The CyberWire Daily Podcast 7.18.16
Ep 143 | 7.18.16

Dark web observations on coups and lists. Pokémon Go and the madness of crowds.


Dave Bittner: [00:00:03:10] Coups d’ état and social media: forget the radio station—get the Twitter feeds. The United Cyber Caliphate and the competing “Peace Brigades” release overlapping and competing target lists. Hacktivism in Eastern Europe likes neither Russia nor NATO. “Delilah” is a backdoor Trojan built for blackmail. “Wildfire” ransomware looks like the work of the Russian mob. Some purported databases for prominent sale on the Dark Web look like junk. And, of course, Pokémon Go looks like the biggest mania since the 17th Century’s tulip craze.

Dave Bittner: [00:00:39:19] Time to take a moment to tell you about our sponsor Netsparker still scanning with labor intensive tools that generate more false positives than real alerts. Let Netsparker show you how you can save time and money and improve security with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products you've got to record a login macro but not with Netsparker. Just specify the username, the password, and the URL of the login page and the scanner will figure out everything else. Visit to learn more and if you'd like to try it for yourself you can do that too. Go to for a free 30 day fully functional trial version of Netsparker desktop. Scan your websites and let Netsparker show you how easy they make it. That's and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:38:12] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 18th, 2016.

Dave Bittner: [00:01:44:08] Turkey’s President Erdoğan seems firmly in the saddle as his government puts down an apparent coup d’état over the weekend. A purge of both the judiciary and security forces is in progress. Those who are said to have attempted to depose the president are said to have seized some mass communication media, but they either overlooked or were unable to cope with Twitter. The entire incident was tracked by tweets, which is ironic at best given the Erdoğan administration’s ambivalence about social media, and its periodic efforts to rein them in. The government’s use of Twitter seems to have significantly contributed to the President’s ability to prevail over the attempt.

Dave Bittner: [00:02:21:03] We’ll be watching for hacktivist or state-sponsored operations in response to the coup. For now, however, such activity seems limited. Terbium Labs has told us that they observed signs of one Turkish group breaching and exposing a Russian government database over the weekend, which they view as in line with longstanding Turkish efforts to push back against both Islamist and Russian influence insofar as such affects regional stability.

Dave Bittner: [00:02:45:18] ISIS names more people in the US and elsewhere as targets, marking them by name as “crusaders” and encouraging the Caliphate’s followers to strike them. The announcement was made online by the “United Cyber Caliphate,” ISIS’s nominal cyberspace arm. Iraqi Shi’ite leader Moqtada al-Sadr, whose “Peace Brigades” have fought the predominantly Sunni forces of ISIS, has also announced some new and perhaps unexpected targeting: he advises that he will consider US forces deploying to the region to fight ISIS “targets.” These statements, widely disseminated online, coming as they do after recent terror attacks, lead analysts to wrestle with the difficulty of distinguishing terrorists from people who are, as the New York Times calls them, “simply deranged.” Some think “terrorist” is used tendentiously and too expansively, but others argue that, given ISIS and similar groups’ calculated appeal to the disaffected, the unsuccessful, and unstable, a distinction without a difference.

Dave Bittner: [00:03:42:14] In other nationalist hacktivism, a Ukrainian nationalist faction—anti-Russian but not happy about NATO, either—claims responsibility for a cyberattack on Poland’s Defense Ministry.

Dave Bittner: [00:03:53:14] Diskin Advanced Technologies reports on “Delilah,” a backdoor Trojan criminals are using to infect and blackmail employees who visit adult or gaming sites. It collects information about the employees dodgy surfing, then recruits the victims to steal and report corporate information. Failure to comply results in exposure.

Dave Bittner: [00:04:13:14] The insider threat comprises one aspect of cyber risk. There was much discussion last week at SINET’s Innovation Summit of risk management. Today we’ll hear from Deloitte’s Emily Mossberg, who talked us through her firm's latest report on cyber risk, "Beneath the Surface." She told us that many conversations about cyber risk were only seeing part of the picture.

Emily Mossberg: [00:04:32:13] There is a lot of dialog focused on how do you quantify a breach of personal and identifiable information, and a lot of focus on the notification and customer protection mechanisms following a breach of personally identifiable information. But we knew through working with our base of clients that there really were a number of broader impacts, that they were experiencing that really didn't seem to be part of the equation.

Dave Bittner: [00:05:04:12] The report organizes potential impacts from a cyber breach into two main categories, above the surface and below the surface and uses a metaphor of an iceberg to illustrate the concept. Above the surface risks include things like the technical investigation, public relations, regulatory compliance and attorney's fees. But it's the below the surface factors that Mossberg says aren't getting the attention they deserve.

Emily Mossberg: [00:05:25:21] Things that were not typically talked about and that included things like the value of lost intellectual property. Not that a breach of intellectual property is never contemplated, but we hadn't seen a real value or calculation really that to what that might mean to an organization. Things like loss of contracts value as well as lost customer relationships. Then we have things like operation disruption and destruction. Again most of the conversation about breach and incidents revolves around a breach of information. There hasn't been as much focus on what are the true costs if part of the business is unable to function or there is a true disruption of service.

Dave Bittner: [00:06:13:05] The report makes the case that while the above the surface risks get the most attention it's actually the below the surface ones that can be the most costly.

Emily Mossberg: [00:06:20:17] 90% or greater of the total impact end up being beneath the surface, and so what that really compels organizations to do is to one; think about this problem a little bit differently than they have been thinking about it before, and look to additional mitigation strategies as it relates to how they secure the assets, how they monitor those assets and how they plan to respond when they actually have an incident.

Dave Bittner: [00:06:52:16] Mossberg says she hopes the report spurs conversation among stakeholders.

Emily Mossberg: [00:06:56:24] How do we start to change the way that we talk about this and think about this, to align more with a broader enterprise risk management strategy, so that we're doing scenario planning around cyber risks similar to the way in which we're doing scenario planning for broader enterprise risk management.

Dave Bittner: [00:07:19:05] That's Emily Mossbert from Deloitte. The report is titled "Beneath the Surface of a Cyber Attack." And a program note you can hear more from Emily Mossberg and other experts in our upcoming special edition Quantifying Cyber Risk which will be published July 19th.

Dave Bittner: [00:07:36:17] Ransomware continues its romp through corporate networks. Cisco OpenDNS researchers have uncovered a new variant—they’re calling it “Wildfire”—that appears on internal evidence to be the work of Russian organized crime.

Dave Bittner: [00:07:49:11] Several vendors are working on answers to the ransomware threat. We heard at SINET’s Innovation Summit that big customers are also big integrators of security products, often trying to pull together dozens of different solutions. Later in this podcast we’ll hear from Quintessence Labs’ John Leiseboer, who’ll talk us through the interoperability challenges this situation presents.

Dave Bittner: [00:08:08:21] Even as new threats appear, old malware variants still comprise the dominant forms of malicious code in circulation. Conficker still holds its lead by a comfortable margin, with Sality trailing in second place. Relative newcomer, mobile malware Hummingbad has risen into third place, at least as Check Point sees the leaderboard.

Dave Bittner: [00:08:29:15] More files purporting to be stolen databases are for sale on the dark web, but some of them are more sizzle than steak, or if you’d prefer more hat than cattle. A widely reported Amazon Kindle credential database being hawked in one of the black markets, for example, struck many at the time of its discovery as largely bogus, and we’ve received some confirmation today from Terbium Labs that those suspicions are well-founded: to them it looks like junk, mostly—a bot database. “The backtraces,” they said, “are from something running in Azure and running a Selenium crawler, presumably to download free Kindle books.”

Dave Bittner: [00:09:05:14] Pokémon Go now amounts to both a cyber-physical security phenomenon (and the latest chapter in the history of the madness of crowds). The game is wildly popular, and, if the videos we’re seeing of self-organized mobs of Pokémon trainers surging through public parks is any indication, it’s at least as popular among adults as it is among children. One such herd was observed stampeding after Vaporeon. This struck our technical editor as surprising, given that you can evolve Vaporean on your own. We hasten to reassure the suits that our technical editor heard this from someone else, we think, not that he’s, like, playing Pokémon Go on company time or anything like that.

Dave Bittner: [00:09:42:22] And there’s plenty of other Pokémon Go news you can use, not the least of which are the emergence of a large number of malicious (and bogus) Pokémon Go apps that will snare the unwary so download with caution. And please do watch where you’re going as you pursue the Pokémon—Joint Base Lewis McChord, for example, near Seattle, has asked trainers not to chase Pokémon into sensitive areas of the base. (You’re welcome, General Lanza.)

Dave Bittner: [00:10:06:16] Some people, however, we encourage to follow where the Pokémon lead. Especially if you’re in Manchester, New Hampshire, where the Police Department has helpfully notified a number of wanted felons that a Charizard—a freakin’ CHARIZARD!—has been spotted inside their main station. Go get ‘em, Granite State’s most-wanted. And, Manchester PD, catch 'em all.

Dave Bittner: [00:10:34:03] Time to tell you about our sponsor, E8 Security. The old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risks and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment. That's E8 gives you. Visit and download their free white paper and learn more. E8 transforming security operations and we thank E8 for sponsoring our show.

Dave Bittner: [00:11:27:12] And I'm joined once again by John Leiseboer, he's the CTO at Quintessence Labs, one of our academic and research partners. John I know one of the concepts you wanted to share with our listeners was interoperability. What can you tell us about that?

John Leiseboer: [00:11:40:15] So interoperability permits the exchange of information between components of the system. So for example the ability to exchange emails, the ability to display an image on a television screen. The ability to use the global positioning system with your car, navigation systems to help you drive to new destinations. So it's all about making it possible to use different vendor's equipment to allow for the exchange or the display, or the reproduction of information in a way that we'd expect it to all work transparently. Interoperability amongst different vendor's products really empower users to deploy components in a system with some degree of confidence that they'll work together, and they'll work together properly.

John Leiseboer: [00:12:28:07] It provides the users with choice. It enables diversity in system deployment which is extremely important for reliability, availability, and for security. Without diversity, a single vulnerability could allow, for example, a breach of many different systems. It allows the effort required by an attacker to be much lower but it also increases the likelihood of a successful attack. So interoperability is all about protecting us from single points of failure.

Dave Bittner: [00:12:55:24] So when we're talking about cybersecurity in particular, what are some of the challenges that we face when it comes to interoperability?

John Leiseboer: [00:13:02:19] Some of the challenges with interoperability when we're talking about cyber security systems relate to ensuring that the algorithms we use, the data formats being used, the protocols for exchanging information, that they not only commit that exchange of information freely amongst different systems, but that they also do it in a secure fashion. Now there are many ways of exchanging information, some of which are more secure and some are less secure. So one of the real challenges is finding the appropriate interoperability standards that are implemented correctly as well.

Dave Bittner: [00:13:40:09] Alright John Leiseboer thanks for sharing the information, we'll talk again soon.

Dave Bittner: [00:13:46:10] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit the Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your product, service or solution in front of people who want it, you'll find few better places to do that than the CyberWire. Visit and find out how to sponsor our podcast or daily news brief.

Dave Bittner: [00:14:07:09] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.