The CyberWire Daily Podcast 6.24.16
Ep 128 | 6.24.16

Brexit beats Bremain. Cyber combat support. The usual ransomware.


Dave Bittner: [00:00:03:07] UK voters take their country out of the EU. Who predicted Brexit and how, when the smart money was on Bremain?

Dave Bittner: [00:00:10:03] Fancy Bear and Cozy Bear don't look like a lone hacker, but they do strike one oppo-researcher as Lazy Bear.

Dave Bittner: [00:00:16:15] GhostSquad goes after the US military and US Cyber Command goes after ISIS.

Dave Bittner: [00:00:21:14] Ransomware continues to pursue businesses and individuals. Some old threats return, Conficker among them.

Dave Bittner: [00:00:27:14] Investigations into US State Department emails continue, enabling technologies for the IoT. And keep calm and carry on.

Dave Bittner: [00:00:41:05] I want to thank our sponsor E8 Security and remind you to visit, to check out their free white paper, Detect, Hunt, Respond. It's going to give you the information you need to deal with the unknown threats in your network; the threats no-one has ever seen before.

Dave Bittner: [00:00:57:12] E8 is going beyond legacy signature matching and human watch standing; they're hunting these unknown threats with machine learning and big data analytics. See what E8 has to say, download the free white paper at And as always, we appreciate E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:21:17] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday, June 24th, 2016.

Dave Bittner: [00:01:29:02] The big news today is, as we expected, that the UK voted yesterday to exit the European Union. The vote means that Prime Minister Cameron's government will be out by October at the latest. The decision to leave the EU will have far-reaching policy and market implications for cybersecurity as well.

Dave Bittner: [00:01:46:13] We'll talk a bit later with the CEO of Expert System, the company whose research into social media trends called the vote for Brexit when most other prediction markets, even the betting shops, had the smart money on Bremain.

Dave Bittner: [00:01:59:19] In that other political story, on this side of the pond, consensus is firming up that the DNC wasn't hacked by a lone hacktivist. Signs still point to Moscow. A former DNC researcher thinks Fancy Bear and Cozy Bear don't know much about opposition research. He would make Lazy Bear the third bear in this story.

Dave Bittner: [00:02:19:02] GhostSquad Hacktivists, largely associated with Anonymous operations like OpIcarus against governments and banks, offers ISIS support by releasing a database containing personal data of US military personnel. This support is at least objective, if not actually coordinated, and some observers regard the list as effectively another ISIS hit list. HackRead said the data looks legit.

Dave Bittner: [00:02:43:05] The release comes as US Cyber Command takes an increasingly active combat support role against ISIS. 46 of the command's mission support teams are reported to be fully operational; 59 are at initial operational capability and there are another 28 still to be organized. They're currently supporting US Central Command in its operations against ISIS.

Dave Bittner: [00:03:04:14] Some observers of that effort recommend that anti-ISIS information operations against the self-proclaimed Caliphate's online echo chamber be specific, granular, and tightly crafted for its audience.

Dave Bittner: [00:03:16:00] An expert from the International Center for the Study of Radicalization, the ICSR, at King's College in London, recently characterized the members of that audience as "what we call the cheerleaders and fan boys and wannabes - people who aren't actually members of ISIS, who aren't actually in Syria, but are essentially freelance supporters often based in the west. They are the ones who are giving the group its online oomph."

Dave Bittner: [00:03:43:00] In the world of cybercrime proper, Neutrino is serving CryptXXX to visitors of anime site jkanime. The campaign mostly affects users in Latin America, particularly in Mexico.

Dave Bittner: [00:03:54:22] Ransomware remains the most worrisome form of cybercrime affecting enterprises, but older threats persist too. LizardSquad may have subjected another gaming site to a DDoS attack. This time, the affected game is, for no discernible reason, Overwatch. The venerable Conficker remains the number one malware family. The Necurs botnet, used to spread Dridex and Locky, is back after a three week hiatus.

