The CyberWire Daily Podcast 9.9.16
Ep 181 | 9.9.16

Malware mines Monero. That sad OPM breach, Crackas cracked, and more.


Dave Bittner: [00:00:02:20] Tensions rise over election hacking as more call for naming and shaming Russia. Assange says he has more dox to release on Wikileaks. VDOS DDoS service earned its masters $600,000 over the last two years. GovRAT 2.0 is out in the wild. Congress reports its investigation of the OPM hack. Intel sells its security unit, which will go back to its old McAfee name. And the FBI says they've nabbed the Crackas-with-Attitude.

Dave Bittner: [00:00:35:20] Time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyses the entire web, to give cyber security analysts, unmatched insight into emerging threats. We read their dailies at the CyberWire and you can to. Sign up for Record Future's cyber daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today, to stay ahead of cyber attacks. They watch the web, so you have time to think and make the best decisions possible for your enterprise's security. Go to, to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:36:17] I'm Dave Bittner, in Baltimore, with your CyberWire summary and Week in Review, for Friday, September 9th, 2016.

Dave Bittner: [00:01:43:20] There was little ambiguity at this week's Intelligence and National Security Summit, the US and Russia are clearly positioned as adversaries in cyberspace. That the US would rather not have to engage in an ill-defined and poorly delimited cyber conflict with Russia was equally obvious, but many of the Summit's participants were prepared to echo US Secretary of Defense Carter's warning to Russia that it should avoid "Interfering in democratic processes." In the case of some members of Congress and experts from the private sector, they were willing to amplify that warning. The senior members of the House Permanent Select Committee on Intelligence called for a more forthright attribution, more naming and shaming.

Dave Bittner: [00:02:24:00] The interference in democratic processes, of course, refers to what's being characterized informally, albeit all but officially, as a Russian government campaign to "disrupt" upcoming US elections. Such a campaign is under active investigation, as Director Comey said yesterday at the Summit, when asked to comment on the matter.

Dave Bittner: [00:02:44:15] Direct hacking of voting is feared, and intrusion into state election databases has fed those concerns. But such Russian activity as has been observed, is more consistent with influence operation than classic cyberattack. Observers see the probable goal as undermining confidence in US institutions to the general detriment of the US and the advantage of Russia. Most of the interest in the alleged Russian campaign continues to center on what Russian intelligence services may have collected from political parties, especially the Democratic Party and from candidate Clinton's State-Department-era private email server.

Dave Bittner: [00:03:19:19] Wikileaks' Julian Assange, objectively aligned with Russia's government, has promised to release as many as "100,000 pages of new material" related to Hilary Clinton. No firm date is promised, but Assange says he'll leak the material, "Before the election."

Dave Bittner: [00:03:36:08] KrebsOnSecurity reports that vDOS, an Israel-based booter DDoS-attack service, has earned its masters some $600,000 over the past two years. The operators' criminal customers use vDOS in their attacks on targeted online services.

Dave Bittner: [00:03:53:08] InfoArmor has published an update on GovRAT, a criminal campaign now in version 2.0 and exfiltrating data from US Government, military, and Defense Industrial Base targets. InfoArmor concludes that, "The threat actor is working with a highly sophisticated group of cybercriminals, that are selling stolen and fake digital certificates for mobile and PC-based malware code-signing, used to bypass modern AV solutions for other possible APT campaigns."

Dave Bittner: [00:04:23:03] The Congressional report on 2015's massive OPM breach is out. We spoke with Cylance's Malcolm Harkins and got the inside perspective on the breach, we'll hear from him later in the show.

Dave Bittner: [00:04:34:11] The big industry news this week was Intel's sale of a controlling interest in its cyber security unit to private equity firm TGP. Intel Security, as the unit was called, will revert to its better-known name of McAfee, despite challenges from the original founder, John McAfee. Intel paid $7.7 billion for McAfee in 2010, it sold 51% of the unit for $4.2 billion. Intel will retain 49% of McAfee.

Dave Bittner: [00:05:03:08] And finally, remember the Crackas with Attitude? The boyos who allegedly got into the US DCI's and DNI's and other numeros' private email accounts? The G-men yesterday popped two millennial gentlemen, Andrew Otto Boggs, age 22, and Justin Gray Liverman, age 24 and charged them with various computer crimes in connection with the incident. The gentlemen allegedly worked by social engineering and not by applying any mad technical skills. That social engineering involved impersonating, the Feds say, allegedly, Verizon techs and FBI IT support.

