The CyberWire Daily Podcast 9.23.16
Ep 191 | 9.23.16

Yahoo! breach, infected torrents, insider threats.


Dave Bittner: [00:00:04:07] Bad news for Yahoo!. Really bad. Raum finds its space in the black market. M&A news and a new third party risk management coalition. NATO themed phishbait and a conversation with RedOwl's Brian White about insider threats.

Dave Bittner: [00:00:24:24] Time to take a moment to tell you about our sponsor, Recorded Future. The real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's cyber daily email, to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:26:05] I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday September 23rd, 2016.

Dave Bittner: [00:01:33:04] That cloud over Yahoo! Security industry people have had their eye on, boiled up yesterday afternoon into a metaphorical derecho. At least 500 million users have had their accounts compromised, which makes this one of the largest data breaches so far recorded and probably the largest ever from a single site. Yahoo! Disclosed that in 2014 what they describe as a state sponsored actor, no state mentioned but we're betting it's not Maryland or even Virginia, exfiltrated names, phone numbers, dates of birth, security questions and answers, and hashed passwords. Yahoo! does say that no financial information was compromised. The company is in the process of notifying its many affected customers and it advises all who haven't changed their passwords since 2014 to do so as soon as possible.

Dave Bittner: [00:02:18:00] In early August, the hacker known as "Peace" said that he or she had some 200 million Yahoo! credentials for sale. It's not known yet whether that claim is connected to the breach disclosed yesterday.

Dave Bittner: [00:02:30:11] According to the Wall Street Journal, Verizon, which has been in the process of acquiring Yahoo! And disentangling the acquisition target from its stake in Alibaba said it had been notified of the incident within the last two days, but that it was not yet informed enough to comment.

Dave Bittner: [00:02:44:18] Investigation by both Yahoo! and law enforcement authorities is in progress.

Dave Bittner: [00:02:50:18] A new malicious tool on offer in the criminal market is drawing some attention. Called Raum, it distributes malware through torrent files. That's not entirely new, there have been malicious torrents before. What is innovative is the criminals' business model. The gang responsible thought by security researchers at InfoArmor to be the Eastern European mob known as Black Team, not only has what CSO calls a slick interface but they've got an advanced pay-per install model. They're also selective about their criminal to criminal clientèle.

Dave Bittner: [00:03:22:10] InfoArmor says the underground markets that sell Raum are accessible by invitation only with very strict virtual bouncers at the door.

Dave Bittner: [00:03:30:22] Black Team's customers are bundling the tool with malicious games and using it to infect users of both PCs and Macs. Those who frequent sites like the Pirate Bay and ExtraTorrent are thought to be particularly at risk. The malicious pay loads have included ransomware like CryptXXX, the Dridex banking Trojan, and password-lifting Pony spyware.

Dave Bittner: [00:03:51:12] The CyberWire heard from Lastline's CMO, Bert Rankin, who thinks one take away from the incident should be the insufficiency of signature based defenses. "This is exactly the type of pernicious, evasive malware that cross contaminates enterprise organizations. Because it bypasses firewalls and legacy perimeter defenses, it's likely to get in to the enterprise through BYOD and even corporate assets used off the corporate domain." He thinks Raum provides a strong use case for security defenses that identify malware by its behavior.

Dave Bittner: [00:04:24:12] Looking back at the week, there's been a lot of movement in the security industry. Some big consumers of security products including Uber, Twitter, Pivotal, Dropbox, Palantir, Square, Atlassian, GoDaddy, Docker and Airbnb, have formed a coalition aimed at improving cyber security standards. The new vendor security alliance, inevitably to be known by its acronym VSA, will seek to improve the security posture of third party vendors.

Dave Bittner: [00:04:51:16] Vista Equity Partners took network control shop Infoblox private in a deal worth $1.6 billion. Colorado based security company, Webroot, has acquired machine-learning company CyberFlow Analytics for an undisclosed sum.

Dave Bittner: [00:05:07:24] Oracle has acquired Cloud security vendor, Palerra, also for an undisclosed amount, and with its sights set on market leader, Splunk, big data search and analytics house, Elastic, has picked up Prelert which specializes in unsupervised machine-learning.

Dave Bittner: [00:05:22:11] Venture capitalists continue to be more selective in which cyber security startups to back, but there's still money coming into the sector. White Ops for example has just closed a $20 million Series B round.

Dave Bittner: [00:05:34:21] And finally, it's worth returning to the recent intrusions into the networks of German politicians. It involved a spear phishing campaign which is increasingly the norm in cyber attacks aimed at espionage. The phishbait in this instance consisted in large part of spoofed emails, purporting to be from NATO. Those with long memories, that is memories extending back to early July, will recall doxed emails from a former Supreme Allied Commander Europe, that appeared to reveal a campaign to pressure the US administration into a harder line against Russian actions in Ukraine. Those emails appeared in DCLeaks, a site now regarded by many as Moscow-run.

