The CyberWire Daily Podcast 9.20.16
Ep 188 | 9.20.16

FBI hunts Russian bears, election hacking, chat bot warnings.


Dave Bittner: [00:00:03:17] The FBI is looking for ways to impose costs on Fancy Bear and Cozy Bear. Election hacking fears remain, despite DHS reassurances and industry sources warn of privacy risks within campaign databases. Investigation continues into the ISIS-claimed weekend attacks. Cisco patches a firewall vulnerability related to a Shadow Brokers' exploit. M&A activity and other warnings to beware of chat bots. They're out phishing.

Dave Bittner: [00:00:35:08] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:01:01:00] We at the CyberWire have long been subscribers to Recorded Future Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:32:20] I'm Dave Bittner, in Baltimore with your CyberWire daily podcast for Tuesday, September 20th, 2016.

Dave Bittner: [00:01:38:19] The FBI is looking, hard, for a way in which law enforcement could impose costs on Fancy Bear and probably on Cozy Bear too. If you've misplaced your scorecard, Fancy Bear works for Russia's GRU, the country's military intelligence establishment and Cozy Bear is with the FSB, which is the post-Soviet heir to the old KGB.

Dave Bittner: [00:01:58:03] Reuters says the Bureau is under pressure to do something, but what thing it might be able to do is unclear. There's a good bit of speculation about tighter sanctions. What hasn't surfaced so far among the options are the names of any "people behind the keyboards," as FBI Director Comey has referred to state agencies' actual human operators.

Dave Bittner: [00:02:17:01] The FBI has worked to bring indictments against named officers of China's People's Liberation Army in industrial espionage cases brought in Pennsylvania. So far, however, no named individuals have surfaced and so the costs to be imposed would appear likely to be sanctions as opposed to indictments.

Dave Bittner: [00:02:34:09] Assurances and support from the US Department of Homeland Security aside, many in the security industry warn that vote hacking is possible and that it need not be global or even widespread to affect an election. Security company LogRhythm, for one, pointed out a disturbing fact to Dark Reading. There are about two and a half months between election and inauguration. It takes an average of six months for companies to detect a breach.

Dave Bittner: [00:03:00:08] Quite apart from voter fraud and foreign influence, the analysis of voter behavior and preferences by campaigns poses its own threat to privacy. Andrew Hay, CISO of security company DataGravity writes in HackRead that political campaigns, like other organized and centrally directed marketing efforts, collect, analyze and use a great deal of personal information. If you're in a demographic group of interest, expect campaigns to look closely at whatever they can learn about you and your preferences. The security with which those data are handled may not even be up to advertiser standards. And the data can't be assumed to disappear once the campaign is over, so the risk may be an enduring one.

Dave Bittner: [00:03:40:23] Other high-profile investigations currently underway are looking into the weekend attacks in New York, New Jersey, and Minnesota. The cyber dimension here is the ISIS information campaign that successfully radicalizes, recruits and inspires fighters to violence. Investigators are looking into the online activities of suspects in the attacks but so far not much has turned up. So in these cases ISIS may be applauding and claiming people with a tenuous connection to the Caliphate. In any event centralized command and control have never been the ISIS way. Their operations have depended more on inspiration than direction.

Dave Bittner: [00:04:16:13] Many are calling for more effective counter-radicalization programs. Most countries have versions of these in place, but the problem lies in the messaging, and in the conviction. It's unclear what Western societies could offer, or would be willing to offer, that could compete with the promise of transcendence that motivates the convinced to murder, and to willingly die in the act of murder.

Dave Bittner: [00:04:38:01] The Shadow Brokers released a large tranche of genuine zero-days early last month, which the Brokers claimed to have got from a compromised NSA operation belonging to the Equation Group. Some of the exploits affected Cisco products, and Cisco quickly patched. Cisco has issued another patch that fixes a vulnerability it discovered in the course of researching the Shadow Brokers' leaks. It affects a Cisco firewall and is similar to the BENIGNCERTAIN exploit closed earlier.