Dave Bittner: [00:05:40:12] Boggs and Liverman will soon plead their case in the Eastern District of Virginia. Observers expect a swift adjudication, that Alexandria court's not called the "rocket docket" for nothing. So, North Carolina, it turns out the alleged Crackas weren't from Nutley or Ronkonkoma, after all, as some of our stringers had speculated, but, allegedly, we stress, from North Wilkesboro and Morehead City, North Carolina. All persons accused of crimes are entitled to the presumption of innocence, or so the lawyers tell us.

Dave Bittner: [00:06:14:04] Time for another moment from our sponsor, Recorded Future. RFUN 2016 is coming and Washington D.C.'s got it. Join Recorded Future and other leaders in the threat intelligence space, this October 5th and 6th. Get industry insight, here from top cyber security and corporate strategy experts, as they share their ideas and experiences. Teresa Shea, now of In-Q-Tel, formerly NSA's chief of SIGINT, Christopher Mascaro, director of Global Cyber Threat Intelligence at First Data, John Scott-Railton, Senior Research Fellow at the University of Toronto's Citizen Lab, Elias Ladopoulos, you may know him as Acid Phreak, founder and CEO at Supermassive Corp. Robert M Lee, founder and CEO at Dragos Security and course author for SANS FOR578. And finally, Joe Navarro, former FBI agent, body language expert and bestselling author. If you're a threat intelligence enthusiast, register for free now, at Recorded Future dot come, slash RFUN. That's Recorded Future dot com slash R-F-U-N. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:07:21:12] And I'm joined by Markus Rauschecker, he's the cyber security program manager for the University of Maryland Center for Health and Homeland Security. Markus, some privacy groups are not happy with the Department of Homeland Security about a social media proposal that they've come up with, what can you tell us about that?

Markus Rauschecker: [00:07:40:03] Yes, so there's a new proposal out by the Department of Homeland Security, that says that anyone coming into the United States, through Visa Waiver Program, would now have to also submit any kind of information on any kind of any online presence that they have. So that means, those individuals traveling to the United States in their Visa Waiver Program application would submit usernames or other social media identifiers, Facebook, Twitter handles, so that they would submit that kind of information on their applications, so that DHS and the US Customs and Border Protection could presumably investigate any kind of online media presence, any kind of online postings, to when they review the application of the individual traveling to the United States.

Dave Bittner: [00:08:33:22] So, on the surface, that doesn't seem terribly unreasonable, but there are a number of privacy groups who take issue with this.

Markus Rauschecker: [00:08:41:12] Right, so DHS is saying, a lot can be learned about an individual, if you take a look at their social media or their online presence and DHS thinks that they can then more easily or identify potential terrorists or other threat actors, before they come to the United States. Of course, privacy and civil liberties groups are very opposed to this proposal, because they say it's a fundamental infringement on the right to speech and the right of opinion and it can potentially put a dampener on people's willingness to post online and to post their views and to post their religious views online. There's a real concern on privacy groups, that this proposal is an infringement or an obstacle to free speech and freedom of expression.

Dave Bittner: [00:09:34:21] And so, it is just a proposal, so I suppose there will be a comment period, before anything is settled on?

Markus Rauschecker: [00:09:42:07] Absolutely, right now, this is a proposal and DHS is seeking comments on this proposal, we'll see, you know, what they get back, I know that a lot of privacy groups, civil liberty groups, have already posted, responded with strong opposition to this, I'm sure DHS will be getting a lot of comments about this proposal and they'll take that into account and they'll see if they need to refine the proposal and then we'll see what happens to the proposal in the end, if it goes through or if DHS decides to scrap it.

Dave Bittner: [00:10:16:02] Alright, we'll keep an eye on it, Markus Rauschecker, thanks for joining us.

Markus Rauschecker: [00:10:18:04] Thanks very much.

Dave Bittner: [00:10:21:01] I'd like to take a break and tell you about an exciting CyberWire event happening next month. The Third Annual Women in Cybersecurity Reception, taking place, September 27th at the Columbus Center, on the beautiful waterfront in downtown Baltimore. The Women in Cybersecurity reception highlights and celebrates the value and successes of women in the cyber security industry. The focus of the event is networking and it brings together leaders from the private sector, academia and government, from across the region and women at varying points on their career spectrum. The reception also provides a forum for women seeking cybersecurity careers, to connect with the technical and business professionals, who are shaping the future of our industry. It's not a marketing event, it's just about creating connection. This year, we're pleased to be partnering with the great people over at the Cybersecurity Association of Maryland, CAMI, if your company is interested in supporting this important event, we have some great sponsorship opportunities available. We're also partnering with Maryland Art Place, to have a special work of art created for the event, that attendees can take home with them. As it's been in previous years, this is an invitation only event. We do it this way, to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, the CyberWire dot come, slash W-C-S. That's the CyberWire dot com slash W-C-S. We look forward to hearing from you. Once again, there are still a few remaining sponsorships available, so if you'd like to show your support for women in cybersecurity, with all of the recognition and promotion that goes with it, we'd love to hear from you.