Dave Bittner: [00:04:21:05] We attended the Cyber 7.0 Conference this week and a report is up on our website. The conference was concerned primarily with the Internet-of-things and critical infrastructure. Today, we have as our guest, someone who will tell us about a key enabling IoT technology, low-power wide-area networks. Matthew Knight is a Security Researcher with Bastille Networks. He recently gave a presentation on low-power wide-area networks at the Jailbreak Security Summit.

Matthew Knight: [00:04:46:05] Currently, we have 25 billion devices connected to the Internet in some way. And they project that, by 2020, there are going to be 50 billion devices connected to the Internet in some way. Some of the buzzier things that you'll hear about in the media today are the "IoT" devices. You're talking about your smart refrigerators, your smart door lock, all these different IP camera, you know, things that would survey your home.

Matthew Knight: [00:05:08:03] On the more industrial side, you have some SCADA applications, NetSlick industrial control tracking, you might have, like, vehicle fleet monitoring as an example of a wide range roaming application. You know, today, a number of those devices are connected via wires, you know, you have power of course, but when I say connected, I'm referring to ethernet. But a lot of them are wireless too.

Matthew Knight: [00:05:30:09] You know, we're talking about things like cellular devices, which, you know, ultimately wind up getting into the Internet in some way. When we look at that 50 billion in 2020, fewer and fewer of those devices are going to be wired every year. So we're seeing this broad proliferation of wireless networks that are standard ones, like Wi-Fi and cellular, but also some new emerging less standard technologies.

Dave Bittner: [00:05:54:23] On the industrial side, many devices connect using the older 2G cellular network. It's cheap and offers wide coverage. But its days are numbered.

Matthew Knight: [00:06:04:01] 2G has kind of worked its way in as this very popular interface for a number of these IoT applications. However, AT&T and a number of the other domestic 2G carriers have announced that they're sunsetting those networks at the end of this year. They want to repurpose their spectrum for some of the more modern technologies and the 2G standard is very old at this point. They're going to be turning those towers off and using them for something else.

Dave Bittner: [00:06:28:15] This opens up opportunities for low powered wide-area networks.

Matthew Knight: [00:06:32:15] The best way to describe it is it's just like cellular data service, but optimized for IoT and low bandwidth applications. When I say it's just like cellular data service, it's a very similar network architecture. You have a network of base stations, in LPWAN terminologies they're often called gateways. And then you have end nodes that connect directly to that network of gateways, via this wireless interface.

Dave Bittner: [00:06:59:04] LPWANs have the advantage of enjoying much lower start-up costs, in large part due to the type of RF spectrum they use.

Matthew Knight: [00:07:06:16] Cellular base stations operate on restricted spectrum. You have to own the rights to operate on it in order to legally transmit, and the FCC regulates that. Now, there exists a number of pieces of spectrum that are referred to as ISM spectrum. This stands for Industrial, Scientific and Medical, if I am getting that acronym correct. That is what is referred to as unlicensed spectrum.

Matthew Knight: [00:07:29:02] Basically what that means is, you're allowed to transmit it, so long as you're abiding by certain rules and principles, without having a dedicated user license from the FCC. That's the sort of thing that Wi-Fi and Bluetooth, those are all in the 2.4 gigahertz ISM band. You know, when you go to Best Buy and buy a router, you don't have to immediately send off to the FCC for permission to use it, it's compliant with the FCC's ISM rules, so you're allowed to just take it out of the box and plug it in and Internet.

Matthew Knight: [00:07:55:22] These low-power, wide-area network technologies that are gaining the most steam, all operate in the ISM bands, which means that in order to become a network operator, you do not need to own a spectrum license. This is really profound, because that takes out an enormous cost of putting up a network.

Dave Bittner: [00:08:10:15] Of course, there's a downside to using unlicensed spectrum. It can be crowded and noisy, with lots of interference.

Matthew Knight: [00:08:17:19] Not only is there the potential for it, it's virtually guaranteed that you're going to have all sorts of collisions and all sorts of interference in these unlicensed bands. The way that they address that is through their phy-layer technology. They've designed a phy that is the lowest definition of the electrical specification, to be very resilient to interference.