Dave Bittner: [00:05:05:13] It's unclear from reports whether the bug was in the Equation Group tranche of zero-days or whether the revelation of the BENIGNCERTAIN exploit prompted the research that disclosed similar flaws. Probably the latter, but in any case, patch.

Dave Bittner: [00:05:20:19] Mozilla is due out with a Firefox patch today. This one is expected to fix a man-in-the-middle vulnerability in Mozilla's popular browser.

Dave Bittner: [00:05:29:05] Last week at the Billington Cyber Security Summit in Washington DC, we sat down with CaseyEllis. He's the founder and CEO of Bugcrowd, a company that aims to crowdsource application testing, connecting crowds of independent security researchers with companies to uncover vulnerabilities and collect bug bounties. One of the challenges Bugcrowd faces is convincing companies to trust their apps to a group of hackers.

Casey Ellis: [00:05:52:18] I really see that trust evolution as a very similar one that the market went through when pen-testing first became a thing back in the early, you know, 2000s. And really what it comes down to is, you know, they're assessing risk versus reward and they're getting used to a novel concept and trying to get their heads around what those risks actually are and a big part of what Bugcrowd built is things to actually mitigate that risk and make it controllable for the client.

Casey Ellis: [00:06:19:24] So it's an interesting one because I think, you know, the, the biggest initial issue is this sense of, you know, aren't hackers bad? There's this, you know, I think, immediate kind of link that most people draw that someone that can do something bad to a computer is someone that shouldn't be trusted. And the reality of it is, you know, people like myself and people like the folk that we have in the crowd, they enjoy that type of thinking. They enjoy thinking like a criminal essentially, but they have absolutely no desire to be one which makes them incredibly useful and, you know, really necessary at this point.

Casey Ellis: [00:06:51:10] You look at where the cybersecurity industry's up to, there's a chronic shortage of resources and I actually think the big driver for all of this is people are looking for more creative ways to connect talent to the problems that they have.

Dave Bittner: [00:07:04:21] In addition to connecting security researchers with companies, Bugcrowd provides opportunities for the hackers to connect and learn from each other.

Casey Ellis: [00:07:12:19] It's basically getting the crowd to educate itself. So we've got, you know, forums, we've got, like, channels that we've set up on different things, and we encourage wherever we can communication between the researchers to help teach each other how to be better at all of this stuff. And for the better part, they're actually quite collaborative.

Casey Ellis: [00:07:30:21] I get asked often, like, "Isn't this a competitive thing?" Sometimes it is, sometimes they have a secret sauce they don't want to share. But for the better part it's actually quite a supportive group of people. You know, new people come in and as long as there's this humble attitude and desire to learn, like, that's the hacker mindset, alright? So they kind of take them in as one of their own and it goes from there which is just-- it's a wonderful thing to watch.

Dave Bittner: [00:07:56:19] Ellis believes that crowdsourcing helps bring a level of proportionality to the fight.

Casey Ellis: [00:08:00:20] In my mind, this is not, this is not about bug bounties or, or vulnerability disclosure as much as it is about just this absolutely crying need we have to, to deliver more human creativity into this problem space. You know, get people that don't think like security, like, the thing is that engineers, you know, people that are outside of security, generally don't think like an adversary. They don't have an adversarial mindset. And the problem I think with a lot of people in security is that we assume they do, because that's just how we walk around, right? We're looking, we're looking at the locked door and thinking about how, you know, safe the lock is or whatever else.

Casey Ellis: [00:08:40:02] They don't do that. So there's this essence of, like, mutual understanding that needs to happen and this feedback loop that needs to be created. And there's not enough people to do that and the way that we're doing it right now is broken. So the way I see this progress over time is basically for, you know, coordinated disclosure, people actually saying, "Okay, if you find something reactively I'll provide a channel for you to communicate that to me." That I think is going to become completely ubiquitous.

