The CyberWire Daily Podcast 11.10.16
Ep 224 | 11.10.16

Yahoo! warns Verizon deal may be at risk. More OPM-themed ransomware phishing. Cyber policy advice for, and speculation about, the next US Administration.


Dave Bittner: [00:00:03:18] Elections in the US are over without much hacking, but don't worry - there'll be more cyber finagling from Moscow as France and Germany go to the polls next year. Fancy Bear is phishing with Adobe and Microsoft zero-days. Investigation of the Tesco fraud continues. It looks as if the Bangladesh Bank might recover some of its losses in the SWIFT heist. There's an OPM-themed phishing campaign afoot. Server database issues point up the importance of digital hygiene. More Yahoo! troubles. Advice for the next US President. And Marines, happy birthday and semper fi.

Dave Bittner: [00:00:42:16] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professional and students. If you're a job seeker, you can create a profile, upload your resume and search and apply for thousands of jobs. And if you're a recruiter, it's great for you too. If you're looking to source information security professionals, you should contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more, visit, that's cyber s-e-c And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:38:21] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, November 10th, 2016. The US elections passed without apparent cyber perturbation from Russia or others. There's a general consensus that the Russian services have been pretty active in cyberspace around election times, with operations ranging from the relatively light-handed influence operations deployed against American targets through the near coup d'état reported in the Balkans. If you find yourself nostalgic for worrying about election hacks, no worries. France has elections coming up as done Germany, where Chancellor Merkel has just warned people to expect disruptive cyber campaigns during 2017 voting.

Dave Bittner: [00:02:19:11] Elections and the campaigns that precede them present a big attack surface. To communicate some sense of the sheer amount of online activity that swirls around the vote, we'd like to share some stats AT&T sent us. In just the election night parties the other day in Manhattan, the Democrats and Republicans consumed 1.3 terabytes of mobile data. And Hilary's beat the Donald's by nearly 300 gigabytes. AT&T helpfully quantified this in selfie units, a measurement standard we like a lot, and intend to start using along with hackerweight. Remember, one hackerweight equals 400 lbs.

Dave Bittner: [00:02:55:22] Hilary's bash used 2.3 million selfies. The Donald's accounted for just 1.5 million selfies. Make of this what you will, data scientists, we're just here to give you something for your analytics to chew on. We're pretty sure Fancy and Cozy Bear are gnawing away on this themselves.

Dave Bittner: [00:03:13:18] Whatever else the Russian services may be up to, Fancy Bear is busily scooping up gullible phish. Trend Micro warns that this threat actor is showing unusual activity mid-week, as it seeks to take advantage of the recently patched Microsoft zero-days before users can get around to applying the fixes. So as usual, the prudent course of action is to patch as soon as possible and until then to be on guard against the exploits being dangled as phish bait. It can be difficult to keep up with the names of the threat actors. We're partial to CrowdStrike's Fancy Bear because we're ursophiles and also because it's easy to remember. But you'll also hear people call Fancy, Pawn Storm, APT28, Sofacy and Strontium. Whatever the branding, it's the same fine GRU product. Accept no substitutes.

Dave Bittner: [00:04:01:14] Over in the UK, Tesco continues to mop up the fraud campaign that hit the bank's customers over the past week. No clear word yet on how the fraud was accomplished but speculation about an inside job continues.

Dave Bittner: [00:04:14:09] There's an apparent win in court for another bank that was the victim of a major heist. Officers from the Bangladesh Bank are in the Philippines, where courts have ruled that they can recover some of the millions lifted in the SWIFT transfer caper. They expect to be able to get some $15,000,000 back from the casino operator, to whom the funds were transferred in this complicated international scam.

Dave Bittner: [00:04:37:03] The OPM breach continues to be the gift that keeps on giving. OPM-themed and spoofed emails to US government workers and contractors are serving up Locky ransomware. Don't open suspicious attachments. OPM isn't actually sending documents saying something about your bank accounts.

Dave Bittner: [00:04:55:04] Late last week Legal Hackers reported finding shared server vulnerabilities in MySQL, MariaDB and Percona's Server and XtraDB Cluster. These popular database servers are used by Google, eBay, Cisco, Amazon, Netflix, Facebook and Twitter. We heard from Lastline's CEO, Bert Rankin, who thought this discovery was a timely reminder of the importance of paying attention to the basics. Next generation detection and state-of-the-art mitigation are all very well and good, and we mean that, they are very well and good. But as Rankin stressed to us, quote, "It's essential that organizations commit to the basics, including programmatic, regular patch program for servers, applications and other infrastructure in the data center. Vulnerabilities such as this bug are potential dangers only to those organizations that aren't on top of their database updates. But it's amazing how many aren't," end quote. So please be interested in the bugs you can swat. You can be sure Fancy Bear is.