Matthew Knight: [00:08:41:22] They have a number of very interesting technologies there, that give it a very strong link budget, that is, its ability to extract signal from noisy channels, and also contributes to its range.

Dave Bittner: [00:08:56:15] As manufacturers bring LPWAN products to market, some of their performance claims are quite impressive.

Matthew Knight: [00:09:02:16] There's one LPWAN called Sigfox that advertises ten years on a single AA battery, which is, you know, quite dramatic. I haven't tested that, but that's what they're claiming. In terms of range, LoRa, the technology that I've spent a bit of time looking at, advertises up to 13.6 miles, so the performance is pretty dramatic.

Matthew Knight: [00:09:22:11] Of course, the way they get that performance is by trading on other aspects. Both of these protocols are fairly low data rate and they're designed to duty cycle very aggressively. That means, they're designed to sleep for the vast majority of their lifetime.

Dave Bittner: [00:09:39:09] Matthew Knight says there's a lot of excitement and innovation going on in the space, including some unconventional applications.

Matthew Knight: [00:09:46:20] Actually, I was at an event recently and I met a guy who was developing LoRa connected rat traps. Those are, you know, exactly what it sounds like, they're devices that would go in your wall and try to take care of a pest problem. But he wanted to know if they were being effective or not. So now, whenever it catches a rat, it will send a message up over LoRa and let him know.

Dave Bittner: [00:10:08:15] As a Security Researcher, Knight is interested in potential vulnerabilities of these systems.

Matthew Knight: [00:10:14:06] Some of these low-power wide-area networks are uplink only, meaning they can only send messages up and they can't receive messages down. One of the effects of that means that they cannot wire through received firmware. If there's a bug that they're deployed with, they will have that until somebody physically goes there and either updates it manually, or replaces the device.

Matthew Knight: [00:10:35:02] There is the opportunity for some of these vulnerable devices to become entrenched for quite a long time.

Dave Bittner: [00:10:41:14] That's Matthew Knight from Bastille Networks. He recently gave a presentation on LPWANs at the Jailbreak Security Summit. You can download his slides from that presentation at the Jailbreak website.

Dave Bittner: [00:10:53:18] Investigation into email security at the US State Department continues, as more emails come to light revealing the department's temporary lowering of its spam filters to enable its networks to receive email from former Secretary Clinton's private server. The former Secretary's concern, as expressed in contemporary emails, was to avoid any risk of the personal being accessible.

Dave Bittner: [00:11:19:24] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of Information Security, Assurance and Privacy. Learn more online at

Dave Bittner: [00:11:44:23] I'm pleased to be joined, once again, by Malek Ben Salem. She's the R&D Manager for Security at Accenture Technology Labs. Malek, I know something you wanted to share with us was your take on software defined security. What can you tell us about that?

Malek Ben Salem: [00:11:58:00] Correct. Let me start by saying why we need software defined security and then I'll talk about what software defined security is as an approach. Recently we've seen a new significant move by companies transforming their IT infrastructure into the software defined infrastructure. That includes software defined networking, software defined storage, server virtualization, or what is known as software defined computing. Basically creating software defined data centers.

Malek Ben Salem: [00:12:34:15] What this enables is that, everything is provisioned, controlled, configured through software, which makes their IT environments very dynamic and agile. That, in and of itself, creates new security challenges. CDLs cannot keep up with the rate of change in the IT infrastructure environment and that is why we need a new security management mechanism. This is where software defined security comes in.

Malek Ben Salem: [00:13:12:02] Software defined security basically is a new approach for security management, that abstracts the security management from the actual physical attributes of security controls. Through this abstraction, it makes security controls independent from the underlying security appliances, or hardware and it makes security management more dynamic and more easily handled by security analysts.

Dave Bittner: [00:13:44:23] Is this a matter of sort of setting up automation, to be able to keep up with the velocity of what's happening on a software defined network? Is it that sort of thing?