Casey Ellis: [00:09:09:22] And then this idea of basically crowdsourcing as a, as a way of accessing talent and solving security problems, I see that as being a necessary way to combat just the lack of professionals we've got right now. So it's going to be interesting, particularly in the next three years in this space. I think it's going to be pretty radical in terms of some of the shifts we see.

Dave Bittner: [00:09:33:23] That's Casey Ellis from Bugcrowd.

Dave Bittner: [00:09:37:18] A quick rundown of some industry news. Vista Equity Partners is taking Infoblox private, acquiring it for $1.6 billion. Colorado-based Webroot has acquired San Diego-based machine-learning shop CyberFlow Analytics for an undisclosed sum. And KBR has picked up Honeywell Technology Solutions, which has a cyber practice.

Dave Bittner: [00:09:59:09] Finally, there are some warnings out there about chatbots. As they get better at imitating human chit-chat, call-and-response, do keep your Turing Test guard up. It's inevitable that chat bots will be used for phishing. Indeed, Dark Reading reports that some chat bots have been chumming around the Tinder dating app. Yes, believe it or not, some lovelorn gentlemen have been hornswoggled by a chatbot who convinced them that it or she really truly cared or at least was up for a good time. So be wary, friends, especially if that chat bot calls herself "Tay."

Dave Bittner: [00:10:39:01] We've got another message from our sponsor Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast consider joining Recorded Future for RFUN 2016 in Washington DC on October 5th and 6th. This year's annual conference promises to be at least as good as the last four, after all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web.

Dave Bittner: [00:11:02:20] Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cybersecurity depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:40:06] Joining me once again is Dr Charles Clancy. He's the director of the HumeCenter for National Security and Technology at Virginia Tech. Dr Clancy, welcome back. I know you wanted to talk today about the situation that's been brewing with, with St. Jude's Medical and Muddy Waters Capital and MedSec Cyber Security.

Dr Charles Clancy: [00:11:59:00] I think it's a, it's a really fascinating series of events that I think is unprecedented right now in the world of cybersecurity and for those of your listeners who haven't been following the news quite as closely over the last couple of weeks, basically a couple of weeks ago, Muddy Waters announced a, a short position on St. Jude's, which is a company that creates pacemakers and other medical devices, basically saying that they had discovered through their consultant, MedSec, a number of cyber vulnerabilities that were able to kill the battery in pacemakers or change the therapies delivered by pacemakers, both of which could have lethal consequences.

Dr Charles Clancy: [00:12:43:04] This was particularly interesting in my opinion because it was the first time we've seen a hedge fund actually take a financial position against a company with respect to a potential cyber vulnerability and the impact that that would have on their, on their long term stock value. And many in the community were kind of upset by the tactics, indicating that it wasn't really a responsible disclosure of a vulnerability, while others felt that it was kind of an interesting way to really get people's attention and highlight the vulnerabilities in this domain.

Dave Bittner: [00:13:18:24] Yes, and we saw just this week that St. Jude has responded and has sued Muddy Waters and MedSec for defamation which is an interesting response. It seems legal people are saying they have an uphill battle, but it's a response nonetheless.

Dr Charles Clancy: [00:13:34:10] Indeed it is, and they're basing a lot of their assessment on some work that was done at University of Michigan where they have a research center that's been funded by the National Science Foundation for the last few years, looking specifically at medical devices. And the researchers at University of Michigan basically say that the error messages that MedSec was able to demonstrate, were perhaps not as catastrophic as they indicated they were, and so while they weren't necessarily saying that the vulnerabilities weren't there, they were just saying that the proof that's been presented so far is perhaps not conclusive.

Dr Charles Clancy: [00:14:10:08] So it's interesting to see the-- St. Jude's response and I think what has a lot of people in the community on edge, is whether or not this is an anomaly or this is the new normal in terms of major vulnerability reporting.

Dave Bittner: [00:14:24:23] Alright, we'll keep an eye on it. Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:14:30:18] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.