Dave Bittner: [00:06:13:02] Thus NATO themed emails would be appealing bait. So if you get an email in which, say, the Supreme Allied Commander Europe says that he would like to share an unexpected inheritance with you, he just needs some wire transfer information so the funds can be credited to your account, well, you've been warned. It's not likely General Scapparotti really sent you that request.

Dave Bittner: [00:06:34:22] And that's news you can use.

Dave Bittner: [00:06:40:18] We've got another message from our sponsor Recorded Future, what are you doing the first week in October? If you're a threat intelligence enthusiast consider joining Recorded Future for RFUN 2016 in Washington DC. On October 5th and 6th. This year's annual conference promises to be at least as good as the last four, after all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web. Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cyber security depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:07:42:00] And I'm pleased to be joined again by Emily Wilson, she's the Director of Analysis at Terbium Labs. Emily, when it comes to dumping data on the dark web reputation makes a difference, yes?

Emily Wilson: [00:07:53:02] It does. There are certain personalities that tend to favor toward one type of information or another; certain signatures that you tend to look at it and think I believe you. I think that this was unsigned or if this was anybody else, I wouldn't believe that this is real data but because it's you I'm going to trust that. People who have come to be prolific in one particular type of data dump or another.

Emily Wilson: [00:08:18:24] One of the interesting things that we see, that I still can't quite wrap my head around, is that we see people who kind of have their hacksaw89 Twitter handle and they're re-dumping information that's several years old. So you have a famous dump of some kind, and then someone six months later, a year later, two years later, is coming back and saying, "Hey guys, I hacked the FBI" or, "Hey guys, I hacked Sony. Check out my Twitter." So it's interesting because you have this odd thing where there's reputation on a broader scale, individuals are names that you come to trust and then you have these people who you can only imagine are frankly 15 year olds bragging to their friends on the internet about how they hacked the government.

Dave Bittner: [00:09:07:23] But they didn't.

Emily Wilson: [00:09:08:23] But they didn't.

Dave Bittner: [00:09:08:23] They're recycling old information.

Emily Wilson: [00:09:11:24] They are, they are recycling old information. If I had a dollar for every time I saw someone reformat information from one of the major government dumps, and claim it was their own.

Dave Bittner: [00:09:23:14] And does the rest of the community respond to this and turn their noses up to these people?

Emily Wilson: [00:09:29:10] No, oddly they're broadly ignored. It's not really worth my time. I don't know, the dark web community is an interesting one because you have your factions, you have people who are there primarily for drugs, people who are there for fraud and they don't think very kindly of each other. But then they all turn a snide eye to anyone who's there asking, "Hey where can I find this scary, super gory details that people tell me are on the dark webs?" Obviously anyone who's asking for material related to exploitation is rather soundly told to walk away.

Emily Wilson: [00:10:08:03] People tend to think of the dark web as this scary, frankly very dark place full of criminal activity and it's not that.

Dave Bittner: [00:10:19:04] Like a dark alley that you wouldn't want to wander down?

Emily Wilson: [00:10:21:12] Right. That's actually the odd thing; it's frankly just a harder-to-access platform for e-commerce. People are just doing business. People rely on reviews and reputation and having a better product or a better price or faster shipping or better shipping than their neighbors. It's not that scary.

Dave Bittner: [00:10:43:14] Emily Wilson, thank you for joining us.

Dave Bittner: [00:10:46:15] I'd like to take a break and tell you about an exciting CyberWire event that's coming up soon; the third annual Women in Cyber Security reception. Taking place September 27th at the Columbus Center on the beautiful waterfront in downtown Baltimore. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cyber security industry. The focus of the event is networking, and it brings together leaders from the private sector, academia, and government from across the region and women at varying points in their career spectrum. The reception also provides a forum for women seeking cyber security careers, to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connections.

Dave Bittner: [00:11:29:03] This year we're pleased to be partnering with the great people over at the Cyber Security Association of Maryland, CAM, we're grateful to our sponsors too. Booz Allen Hamilton, Cylance, Saul Ewing LLP, Exelon, ClearedJobs.Net and CyberSecJobs, CyberPoint International, Delta Risk, IBM, Redacted and A.I. Tech. If your company is interested in supporting this important event, we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is an invitation only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels.

Dave Bittner: [00:12:09:00] If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website: That's And we look forward to hearing from you.

Dave Bittner: [00:12:28:01] My guest today is Brian White. He's the chief operating officer at RedOwl. A company that provides information security and regulatory surveillance products. He joined us in our Baltimore studios to discuss the challenges of defending organizations from insider threats, both malicious and accidental.

Brian White: [00:12:45:11] We have email, chat, phone calls we make. Activity we do on the network. What we do on an endpoint. What we may do with a physical badge, where we go. And all that data exists. But the problem has been is it's very difficult to pull it in to one place and then really find some meaning within that data.

Brian White: [00:13:04:21] So the founding vision was how do we pull together structured data, and that is the network data that I'm talking about, as well as the unstructured data. That being the email, the comms, the voice. And pulling it into a platform, and then applying analytics on top of it. The use cases that we solve are really around how you mitigate human risk. What are you doing around the insider threat? And we define that very broadly. So one broad set of use case for us, is for the information security community, where we help those organizations really look to uncover if they have a malicious, compromised or negligent employee. And maybe during this we'll go a little bit deeper into those.

Brian White: [00:13:46:24] The other use case that's germane is what we're doing in trader surveillance. That is what we do for large investment banks and asset managers that are looking to surveille their trading activity. And they're mandated to do it, but what has happened is that they really have had some very legacy-style tools. So they are now taking advantage of companies such as ours, to have the capability to look and do their essential supervisory review to make sure that their employees are compliant as well as, and perhaps more importantly, use the analytics to uncover those that maybe doing something that they don't know about.

Brian White: [00:14:25:10] To us, it's the same problem, because it's insider risk, but there's two different people that are interested in the issue.

Dave Bittner: [00:14:32:14] Take me through the insider threat types. The person who is out to do bad, and the person who may just not know any better?

Brian White: [00:14:41:21] That's a great point. I mean the reality is, I think we'll all know about the insider threat because of Edward Snowden. He is one of many, and perhaps the most public, especially with the new movie coming out this week, the Oliver Stone film. It sets out what a committed insider may do. To me, he was clearly a malicious insider, and not venturing my opinion on what I think about his actions, the reality is that he took information and exposed it to people that should not have had it. I think what he proved is that, very publicly, the kind of damage that somebody can do when they are committed to this.

Brian White: [00:15:25:12] You have not just seen that obviously in a public breach there,but you see that actually across corporate America, day in and day out. We have been able to catch people taking information before going to a competitor. So these happened fairly regularly where an individual is committed, to take information that they should not and expose it to somebody else. So to us, that individual is a malicious insider. But there are two other types there that are equally as important.

Brian White: [00:15:52:11] One is the negligent insider. That is essentially probably a lot of people that may even be listening to this. Those are individuals that may share a document inadvertently with somebody. They may access a site that they should not have access to. They may leave. They may send information somewhere, they may bring it in to a cloud service and, by doing that, they're exposing information and introducing more risk. But they don't set out when they get to work in the morning to do something bad. Those are the negligent users and they are, perhaps, the most concerning because you need to really start to train them on the education and awareness, and then when you do have a program in place to catch them, you don't want to obviously take

Brian White: [00:16:36:17] Termination action against them. But you do want to uncover what happened here? What can we learn to do better, and how is this applicable across the organization? Because often what they're doing is probably somebody else is making a similar type mistake.

Brian White: [00:16:48:24] The third category is really, as you well know here, a compromised insider and this is clearly the primary means of access now with spear phishing, running an exploit and then going ahead and taking over your account. And essentially what is happening there is you are doing something that is unlike you. Because, as I always say to people, the cyber threat is sometimes lost in these big words and whether it's the Chinese or the Russians or the APT or whatever term we want to throw in there, but the reality is we have gotten fairly good at stopping the automated style attacks. When people are really trying to break in and do harm, especially to large, sophisticated organizations, it is a person doing it. Point one. It's a person sitting somewhere taking remote access and moving around to find out what they're looking for. But when that person is using legitimate credentials, they are

Brian White: [00:17:47:17] Doing actions that are unlike the legitimate person. For example, when you or I show up at work every morning, we do a lot of things that are generally the same to us. We open up email, we check the sports site, we read the news, we then have a lull and we go grab a cup of coffee, we generally show up at the same time at work. Now, if you are all off a sudden not doing those actions and accessing source code repositories, seeking to escalate privileges, that's an issue and that should be flagged. So really what we are trying to do with those insiders is find them from the inside. And prove out that their pattern looks different and, therefore, this person may be a compromised account and therefore require some investigation

Dave Bittner: [00:18:31:18] What are the parts of what you're doing that are still puzzling to you? What are the harder parts that if only we could figure this part out, what we're doing would be a lot easier?

Brian White: [00:18:41:06] I think the story that for some reason is underplayed is the people in the organization. There's a study out there that says that 20% of employees would sell their log on credentials, for less than $100,. I mean the people don't even know that they're necessarily targets. I think we need a broader public discussion on this issue and then from a company and from a technology perspective, we're excited with where things are going. Taking advantage of data stack, data stories like Elastic, being able to do some very fun streaming in analytics, being able to deploy in AWS. I mean you are just taking advantage of a very ripe environment to deploy our type of technology. And it's fun.

Dave Bittner: [00:19:30:23] My thanks to Brian White. He is the Chief Operating Officer at RedOwl.

Dave Bittner: [00:19:38:11] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I am Dave Bittner. Have a great weekend everybody.