The CyberWire Daily Podcast 6.28.16
Ep 130 | 6.28.16

Not interested in Fancy Bear? Fancy Bear's interested in you. No dark-grey hats, please.


Dave Bittner: [00:00:05:16] Call them APT28, Sofacy, Sednit, Fancy Bear, Pawn Storm, or just the GRU, they've been after lots more than the DNC. DarkOverlord - and probably not the boss villain from Sonic's universe - claims to have millions of health insurance records. Vulnerable medical devices are still running Windows 7 and XP. Security cameras roped into a botnet, 25,000 strong. The IRS takes down its electronic filing PIN system. OPM says yep, that breach was worse than we thought. Cisco buys CloudLock and Investcorp acquires Coresec. How Cisco is training its workforce. And it's good to be Albanian - just ask the police in South Yorkshire.

Dave Bittner: [00:00:46:23] Time to take a moment to thank our CyberWire sponsor, E8 Security. You know, to handle the unknown unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. For example, multiple Kerberos tickets granted to a single user can be a tip-off to a compromise. E8 can show you why. Get the white paper at E8 and get started. Detect, Hunt, Respond. E8 Security, that's And we thank E8 for sponsoring the CyberWire.

Dave Bittner: [00:01:39:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday June 28th, 2016. SecureWorks claims that “Threat Group 4127” (also known as “APT28,” “Sofacy,” “Sednit,” “Fancy Bear,” and “Pawn Storm”) has targeted about 1800 targets in addition to the Democratic National Committee. Other sources continue to expect Russia to release, or leak, emails from presumptive Democratic Presidential nominee Hillary Clinton soon.

Dave Bittner: [00:02:11:11] A hacker calling himself or herself “DarkOverlord” is offering three tranches of personal information that they say were stolen from US healthcare insurance providers. The records are said to be in a plain text database. A total of more than 9.2 million records are said to be involved. That's big, but not as big as the Anthem breach, which affected about 80 million people. The asking price for all records is roughly $700,000 in Bitcoin, the very steep price justified by the hacker’s promise to sell to only one buyer. The DarkOverlord is hawking the data on the dark web market “the Real Deal,” but as a seller they have accumulated as yet no positive feedback from customers, which suggests they are a newbie. (That, plus choosing a villain from Sonic the Hedgehog’s world as your nom de hack. Really, boys and girls.) It’s not yet known whether the data are legitimate or which insurers, if any, were affected. The DarkOverlord claims to have exploited an RDP vulnerability to get to the data, and says they were stolen from organizations in Farmington, Missouri and other unnamed locations in the US Midwest, and Atlanta, Georgia.

Dave Bittner: [00:03:17:21] TrapX warns that medical data are at risk from another source: many medical devices run outmoded operating systems, notably Windows 7 and Windows XP, and attackers can gain access to health-care networks by “wrapping new tools in old exploits.”

Dave Bittner: [00:03:35:06] Naturally, such data is sensitive and the theft thereof is of close interest to law enforcement. We spoke to the University of Maryland cyber law expert Ben Yelin about one curious case - the FBI’s raid on a security researcher who exposed an unprotected cache of medical data. Learn from the researcher’s experience. We'll hear from him after the break.

Dave Bittner: [00:03:55:06] Check Point is taking credit, perhaps with some justice, for the disappearance of the Nuclear exploit kit. The company believes its Investigative Report spooked the criminal operators into occultation.

Dave Bittner: [00:04:07:21] Sucuri reports an IoT-based distributed denial-of-service campaign against a jewelry store website. The attackers used a big botnet of 25,000 security cameras that were connected to the internet. The victim was an unnamed brick-and-mortar jewelry store.

Dave Bittner: [00:04:24:15] In the US, the Internal Revenue Service, after observing what it called more “questionable activity,” has decided to retire - presumably for good - its troubled electronic filing PIN tool. Elsewhere in the Federal Government, the Office of Personnel Management has finally acknowledged what informed observers have been saying for more than a year - the breach of its security clearance management system affected far more than the 21.5 million people who’d applied for clearances: “tens of millions” of family, friends, neighbors, and associates were also affected.

Dave Bittner: [00:04:55:18] In industry news, Intel continues, according to reports, to be working toward the sale of the security division formerly known as McAfee. Cisco has purchased CloudLock for $293 million. And Bahrain’s Investcorp, which picked up SecureLink last year, has bought European security shop Coresec. No one is yet sure what effect Brexit is likely to have on the security industry, but the surest bet seems to be that it will put further stress on an already tight labor market. One company, the aforementioned Cisco, is taking matters into its own hands and bringing some cybersecurity talent development in-house. We spoke with Cisco’s Tejas Vashi about the company’s scholarship program.

Tejas Vashi: [00:05:36:01] It's a two-year program over which we hope to get about 10,000 individuals to go through the program. The end goal is to get and build new talent into the industry. So the program is really concentrated around a certification known as CCNA Cyber Security Ops. As with all of our Cisco certifications, this certification is focused on a specific industry job role. The job role that this certification is targeting is a cybersecurity analyst or a security operations center analyst.

Dave Bittner: [00:06:12:04] Vashi says the need for these kinds of certifications reflects the fact that cybersecurity is a rapidly evolving industry.

Tejas Vashi: [00:06:21:06] Whether you talk about the change in the networking space overall, with cloud-based technologies, internet of things where multiple endpoints are being brought into the network, that all need to be protected. Every time you add a new endpoint or an end device, it adds a new surface of attack or a new vulnerability to the network. Our customers, and the industry in general, are struggling to find the right skills in the environment to actually bring into their workforce to be able to secure their networks and evolve their overall operations.

