The CyberWire Daily Podcast 11.16.16
Ep 227 | 11.16.16

An insider threat deadline approaches. Lawful intercept tools from Italy. Carbanak moves to new targets. Security policy in Germany and the US. A guilty plea in the TalkTalk hack.

Transcript

Dave Bittner: [00:00:03:15] Lawful intercept tools are found prospecting Android. Synack calls shenanigans on Shazam, but maybe no harm, no foul. Insider threats and how to mitigate them. If you've got a facility clearance, you've got a deadline coming up. Arlington Capital merges three of its companies into a new cyber shop. Symantec is rumored to be sniffing at LifeLock. A teenager cops to the TalkTalk hack, and, if you're asking for a friend, the tally of accounts affected by the AdultFriendFinder breach hits 412,000,000.

Dave Bittner: [00:00:38:04] Time for a message from our sponsor, E8 Security. And I'm talking about putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off the malware on your system. Listening or running programs on a rare or never seen before open port is one of them. It's easy to say that but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs? If you had time to review your logs, and by the time the logs reached you, that news would be old. But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get the free White Paper at e8security.com/dhr and get started. That's e8security.com/dhr. E8 Security, your trusted partner. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:37:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 16th 2016.

Dave Bittner: [00:01:43:17] A new strain of lawful intercept spyware appears to be targeting Android devices. The manufacturer is not HackingTeam, however, as some had initially suspected. It's instead thought to be a different Italian company. But attribution remains both circumstantial, based on some apparently identifying names in the code, and preliminary.

Dave Bittner: [00:02:03:12] Synack points out that the Mac version of music-identifying tool Shazam keeps recording even when it's switched off. It just stops processing. Shazam says this is a benign behavior but that, out of sensitivity to user concerns, it will update its software in a few days.

Dave Bittner: [00:02:20:17] The Carbanak cyber gang, known for attacks on banks, has turned its attention to the hospitality sector. Trustwave has a rundown on the criminal campaign which still begins with social engineering. Carbanak, also known as Anunak, is thought to have skimmed around a billion dollars from banks, so the threat is not to be taken lightly.

Dave Bittner: [00:02:40:10] Social engineering notoriously is able to turn good people into insider threats. The insider threat phenomenon is getting a lot of attention this month, particularly in the United States, where a change to the National Industrial Security Program, NISPOM, mandates new measures companies must take to secure classified information. On May 18, 2016, the Department of Defense issued Change 2 to NISPOM, and this is significant because it requires contractors to implement an Insider Threat Program no later than November 30, 2016.

Dave Bittner: [00:03:13:07] We're of course just two weeks away from that deadline, and yesterday the Chesapeake Regional Technology Council convened a panel of experts on the insider threat at the Chesapeake Innovation Center in Odenton, Maryland, to give companies some perspective on what NISPOM Change 2 means to them.

Dave Bittner: [00:03:28:21] In outline the requirements seem simple enough to state, as Tanager's Mike Miller laid them out at the forum. First, establish an insider threat program. Second, designate an Insider Threat Senior Official, who must be an employee, a US citizen cleared in connection with and to the level of the facility clearance. Report insider threat information to the Cognizant Security Authority. Train relevant personnel. Provide pertinent records and implement protective measures.

Dave Bittner: [00:03:55:06] But as always the devil is in the details. Shawn Thompson, of the Insider Threat Management Group, pointed out that insider threat management has significant cultural implications for any business. Privacy, human resources policies, recruiting, and morale are all in play when you devise an insider threat mitigation program.

Dave Bittner: [00:04:14:11] And the process is complicated, in part because law and regulation are complicated, and often operate at cross or at least competing purposes. Keith Moulsdale, of Whiteford Taylor Preston, told us, quote, "Indeed, the laws are complex and daunting. If only the federal government would step in with an omnibus law and put us all out of our misery," end quote, which we think he meant in a good way, as in good nutrition and a roof over our heads, not euthanasia. Moulsdale went on to say, "In the meantime, the best advice for a small USA business is to keep in mind that written notice, coupled with express consent, can solve most, but not all, privacy-related risks arising from industry standard data security programs implemented in the workplace."

Dave Bittner: [00:04:57:08] We also checked in with Steven Grossman from Bay Dynamics for his take on NISPOM Change 2.

Steven Grossman: [00:05:04:01] The NISPOM 2 changes that are going into effect at the end of November are an important step in the right direction. What it does is it raises visibility and it highlights the importance of the insider threat. It's a great first step in that they are advising and implementing training and monitoring of contractors by their employers, that is the consultants or the other firms that are employing them. It's a great first step to be able to identify people that may be a potential insider threat. The important next step for them to take is to connect the dots between that behavior that that employee is doing on the-- for their employer, for the contractor with what they're doing on the fine side. That is when they are on the government's network and they're working on the government's platform and on site at the government's offices, that they be able to monitor the behavior there and connect the dots with what is going on back at their own employer so that you have a full profile of the person and you understand what is going on across the board.

Steven Grossman: [00:06:04:08] And what that does also is that enables you to distribute a load of monitoring and security incorporating your partners and your consultants who have a vested interest in making sure that they are doing the right thing for you as well.

Dave Bittner: [00:06:17:20] When, when people fall short, despite their best efforts, where are the areas where they usually have trouble?

Steven Grossman: [00:06:26:17] That's a great question. I mean, it's a difficult challenge in that, very often, people are not tripping alarms, they are not violating policies necessarily. They may just be doing things that are out of profile for themselves. And so what we've seen is very often it's left to the SOC, right, the operations center, to kind of figure it all out and the SOC is missing a very important piece of the puzzle and that is business context. And so, a SOC operator who is responding to a potential insider threat may see a tool like our own or others that are identifying unusual behavior. What they are often missing is the business context of whether that unusual behavior is really bad or whether that unusual behavior is really truly unusual and the only person that will provide that is the person who has the understanding and the knowledge of the application, that being the application security owner.