Dave Bittner: [00:05:55:12] Chuck Ames is director of cyber security for the State of Maryland. We checked in with him to learn about the role the states play in cyber security and about an upcoming event he's moderating, sponsored by the Chesapeake Regional Tech Council, on insider threats and how the Federal Government expects the companies they do business with to protect themselves.

Chuck Ames: [00:06:13:01] Where the Federal Government seems paralyzed as far as getting out appropriate legislation to improve the electronic situation, the states seem pretty well poised to take matters into their own hands. And just one example of that is breach notification laws are well versed throughout the states. So the states have done a good job of, by and large, bringing that kind of law or compliance to the various states before the Federal Government.

Dave Bittner: [00:06:44:17] There's an event coming up, sponsored by the Chesapeake Regional Tech Council, that you want to promote, this is a cyber forum on insider threats. What can you tell us about the event?

Chuck Ames: [00:06:54:05] So meeting the insider threat is important to every community and I'm just going to give you a little bit of background here. If you are a CISO of a state, like I am, so if you're the Chief Information Security Officer of the state, as I look through the survey of myself and my peers, 47% of us say we are not ready to handle threats originating internally, 57% of us say we aren't able to handle threats originating externally. So there's a great deal of work to be done on the insider threat piece. The Federal Government in response to that said, businesses that support Federal work, they need to have an insider threat management program or a personnel management program that will help them identify folks that might be at risk, that are on their network, before they become an actual thief or an actual criminal of some other intent, or someone who works against the companies' interests.

Chuck Ames: [00:07:53:24] Now this mandate that's come down, it's a soft mandate, so it's a NIST regulation that comes down in an industrial control letter. But in the Federal procurement space companies, regardless of size, need to have that kind of personnel management system, where they normally don't have that.

Dave Bittner: [00:08:11:20] Who are they people you're targeting who should attend this event?

Chuck Ames: [00:08:14:24] I think the CEOs, CTOs in small to medium companies should pay attention to this industrial control letter. It's going to be a burden to them to develop the HR system themselves. Or they're going to have to react somehow and it will be advantageous for them to then join as a sub to a larger company. And that larger company would have the HR resources to handle a program like this. If they want business in the Federal Government, they need to do something and it's best to get in front of that and start figuring out how they're going to meet this requirement.

Dave Bittner: [00:08:52:14] That's Chuck Ames, Maryland's Director of Cyber Security. You can find out more about the insider threat event at the Chesapeake Regional Tech Council website in their events section.

Dave Bittner: [00:09:03:23] In industry news, Yahoo! makes a troubling admission to regulators and shareholders and to Verizon as well. Yahoo! has now discovered and disclosed that some of its personnel may have known as long ago as 2014, that foreign state sponsored hackers had compromised the companies networks. Yahoo! tells investors that its deal with Verizon may be in jeopardy.

Dave Bittner: [00:09:26:08] In happier industry news, security start-up, RiskIQ receives $30.5 million in a Series C funding round led by Georgian Partners.

Dave Bittner: [00:09:37:04] Different approaches to remedying shortage of cyber labor are being mooted around the world, from marketing the field to students as early as grade school, to educational initiatives including competitions and scholarships, to moving toward a gig economy in vulnerability testing and research. The EU's General Data Protection Regulation, GDPR, which goes into full effect in 2018, will require some 75,000 data protection officers and not just in the EU. The US will need about 9,000.

Dave Bittner: [00:10:07:15] We will leave it as an exercise for you techno-libertarians, and we know you're out there, to calculate what this might amount to as dead-weight, regulatory drag and we'll merely observe that the GDPR will place a further global squeeze on the already tight security labor market.

Dave Bittner: [00:10:25:03] There's no shortage of cyber policy advice, news and speculations swirling around President-elect Trump. You can follow the links to a great deal of this in today's CyberWire Daily News Briefing, but we'd like to share the advice Nuix, a global security intelligence company, is offering the next administration for its first hundred days. Nuix's, Chris Pogue and Keith Lowry, suggest four initiatives. First, work toward Federal data breach notification requirements. There are, Pogue observes, 47 distinct state-level breach disclosure notification laws. He thinks a Federal standard would go a long way toward simplifying the process for organizations that happen to be compromised.

