The CyberWire Daily Podcast 7.1.16
Ep 133 | 7.1.16

Conficker worms into medical IoT. Talking key management, DevOps. NERC standards take effect.


Dave Bittner: [00:00:03:11] Bot-herders round up security cameras. Medical devices are exploited by the Conficker worm. Other health care facilities and insurance companies suffer more conventional breaches. DevOps, and its implications for security. Power grid cyber protection standards take effect today in North America. SWIFT-based threats to Eastern European banks. Sprashivai is compromised. Observers still see misdirection in Guccifer 2.0. And Palo Alto takes down some Iranian cyber espionage infrastructure.

Dave Bittner: [00:00:35:13] It's time to thank our sponsor E8 Security. You know the old parameter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they are in your networks. E8 Security's Behavioral Intelligence Platform enables you to do just that. Its self learning security analytics give you early warning when your critical resources are being targeted. The E8 security platform automatically prioritizes alerts, based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit and download the free white paper to learn more. E8 transforming security operations.

Dave Bittner: [00:01:27:00] I'm Dave Bittner in Baltimore with your CyberWire summary and weekend review for Friday July 1st, 2016.

Dave Bittner: [00:01:34:05] The Internet-of-things has occupied much of the week’s news. A large botnet of security cameras has been used in distributed denial of service attacks. The CCTV bots were herded using LizardStresser, which incorporates both clients on hacked Linux-based machines and a server attackers use to control the clients. LizardStresser is one of the tools being used to exploit embedded devices.

Dave Bittner: [00:01:57:02] Medical devices are, of course, of particular concern. It’s easy to fear that they might be disrupted by hackers to threaten the safety or health of patients and users. There seems, however, to be a more proximate threat. Criminals appear to be attacking them not to disrupt the devices themselves, but rather to exploit the devices as conduits into larger caches of patient information, an indirect assault on medical records and personally identifiable information. There’s a large demand for that kind of data on the criminal market, where they’re selling for between $10 and $20 a record. Compare that to the $5 most financial records fetch, and medical records’ attraction to criminals becomes obvious.

Dave Bittner: [00:02:36:00] TrapX Labs reports observing a wave of such medical device hacks using the venerable Conficker worm to exploit them and gain access to data. Conficker’s salad days were back in 2009, but it remains effective against systems running older versions of Windows, and that, unfortunately, is what a lot of medical devices run. TrapX calls the current wave “MEDJACK 2,” and says that attackers have used Conficker against, among other targets, radiation oncology, fluoroscopy, and x-ray systems. The goal in each case is to gain access to patient information.

Dave Bittner: [00:03:10:04] More conventional approaches to medical data that don’t involve IoT exploitation also persist, as we see in this week’s disclosure by Massachusetts General Hospital that it suffered a data compromise affecting some 4,300 patients. A third-party, specifically a dental patient scheduling software vendor, is thought to be the origin of the breach.

Dave Bittner: [00:03:30:09] The insurance sector is similarly at risk. While the quality and provenance of the health insurance data DarkOverlord is selling in the RealDeal dark web market remain controversial, there are reports out of India of another breach. InfoRiskToday reports that Shriram Life Insurance has suffered compromise of an undetermined number of records. Third parties claim to InfoRiskToday that they've confirmed the incident. The head of the Uttar Pradesh police cyber security task force says they’ll open a formal investigation once they receive a disclosure from the affected company.

Dave Bittner: [00:04:04:01] We hear a great deal about DevOps, and the role it can, should or might play in security. Today we hear from two experts, eGlobalTech's Branko Primetica, and Cybric's Mike Kail, to help explain what a DevOps culture is, and what to expect if you transition to one.

Mike Kail: [00:04:20:07] You can think about it as comprised of four tenets. The acronym is CAMS so, Collaboration, Automation, Measurement, and Sharing.

Dave Bittner: [00:04:27:23] That's Mike Kail from Cybric.

Mike Kail: [00:04:29:23] If you look back at the original software development life cycle you had your development team, and then they handed off the application to the operations team which really didn't understand the application from an automation and deployment prospective, as well as measurement and performance. They were basically just order-takers so deploying code: trying to run it without really understanding the whole development process. The collaboration movement is of merging those two; making pure operations people think like or act like engineers. Engineers do take some operations with respect to automating processes into their workflow: it's kind of merging the two worlds, and it's probably a good way to think about it.

Branko Primetica: [00:05:12:00] Well, DevOps is simply referring to the integration of development and operations teams when they're deploying a solution in a more automated and repeatable manner.

Dave Bittner: [00:05:21:11] That's Branko Primetica from eGlobalTech.

Branko Primetica: [00:05:24:20] So, it's based upon what's called the “lean attitude.” That means that in the development process and the deployment process which is merged now, you involve all the stakeholders, just an open communication. There is what's called the focus on the customer, meaning that they're always involved in the process beginning to end, so no requirements to privacy, to functionality, and so on. And also, doing things right the first time is something that's turned around a lot: that's something you need, the ability to stop the line, or to stop developing process, and to stop the deployment process as an issue arises. All of the people who are involved, the developers or operations people, swarm. They go to the issue, fix it immediately and keep on going so that saves time and resources.

Dave Bittner: [00:06:16:04] According to Branko Primetica, there are significant benefits to adopting a DevOps culture.

Branko Primetica: [00:06:21:07] One, you step up the quality of your software engineering in your code, right? Because everybody's involved. There's constant peer reviews. Things are more automated and repeatable, so that kind of lowers time to market. And also the quality of your code. Another major benefit is that that boosts transparency and predictability in an IT development effort. So, nobody's caught by surprise because everybody's involved.

Dave Bittner: [00:06:46:06] Mike Kail says, there's time savings too.

Mike Kail: [00:06:48:18] You can speed up the overall application development and deployment lifecycle because everybody's involved and working together versus that somewhat contentious hand off of the previous years or days.

Dave Bittner: [00:07:00:13] Of course, the shift to a DevOps culture is a culture shift. Mike Kail warns that organizations should expect some resistance.

Mike Kail: [00:07:08:07] I think it's more of personal fear. So, if you're a pure operations person, and you maybe don't understand engineering, you might be a little bit afraid of it, in that your job's going away and vice versa. So, if you're a developer and you think, I don't wanna do operations, I think there's the extreme cases and kind of fear, uncertainty and doubt pushback. I mean, I think you have candid conversations with them and say, look, you're going to expand your skills, you're a developer, you're not moving into pure operations, you just have to take a little bit of an operations mindset, and operations need to take an engineering approach to things. I mean, look at the way the world is moving and you want to advance your career in the company, this is what you need to do.

Dave Bittner: [00:07:51:12] Branko Primetica says, once you get buy-in, it's important to have a plan.

Branko Primetica: [00:07:55:05] Something that says, okay, this is what we want out of DevOps. Then, I would need to work on developing a DevOps methodology. So get your development operations teams together. Make sure they're involved in the process, that they're familiar with it, and that it actually works for them. You want to get your security people there as well, your business people there, so that they're all up to date. Then, I would select the support tool set. You need a scheduling tool for release management and for peer reviews of code, for example, you need automated testing. Once you've done all of that stuff, then I would make sure that my team is up to date on their skill sets. Did they understand all of this? Can they actually automate some of these processes? Do they really know what we're talking about? And then, I would try out the methodology once everybody has that skill set. Say, hey, this is the foundational methodology. Let me start with a new development project and follow this process that we've established. That will allow you to actually refine your methodology. . Let me start with a new development project and follow this process that we've established. That will allow you to actually refine your methodology.

Dave Bittner: [00:09:04:03] It may seem slow going at first, and there may be fits and starts along the way, but Primetica believes that if you put the right systems and processes in place, and take the time to properly implement them, the pay off will be worth it.

Branko Primetica: [00:09:16:08] Train everybody on what this means. Guide them through the process. Measure success and address it, because the first year or two of transitioning to this approach will not be easy. I mean, you're changing not just the process, but the mindset; the culture; the procedures they've been used to now for several years. It's going to be slow at the beginning, but the payoff will be great at the end.

Dave Bittner: [00:09:40:04] Our thanks to Mike Kail from Cybric, and Branko Primetica from eGlobalTech.

Dave Bittner: [00:09:49:14] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent, rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at

Dave Bittner: [00:10:11:05] I'm joined once again by John Leiseboer, he's the CTO at QuintessenceLabs, one of our academic and research partners. John, I know it's easy to think of key management as just the generation of keys for encryption, but there's more to it. It really is a larger part of your whole security framework, yes?

John Leiseboer: [00:10:30:20] Absolutely right. So you said, team management at one level is just the secured generation: to have the storage of key material, perhaps the secured distribution of it, and the use of it in cryptographic applications, or at least supporting the use of encrypted applications, but there's a whole other area which is related to, I guess, the policies that surround the usage of key material. We have very simple policies in some cases, but some more complex. An example of the simple policy might be that an organization decides that it needs to implement or ensure that products implement algorithms' security strength: it's like a key link, or that specific algorithms are in use.

John Leiseboer: [00:11:13:02] So, you might find what might be called an object policy perhaps, around a key, would be something like all objects encrypted with this key shall use 128 bit AES. An extension of that might be a lifetime policy wrapped around a key. This key can be used for encryption but for no longer than 30 days: after 30 days it must be rotated out and a new key used. So, that's a couple of examples there that are very simple policies, but they're very important policies in that they provide a guarantee in some respects of the security strength, and also provide a mechanism for retiring keys from use when they're effectively you know, "worn out."

John Leiseboer: [00:11:57:05] Probably a more complex policy, one that would support much richer forms of applications might be policies related to usage of keys. So, for example, think of the key management server that supports a number of operations will get a key; create a key; revoke a key; destroy a key; modify the attributes of a key; change ownership of a key, those sorts of things. When I say, "key," I mean a general purpose cryptographic object. "Key" might be a symmetric key; might be a public key or a private key. It might be a certificate even, or it could even be cryptographic material that goes to create a password. So, in a general sense there, I'm talking about a key as being anything of a cryptographic purpose related to cryptographic operations.

John Leiseboer: [00:12:39:07] So, usage policies then might be that you might say, a user of the system can only use a specific key if they are a member of a specific group, and the sort of operations they could form might be limited. So, it might give some users the ability to get keys and use a key for crypto purposes such as encryption. We might say that another user, or that same user, is not permitted to destroy the key but, perhaps if they have a quantum definition, then a usage policy might say that two out of a group of five users, when they both agree, then a key can be destroyed: can be removed from use from the system. So, these sorts of policies allow us to build very powerful applications, to take advantage of a centralized key management platform for managing the security that is built into the use of keys themselves.

Dave Bittner: [00:13:32:08] John Leiseboer, thanks for joining us.

Dave Bittner: [00:13:37:04] I want to take a moment to tell you about our sponsors at the Billington Global Automotive Summit, the heads of GM, Lyft, General Dynamics, and the Department of Transportation offer their perspective on the latest strategies, best practices and steps needed to ensure cyber security in connected cars and autonomous vehicles at the Billington Global Automotive Summit meeting this July 22nd at Detroit's Cobo Center. They'll join top cyber security professionals from three of the world's leading auto makers as well as the leader of the newly formed AutoISAC to discuss a new path forward in auto cyber security. Registering with promo code, CyberWire2016, will save you 20 percent on admission. Don't miss this information-rich day with the most important stakeholders in the dynamic world of connected cars and autonomous vehicles. Register at Don't forget to use the promo code, CyberWire2016, to receive 20 percent off of corporate rate.

Dave Bittner: [00:14:47:07] Returning to the Internet-of-things security in a different sector, today marks the implementation of the North American Electric Reliability Corporation, that's NERC, Critical Infrastructure Protection, CIP, V5 standards. These standards specifically address the cyber security of the power grid. LogRhythm’s CTO and co-founder, Chris Petersen, tells us it’s about time. NERC had delayed the compliance deadline by several months. “The reality is that legally mandated compliance regulation is the best motivator that pushes critical infrastructure entities to improve their cyber defenses. Given the challenge of hardening legacy systems, which were never designed to withstand cyber attacks, a security strategy of rapid detection and response is paramount.”

Dave Bittner: [00:15:33:03] We also heard from Ray Rothrock, CEO of RedSeal, who also said it’s about time. He thinks delays rarely end well. "As demonstrated by previous delays in the Payment Card Industry Data Security Standard. However, I hope the extra time means compliance and resilience is on the horizon.”

Dave Bittner: [00:15:52:06] The NERC standard is mandated by the Federal Energy Regulation Commission. The utilities under NERC’s jurisdiction serve more than 334 million people. We’ll be following the effects of NERC infrastructure protection standards going forward.

Dave Bittner: [00:16:07:00] Turning to Eastern Europe and Central Asia, investigation into the potentially very large SWIFT enabled funds transfer fraud from Ukrainian and Russian banks continues. Reuters has obtained a copy of a confidential communication from Ukraine’s Central Bank to lenders, warning them that it has seen attempts at criminal fraud, and urging them to increase security and be on their guard.

Dave Bittner: [00:16:29:02] In Russia, the popular social networking, Q&A site Sprashivai, which Infosecurity Magazine aptly compares to Yahoo! Answers has been compromised. It’s redirecting users to the RIG exploit kit, which is installing the SmokeLoader Trojan. SmokeLoader is typically associated with credential theft and click fraud.

Dave Bittner: [00:16:50:14] Looking at the hack of the US Democratic National Committee, most observers continue to see the hidden hand of Russian intelligence organs at work. They also regard Guccifer 2.0’s handwaving as so much misdirection, although why the Russian services would go to the trouble baffles some observers, since they’re hardly shocked, shocked, to learn that spy agencies spy.

Dave Bittner: [00:17:10:24] Palo Alto Networks has taken down the infrastructure used by an Iranian group to spread Infy cyber-espionage tools, a welcome but probably temporary respite for those targeted.

Dave Bittner: [00:17:22:09] Finally, as we head into Independence Day weekend, commemorating the Amexit of 1776, this seemed like a good time to acknowledge and thank our listeners in France. So thanks, all, especially for the indispensable help we got from the Marquis de Lafayette and Admiral de Grasse during the Amexit at Yorktown. Someday we hope to visit, and when we do, we’ll be sure to say, “Lafayette, nous sommes arrives.”...

Dave Bittner: [00:17:51:24] ...and that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more visit Thanks to all of our sponsors who make the CyberWire possible. We help you stay on top of the news in cyber security and information assurance. We can also help you get your product, service, or solution in front of an informed audience of influencers and decision-makers. Visit to find out how.

Dave Bittner: [00:18:15:08] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our editor in chief is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. Enjoy the Fourth. We'll be back on Tuesday with more of the CyberWire.