Dave Bittner: [00:07:02:14] The Cisco scholarship program targets both experienced workers and those who are new to the field.

Tejas Vashi: [00:07:07:01] You've got the traditional workforce, the folks that are in the space right now, that absolutely need to be re-skilled to make sure that they can keep up with the new vulnerabilities that are emerging on what seems to be a daily basis, or multiple times a day, even, right? In addition to that, you need to bring in new talent with diverse perspectives, diverse ways of thinking, diverse ideas in terms of problem-solving, because that's what this space is all about: identifying what the issues are and being able to have a mitigation plan created to address them.

Dave Bittner: [00:07:46:19] That's Tejas Vashi from Cisco. You can learn more about the Cisco global cybersecurity scholarship on their website.

Dave Bittner: [00:07:55:24] You may have heard that Google CEO Sundar Pichai's Quora account was hacked over the weekend. He thus joins Mark Zuckerberg among the ranks of tech bigwigs who’ve suffered compromises of some personal accounts. The group claiming responsibility calls itself “OurMine,” and claims to be providing a security testing service for executives, celebrities, and others with the money to pay $100 to improve their social media security, or $1000 for a full web scan, whatever that may entail, or $5000 for a comprehensive security audit. OurMine has also claimed to have hacked accounts belonging to G.I. Joe star Channing Tatum, Spotify CEO Daniel Ek, and Werner Vogels, Amazon’s CTO; they say other hacks are coming.

Dave Bittner: [00:08:38:16] CSO calls the hacks “publicity stunts,” and notes that OurMine claims to have earned $18,400 so far selling its services. Wired has a longer, more critical profile. They were in touch with an anonymous representative of OurMine who said the group wasn't criminal, but “a security group” trying to teach people that they’re not safe. Whatever hat they’re wearing, and we’re calling it black, not grey, they change their IP address frequently to stay ahead of the law. Wired sensibly advises, “those seeking a security audit should probably not engage a group of anonymous, lawbreaking Twitter-defacement artists.” So, again, link accounts with caution, if at all, use multi-factor authentication, and don’t reuse passwords, not even great ones like “dadada.”

Dave Bittner: [00:09:24:15] Finally, police in South Yorkshire are investigating an attack, apparently by Albanian patriotic hacktivists, who defaced police websites with a cartoon, the double-eagled Albanian flag, and a little bit of brag. Prominently featured was the sentence, "It's good to be Albanian," which is no doubt true, although there seems little point to insisting on it in Doncaster or Sheffield. Maybe it’s a Brexit thing?

Dave Bittner: [00:09:53:03] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services, that proactively prevent rather than reactively detect the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:10:16:14] I'm joined once again by Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security. Ben, there was an article in the Daily Dot recently, it was about the FBI raiding a dental software researcher. He discovered some private patient data that was on a public server. It was out there, it could be found. And the next thing he knows, he had FBI agents breaking down his door. What can you tell us about this case?

Ben Yelin: [00:10:40:05] Sure, this is a gentleman named Justin Shafer, a guy from Texas whose home was raided by the FBI, and he's been charged, or he's facing possible prosecution, under a federal statute known as the Computer Fraud and Abuse Act. And this is a law that is 30 years old and basically, at its core, it prohibits unauthorized access into information systems. The law is worded in such a vague way that even unauthorized access that's not for any nefarious purpose, that's not for hacking, that's not for stealing information, can still be the basis for a federal crime. And the reason that that carries extra significance is because the punishments under the law are particularly severe.

Ben Yelin: [00:11:24:12] There was a tragic case a few years back that I think many of your listeners would remember, of Aaron Swartz, who stole JSTOR documents from MIT to show some of their security vulnerabilities. He was facing 13 charges under this Computer Fraud and Abuse Act, was facing up to 35 years in prison, and ended up committing suicide as a result of facing these federal charges, and that started a very strong movement among civil liberty advocates to reform this law, to add some element of intent, so that in order to be prosecuted, it's not the act that should be punished, the act of exposing a security vulnerability. It should be the intent that's punished.

Ben Yelin: [00:12:07:02] So the intent to hack, the intent to steal information. Dave, you and I have talked about the analogy of the physical world. If somebody went into their bank and saw that the bank vault was exposed and was open, and somebody poked their head in and went to the teller and said, you know your bank vault is exposed? We would not expect that person to be charged with a federal crime for unauthorized access into a bank vault. In fact, I think we would hold up that person as being a good Samaritan. And I think that's really what happened here to Mr Shafer. We'll have to see if he is actually charged and to see whether he is actually prosecuted. But I think the more cases we see like this, we'll see more of a political effort to reform the Computer Fraud and Abuse Act. And it's encouraging that in Congress, there has been bipartisan support for such a law. I know it's had a couple of Democratic sponsors in the House, and Rand Paul has been an advocate on this as well. So hopefully, we can reform this from a political standpoint, so that we don't have the sort of raid that we saw here.

Dave Bittner: [00:13:18:13] Alright, Ben Yelin, thanks for joining us.

Dave Bittner: [00:13:22:17] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit the Thanks to all of our sponsors who make the CyberWire possible. Did you know, you can reach our audience of engaged, informed business, government and academic leaders by sponsoring the CyberWire. Visit and find out how. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik and I'm Dave Bittner. Thanks for listening.