Dave Bittner: [00:12:04:09] The US House of Representatives Committee on Oversight and Government Reform released their report on the OPM data breach this week, subtitled, "How the Government jeopardized our national security for more than a generation."

Dave Bittner: [00:12:17:05] My guest today is Malcolm Harkins, Chief Security and Trust Officer at Cylance, a cybersecurity company, who was named specifically in the report for their part in detection and remediation of the breach. I asked Malcolm Harkins for his take on the report.

Malcolm Harkins: [00:12:31:22] I felt the report itself was quite thorough and complete, it seemed like a very thoughtful and well written and one of those reports that they turned over all the rocks and my read of it looks like they summarized the key items quite well and it, for me, it was very useful in looking through, not only the details of the timelines, the analysis, but I also think the conclusions that they came up with.

Dave Bittner: [00:13:02:12] Can you take us back and walk us through the timeline of what happened with this breach?

Malcolm Harkins: [00:13:07:00] Well, if you read through the report, there's, in many ways, a little bit of a couple of different timelines. One of them started out a few years ago, long before this ever got into the press. In 2012, they had established that attackers had access to the OPM network, according to the US-CERT and found malware resident on their servers since 2012 and so it evolved, you could look at it back into that time period, but also some things in 2013. But 2014 is really when they had the first, what I'd say, notification, from the US-CERT, of data ex filtration from their network and that was what created, what they called, their big bang strategy, where they spent a few months trying to figure out when and how things were occurring, so they could observe the intrusion and then they had their big bang strategy, which was essentially the extraction and remediation of the intrusion from their environment that they went through. Now, what I think most of us seem to remember, is really what happened in 2015, when the notification went out that they had been breached and that's really what caused the awareness, what then triggered the oversight committee to do this investigation.

Dave Bittner: [00:14:36:23] Cylance is mentioned specifically in this report, what was your role in the discovery and the remediation?

Malcolm Harkins: [00:14:44:12] So our role dates back in multiple things, into the 2014 time period, they were looking at our product, doing some evaluation of it at that time, but in reality, what happened was in April of 2015, an individual in the OPM organization got kind of the first indications of malware that was occurring. And what they had done was they brought a silence expert on site, to help facilitate the discovery and an installation of our silence protect product and then from there, we worked with them very closely, through that roll out and then the remediation and essentially, elimination of the intrusion from their environment. What we did was we found the specific instances of the malicious code, when they had already had some detection. So Opium had already had some idea that some things were not right, that were found through other means and other mechanisms and then they ran those samples against us, which then told them, "Okay, this is something that is malicious," and that's when we got the engagement, we sent people in to help. We started rolling out the product and as you can see in the report, there were some items, that as they started doing that roll out, characterizes, they were lit up like a Christmas tree, because once they rolled us out and they started getting the visibility to what was on their systems, there was right around 2,000 pieces of malicious code that we had identified.

Interviewer: [00:16:41:15] What are the takeaways for you?

Malcolm Harkins: [00:16:43:04] I think the takeaways are a few things. One, when you evaluate a new technology and a new set of controls and a new way of doing things. Like Opium had the opportunity to do, starting in 2014 and again, if you look through the timeline and you look through the conclusions, if they had deployed us in those time periods, the report is pretty conclusive, it would have prevented and mitigated, essentially, all of this from having occurred. It's a little bit, hindsight's 20/20, but I think there's a lesson in that for everyone. And it's a new approach, it's a new way of thinking, but it does change the risk dynamic, so that's one. Two, perhaps the leadership challenge and I think that's a broader thing, that when I read the report, that I think it is perhaps a systemic issue across the industry, in terms of having policies, not implementing them, having an idea of what I can do to solve the risk, not moving forward with it, not getting the budget and authority, having a level of perhaps, more independence of the security team, the security officer from the IT team. Because again, if the IT team's measured on availability, roll out of functionality and cost, I'm a big believer in structure drivers, behavior, you get what you measure, that's an element I think, of some of the stuff. And then finally, I think the other big learning and conclusion of this report is, there is hope, you can achieve a level of security, that is unprecedented, I think you can achieve a level of flattening and lowering your total cost of controls that's unprecedented, when you focus on prevention. And then, finally, I think with the right mindset, security can enable the business.

Dave Bittner: [00:18:44:14] That's Malcolm Harkins from Cylance. You can hear more of our discussion, where we talk about the responsibilities of board members, proactive versus reactive approaches to security and how some security professionals have what Mr Harkins describes as a hero dilemma, next week on our website, the CyberWire dot com.

Dave Bittner: [00:19:05:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody.