The CyberWire Daily Podcast 10.20.16
Ep 209 | 10.20.16

CyberMaryland updates. Great power cyber conflict (and organized cyber crime on the side). Vote hacking, agents of influence, and information operations. IoT botnets continue to romp.


Dave Bittner: [00:00:00:00] Czech authorities arrested a Russian man in connection with 2012's LinkedIn hack. US response to Russian election hacking is still under preparation. IoT botnets proliferate as Mirai source code spreads through the criminal underground. Some 200 strains of ransomware are reported in the wild. Financial regulators push greater security. Muddy Waters and St. Jude continue their dispute over medical device vulnerabilities. And notes from CyberMaryland 2016.

Dave Bittner: [00:00:32:13] It's time to mention of our sponsors E8Security and let me ask you a question. Do you fear the unknown? Lots of people do, of course. Vampires, Thunderbirds, stuff like that. But, we're not talking about those. We're talking about real threats. Unknown unknowns lurking in your networks. The people at E8 have a white paper on Hunting the Unknowns with machine learning and big data analytics that go beyond the old school legacies signature matching and human watch standing.

Dave Bittner: [00:00:57:20] Go to and download their free white paper, Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat no-one has ever seen before. For known unknowns like poltergeist and zombies, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. Go to and check out the free white paper and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:37:18] I'm Dave Bittner in Baltimore. Coming to you from CyberMaryland 2016 with your CyberWire summary for Thursday October 20th 2016.

Dave Bittner: [00:01:46:22] News that Czech authorities arrested a Russian National on charges related to hacking US targets was widely but incorrectly seen as marking the opening shot in the much-anticipated American response to Russia's recent cyber offensive. In fact the crimes the still-unnamed 29 year old man is alleged to have committed instead are related to the 2012 LinkedIn hack. Credentials stolen in that incident could have been used in subsequent compromises, but that remains a matter of speculation. In any case, the gentleman now facing extradition proceedings in a Prague court isn't exactly Fancy Bear or even Cozy Bear. A Czech judge will decide whether he will be turned over to American authorities to face trial in the US.

Dave Bittner: [00:02:28:16] So while the FBI appears to have helped Czech collar this particular hacker, the arrest doesn't seem to represent a US retort to Russian hacking of the Democratic National Committee or related political targets. Observers think that some set of stiff sanctions remains the likeliest form of US response to Russian activity.

Dave Bittner: [00:02:48:11] Former NSA Director Michael Hayden commented to the Heritage Foundation this week that hacking a political party's email was the sort of espionage states do engage in. "Honorable states espionage", as he put it. That's not to say the US has to like it. Hayden went on to say that election hacking should be put in the "Russian problem box", not the "Cyber problem box".

Dave Bittner: [00:03:10:13] This morning at CyberMaryland, Admiral Rogers, the current NSA Director, noted that an election hacking was the sort of information operation Russia has engaged in for a long time. The emergence of cyberspace as an operational domain has greatly enhanced what they can do in this regard. "We've acknowledged that the Russians were behind the hacking of the DNC and other. We need to step back and think about the implications of this. Fundamentally as a nation it's important that we believe the mechanisms of government can be trusted. How an we engender trust and confidence, and send the right message to the rest of the world?"

Dave Bittner: [00:03:44:18] In any case Russian hacking is thought unlikely in the extreme to directly control results of voting this November. The US voting system is too disparate to make this likely, but analysts see two potential problem areas: disruptive "chaos" on Election Day itself, possibly produced by affecting the AP's poll-tracking and result projection system. And a general erosion of citizen's confidence in the US political system.

Dave Bittner: [00:04:10:16] Turning to conventional cybercrime, ransomware and IoT botnet-driven DDoS remain the most widespread forms of cybercrime globally. BankInfo Security's scorecard shows more than 200 ransomware strains now in circulation. Standard bodies and regulators are working to evolve modes of defense and design, and US financial regulators in particular are promising new guidelines. The proliferation of Mirai source code continues to drive formation of internet-of-things botnets. KrebsOnSecurity is tracking some firms it believes occupy some fringe area between legitimate domain registrars and DDoS enablers.

Dave Bittner: [00:04:47:12] Muddy Waters Capital, famous for having shorted St. Jude stock, then releasing results of research that allegedly revealed vulnerabilities in St. Jude medical devices, has returned to the news with more allegations of flaws in implantable cardiac devices. They report these in the form of videos posted to a site Muddy Waters has established for that purpose. St. Jude is suing both Muddy Waters Capital and the vulnerability researchers it employed, MedSec, alleging that reports of vulnerabilities are inaccurate and sensationalized and done for Muddy Waters and MedSec's financial gain.

Dave Bittner: [00:05:21:07] Verizon's acquisition of Yahoo remains in doubt as Verizon continues to assess the materiality of Yahoo's recent breach disclosure.

Dave Bittner: [00:05:29:05] Not in doubt however, are two other acquisitions. Nehemiah Security has announced its acquisition of Triumphant, and Malwarebytes has acquired AdwCleaner, a French company that specializes in anti-adware technology.

Dave Bittner: [00:05:42:22] As we mentioned we're podcasting today from CyberMaryland 2016, which opened this morning at the Inner Harbor Hilton in Baltimore. This morning's keynote address was by Admiral Michael Rogers, NSA Director and Commander US Cyber Command. He was particularly concerned to emphasize the importance of human capital in the cyber domain.

Dave Bittner: [00:06:01:17] Some of the most excellent human capital on record will be honored here tonight as the National Cyber Security Hall of Fame inducts its newest members. The class of 2016 includes: Dan Geer (Chief Information Security Officer at in-Q-Tel). Lance J Hoffman (Distinguished Research Professor of Computer Science, the George Washington University). Horst Feistel (Cryptographer and inventor of the United States Data Encryption Standard). Paul Karger (High Assurance architect, prolific writer and creative inventor). Butler Lampson (Adjunct Professor at MIT, Turing Award and Draper Prize winner). Leonard J LaPadula (co-author of the Bell-LaPadula model of computer security), and William Hugh Murray (pioneer, author and founder of the Colloquium for Information System Security Education). Congratulations to them all.

Dave Bittner: [00:06:49:03] Tom Sadowski is Vice Chancellor for Economic Development for the University System of Maryland. He sat down with us here at CyberMaryland to discuss the evolution of the conference and the role of the university system in the cyber ecosystem.

Dave Bittner: [00:07:04:12] So here we are at CyberMaryland and this is an event that you have been involved with for a long time. Take us through sort of the evolution of CyberMaryland and where it is today?

Tom Sadowski: [00:07:16:01] Well it started out as this idea about, you know, supporting the mission at Fort Meade and NSA and the nature of the mission there didn't involve private sector and the talent pool and so we thought, you know, let's get all the community players together and talk about how we can be better supporters of the post. And then industry associated with the post. And then we started to understand the nature of the industry and all the commercial applications. It kind of grew from there this...all these great relationships and this community eco system began to build and today we like to refer to it as this community of communities, because CyberMaryland then reached out to CyberTexas and, you known cyber California and next thing you know I think today at the conference we launched Cyber USA. So, again building this community network really spawned from a couple of champions that really believed in the mission here and the promise of the industry and just getting the right stakeholders together.

Dave Bittner: [00:08:13:04] And what is the advantage of having a regional get together like this?

Tom Sadowski: [00:08:18:03] I think the advantage of having a regional get together is anytime you get a little too procurial you know you become a suffer too much from tunnel vision. So, regional there are a lot of complementary assets throughout the region. You know, no one jurisdiction or no one, you know confined geographic market place can ever feel like they control, particularly something like cyber. So the benefits of having a regional conversation are you broaden the realm of the conversation. You know you have different skill sets, different backgrounds that are encouraged and then new ideas stem from there. Then you've got a more resources and you kind of create, again I think a larger more plugged in community. Whereas if you're just working within a confined constraint I think your ideas and then your impact become constrained as well. So, I think regionalism has been really key.

Dave Bittner: [00:09:11:08] You're involved with the university system now, what is the role that the university system has to play in all of this?

Tom Sadowski: [00:09:17:05] We're in the business of human capital development. That means, you know, if it's the furtherance of ideas, of creation of new ideas, discovery of the generation of talent all those things are critical. And, you know, we know that we played an important role in the states economic development conversation but, we do a lot each and every day to support the federal government in its mission. We do a lot of regated support industry in what they do and the nature of how innovation is done. It requires partnership now. And so, our job each and every day now is putting ourselves out there and letting the world know that we're active and engaged partners in that whole innovation discussion. And meanwhile, you know we have to be mindful of the students. You know, because without heard Admiral Mike Rogers say today, I mean a human capital concern is the greatest challenge we face in this cyber discussion. And, we take that seriously.

Tom Sadowski: [00:10:10:04] We know that we're generating the talent and the minds necessary to keep this nation's economic engine running. And, so we take that job very seriously. And if we're not part of the conversation then we don't know how to best do that.

Dave Bittner: [00:10:22:04] That's Tom Sadowski, Vice Chancellor for Economic Development for the University System of Maryland .

Dave Bittner: [00:10:29:06] And finally another note to you fellow youths. This one courtesy of Admiral Rogers, who noted this morning that his Millennial sons, children of their generation, think the ability to access whatever data you want in whatever format you choose is in the United States Constitution somewhere. IT's a living document, maybe. And you kids, you've still got to get off my lawn.

Dave Bittner: [00:10:55:22] Time to take a break to tell you about one of our sponsors. If you're a cyber security professional and you're looking for career opportunities check out They're a veteran owned specialist that matching security professionals with rewarding careers. They have opportunities from top employers like Swift, Decer and the Los Alamos National Laboratory. Learn more about their opportunities for both cleared and non-cleared professionals at their website Once more that's And we thank for sponsoring our show.

Dave Bittner: [00:11:37:01] I'm pleased to be joined once again by Ron Yahalom, he's the project leader at the Malware Lab of the Cyber Security Research Center at Ben-Gurion University. Ron, I know today you wanted to talk about something in your research that is referred to as BadUSB?

Ron Yahalom: [00:11:52:05] The users need to trust USB devices to do what they think that the device is supposed to do but in reality USB devices are small computers that can be re-programmed to do just about anything. So, you really should think of a USB device as a syringe and be sure that it's sterile before you inject it into a host computer. This concept is commonly referred to as “BadUSB,” which is actually a family of USB attacks that are based on a reprogramming of the USB device's firmware.

Ron Yahalom: [00:12:20:22] Reprogramming is usually made possible by reverse engineering the other way. But, usually you just reverse engineer the firmware update process. And then you can practically re-program the device to do whatever you want it to. Now, it's important to understand that the BadUSB it's not a technical flow over mobility. It's just completely complaint with the USB specification. You have a lot of examples of BadUSB attacks. For example, got device simulation attacks where you have flash drive that emulates the keyboard and injects keystrokes. Where a flash drive that emulates a network adapter. And it just overrides the host DNS and the full gateway settings once you inject it into the host.

Ron Yahalom: [00:13:02:15] Another example of a BadUSB attack would be bootsetra virus. Once you plug in an infected flash drive it detects which operating system its communicating with and when the bos acts as a flash drive a keyboard is emulated to get the host to boot from the hidden storage that was placed on the flash drive and this hidden storage contains a rootkit. And that's how you get a rootkit to infect the host computer that's booting from the flash drive. So these attacks are very, very powerful.

Dave Bittner: [00:13:35:04] So are we're seeing reports of these types of attacks in the wild?

Ron Yahalom: [00:13:38:18] Formal reports no. But, these attacks have been demonstrated so, we know they work. We have seen also some scientific papers published about different attacks also based on reprogramming the firmware for example, for re-programming of webcams firmware so that it's actually spying on whoever is using the webcam and stuff like that.

Dave Bittner: [00:14:03:09] Alright, Ron Yahalom thanks for joining us.

Dave Bittner: [00:14:07:24] And that's the CyberWire. If you are at CyberMaryland do come by and say hello. For links to all of today's stories along with interviews our glossary and more visit The podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben. And our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.