Dave Bittner: [00:11:04:21] Next, take your own medicine. Pogue also thinks that the Feds, who face the same kinds of threats the country does at large, should rigorously test systems, address vulnerabilities and deploy security teams that train the way they'll fight.

Dave Bittner: [00:11:18:09] And, recognize that the threat's not only an external one. For his part, Lowry would like to see the next administration work up a thorough program of defense-in-depth that accounts for all potential bad actors, insiders, outsiders, and we'd add outsiders who've established themselves inside.

Dave Bittner: [00:11:36:11] And last, get experience at the top. The outgoing Administration's Cyber Security National Action Plan and appointment of the First Federal CISO were positive steps. But Lowry thinks they're not enough. He'd like to see the new Administration go even further, maybe even creating a cabinet position dedicated to all areas of cyber security.

Dave Bittner: [00:11:57:10] And finally, today is a birthday worth marking. Whose birthday, you might ask? Well, we'll tell you. On this day in 1775, the United States Marine Corps was formed in Tun Tavern, a Philadelphia watering hole. America's Corps of Marines has been ready to cross water uninvited ever since. We'll make one more historical observation. Major General Benedict Arnold, shortly after you were organized, called you the "refuse of every regiment." What did he know? Sometimes your best recommendation is the enemies you make. So semper fi, Marines, and thanks for you service.

Dave Bittner: [00:12:38:12] It's time to tell you about one of our sponsors, E8 Security. And let me ask you that question, do you fear the unknown? Lots of people do of course, yowies, things that go bump in the night, stuff like that. But we're not talking about those, no, we're talking about real threats. Unknown unknowns that are lurking in your network. The good people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to and download their free white paper, "Detect, Hunt, Respond." It describes a fresh approach to the old problem of recognizing and containing a threat no one has ever seen before. The known-unknowns, like ghouls or the headless horseman, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. and check out that free white paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:13:41:15] Joining me once again is Markus Rauschecker. He's the Cyber Security Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, welcome back. I saw a story here that the FCC has just passed some sweeping new rules to protect online privacy. Take us through what the FCC has done here.

Markus Rauschecker: [00:13:59:11] Yeah, this was a pretty big decision by the FCC. It does a lot to protect consumer privacy. I think we all know, or should know at this point, that whenever we're on-line, the websites that we visit or the Internet service providers that we're using, are collecting a lot of information about us, about how we're using the Internet and how we're browsing the websites, where we're located. So there's a lot of information being collected about us and companies are actually using this information to make a lot of money off of this information. They end up selling this kind of information to other companies and it's a, it's a pretty big business for, for these companies.

Dave Bittner: [00:14:36:11] And so what kind of restrictions has the FCC placed upon them?

Markus Rauschecker: [00:14:39:23] Internet companies are going to be required to get consumer consent before they start selling that kind of personal information about usage and, and online behavior. Basically the FCC's requiring those companies to get explicit approval from users on them being able to sell their information before they go ahead and do that. Before this ruling from the FCC, that was not the case, companies were able to sell information about their users whenever they wanted to. Now, with this new ruling from the FCC, consumers will be able to now explicitly authorize or not authorize the selling of their personal information according to this new FCC ruling.

Dave Bittner: [00:15:27:04] Now this was a three/two party line vote by the FCC's five commissioners. Is this a done deal or could there be legal challenges to it?

Markus Rauschecker: [00:15:35:15] Well, I think you'll see a lot of resistance to this ruling on the part of these big companies who have been selling information to make a lot of money. I think since it is such a big business and such a big revenue opportunity for large companies, they're going to be very opposed to it and they'll be looking for all kinds of ways to reverse this decision.

Dave Bittner: [00:15:55:06] Alright, we'll keep an eye on it. Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:16:00:21] And that's the CyberWire. Tomorrow is Veteran's Day and we'll be observing the solemnity by remembering veterans. Spare a thought for them all. We won't publish tomorrow but we'll be back as usual on Monday.

Dave Bittner: [00:16:12:11] For links to all of today's stories along with interviews, our glossary and more, visit The people who are interested in those stories tend to be the people who read or listen to the CyberWire. If you'd like to reach them, visit and find out how you can sponsor the new brief or podcast. And thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:16:33:18] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.