Malek Ben Salem: [00:13:55:19] Yes, absolutely. Automation is absolutely one piece of it, but it's not just automation, it's also providing more scalability, decreasing the complexity of the security management so that you can create services for certain security functions that are independent of the hardware. Let's say a fire-walling service.

Malek Ben Salem: [00:14:19:20] Regardless of the firewall that you have deployed within your infrastructure, all you need to configure is that fire-walling service, which would be applied to all of your firewalls underneath, or an intrusion detection service.

Malek Ben Salem: [00:14:36:22] All of your security policies can be implemented at the software level, regardless of the underlying security appliances that you have within your infrastructure.

Dave Bittner: [00:14:46:16] Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:14:52:06] I want to take a moment to tell you about our sponsors at the Billington Global Automotive Summit. The Heads of GM, Lyft, General Dynamics and the Department of Transportation offered their perspective on the latest strategies, best practices and steps needed, to ensure cybersecurity in connected cars and autonomous vehicles.

Dave Bittner: [00:15:09:08] At the Billington Global Automotive Summit, meeting this July 22nd, at Detroit's Cobo Center. They'll join top cybersecurity professionals from three of the world's leading automakers, as well as the leader of the newly-formed Auto-ISAC to discuss a new path forward in auto cybersecurity. Registering with promo code CYBERWIRE2016 will save you 20% on admission.

Dave Bittner: [00:15:31:00] Don't miss this information rich day with the most important stakeholders in the dynamic world of connected cars and autonomous vehicles. Register at Don't forget to use the promo code CYBERWIRE2016 to receive 20% off the corporate rate.

Dave Bittner: [00:16:02:07] Returning to the Brexit vote, not only has the pound sterling plummeted in international currency markets, but stock markets in Britain, Europe and the US are also taking a beating as investors and speculators are spooked by the Brexit's many unknowns.

Dave Bittner: [00:16:16:19] For the cyber sector, few expect many, if any, changes in British cyber policy. There are concerns shared with the larger tech sector about the labor market. Brexit is expected to make labor less mobile and more expensive than it had been.

Dave Bittner: [00:16:31:07] Most prediction markets had been confident that British voters would cast their ballot to remain in the EU. That obviously didn't happen and the betting shops in particular, are working to explain how the smart money might have backed the wrong horse. It seems to have been either a case of counting money more than heads, more money was placed on Bremain, but more punters went for Brexit, or else, just one of those cases in which the long shot won. Here in Baltimore, we've seen that happen at Pimlico from time to time.

Dave Bittner: [00:16:59:19] We did hear from some people before the vote, however, who did get the prediction right, and since they did so through social media analytics, their work is of some cyber significance. Expert System, working with researchers at the University of Aberdeen, called the election for Brexit to us on Wednesday. Expert System's CEO Daniel Mayer, joins us to tell us what they saw and how they analyzed it.

Daniel Mayer: [00:17:22:03] In this case, we're using a particular cognitive computing technology called Text Analytics. It's a process of social media. This technology recognizes concepts that are expressed in text and recognized as meaning. And what that boils down to is that it enables the computer to understand what we as humans are expressing.

Daniel Mayer: [00:17:48:23] For this particular study, we analyzed something like 50,000 tweets. I think in this case, we were maybe a bit lucky that some of the segments of the population that are using Twitter maybe were not as well represented in other instances and I'm thinking particularly of the younger parts of the population and also, perhaps, you could imagine that some of the most disenfranchised, or maybe a bit more vocal on social media. That could account for some of the differences in signals that you get from social media on one hand, and maybe through other methods.

Dave Bittner: [00:18:32:00] That's Daniel Mayer from Expert System. They've published the results of their analytics on their website and invite researchers and collaborators to take a look.

Dave Bittner: [00:18:41:21] Finally, our best wishes to our friends, colleagues and listeners in the United Kingdom. Whatever the future looks like outside the EU, we trust you'll cope and thrive.

Dave Bittner: [00:18:55:20] That's the CyberWire. I had a great time recording for the Grumpy Old Geeks podcast again this morning. If you get a chance, do check out their podcast, it is a good time.

Dave Bittner: [00:19:04:04] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik and I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.