Steven Grossman: [00:07:20:18] The other, the other area that very often companies fall short is connecting the dots between that insider threat and their assets and their data, as well as the vulnerabilities on the system, to be able to really provide a complete view of risk. User activity in isolation is just user activity and user behavior analytics just adds more alerts to the pile if not put in the right context of business and vulnerabilities.

Dave Bittner: [00:07:47:17] That's Steven Grossman from Bay Dynamics.

Dave Bittner: [00:07:52:03] In industry news, Arlington Capital, advised by the Chertoff Group, assembles a new cyber security firm, Polaris Alpha, from EOIR, Intelligent Software Solutions and Proteus Technologies. The new company's headquarters will be divided between Fredericksburg, Virginia, and Colorado Springs.

Dave Bittner: [00:08:10:10] Elsewhere, CRN reports rumors that security company Symantec may be considering buying the identity-protection shop LifeLock for as much as $2 billion.

Dave Bittner: [00:08:21:14] In policy news, Germany's new cyber security strategy is attracting attention in Berlin and elsewhere. It appears to exhibit familiar tensions: calls for public-private partnership, but without clarity about how such might be realized, and a simultaneous commitment both to widely available strong encryption and to the ability of security and legal agencies to access communications in cases of need. How that latter circle might be squared remains to be seen.

Dave Bittner: [00:08:49:10] In the US, NSA Director Rogers reiterates his longstanding call for closer cooperation between the Intelligence Community and private industry. And as the transition team gets down to business, lobbyists are already approaching the incoming Administration to advocate strong encryption and limits on surveillance.

Dave Bittner: [00:09:07:18] A British teen has copped to the TalkTalk hack. The 17-year-old boy, whose identity is decently shielded by Her Majesty's law, will be sentenced next month. He apparently told a friend he was in big trouble on the day of the hack itself. Events have proved him, sadly, right.

Dave Bittner: [00:09:24:20] Finally, the tally from the AdultFriendFinder breach has been creeping up, reaching a reported 412,000,000, if you're keeping score at home. Spread the word among your 412,000,000 friends.

Dave Bittner: [00:09:41:03] Time to take a moment to tell you about our sponsor, AlienVault. Do you know that a typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack. So it's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for complete threat detection in one easy-to-use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Lab Security Research Team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit alienvault.com/cyberwire today to download your free 30-day trial of AlienVault Unified Security Management. That's alienvault.com/cyberwire. And we thank AlienVault for sponsoring our show.

Dave Bittner: [00:10:43:21] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and Director of the Maryland Cyber Security Center. Jonathan, an article came by, it was from Engineering and Technology Magazine and it was called Cryptography Could Get a Boost from Photonic Technology. It looks like some, some researchers were trying to do some cryptography making use of light. What do you make of this?

Jonathan Katz: [00:11:08:22] Well, I only took a look at the news article. I haven't looked at the research paper on which the article was based. But from the look of it, it sounded like what they were trying to do is to do cryptography in a continuous domain using light and using physical properties of light rather than what we typically do which is to think about cryptography in a digital domain where the ciphertext just consists of zeros and ones.

Dave Bittner: [00:11:29:11] In the continuous domain, does that mean there are more variables that you can use to get your randomness, if you will?

Jonathan Katz: [00:11:37:02] Yes. You can think about that. I mean, basically, the key that you-- that the two parties would share would now be chosen from a continuous set of probabil-- of possibilities which gives you more, more possibilities for that key thereby presumably making it a little bit more difficult for an attacker to attack. Other than that, however, it seemed to me, as far as what I can read in the news article, that they were essentially doing something very similar to the one-time pad which is a classical scheme that goes back to Shannon in the 1950s.

Dave Bittner: [00:12:07:11] So in the article here, it says that they, that they did attack this system. Did they have any success?

Jonathan Katz: [00:12:12:13] They did. I mean, what's interesting is apparently there has been some research going on in this area for a couple of years but it looked to me, again, like these attacks were very similar to known attacks on the one-time pad. They were basically allowing the researchers to learn the key after observing a couple of encryptions of known plaintext and also to learn the key after a couple of decryptions of known ciphertext, and these are all kind of standard attacks that have been applied in the digital domain to the one-time pad and it looks like now they are just applying it to the continuous domain as well.

Dave Bittner: [00:12:43:02] Let's dig in a little bit to that. Can you sort of describe to us what, what's the difference between the digital domain and the continuous domain?

Jonathan Katz: [00:12:49:16] Well, in the digital domain you have data just represented by a sequence of zeros and ones. So, you know, your message will be represented by a bunch of zeros and ones, your key would be a bunch of zeros and ones and then the ciphertext that you get from encrypting will also just be a sequence of zeros and ones. And this, of course, is how we think about things being stored on a computer and being transmitted over the Internet. But of course it's also possible to have things in the continuous domain, right, where basically something that you measure can take on, say, any value in a given range and not limited to a finite set of possibilities. So you think about, just as an example, measuring the wavelength of light. So the wavelength of light is not limited to some discrete set of possibilities. Instead, it can take, you know, any value in a very large range actually. And so you can imagine packing more information into that, into that light than we can do with digital information. But of course, this also means that you need physical mechanisms to store and transmit that information and you can't easily store it in a computer or transmit it on the computer networks we have today.

Dave Bittner: [00:13:51:04] So at some point, that information from the continuous domain, would it have to be converted to a digital domain?

Jonathan Katz: [00:13:57:02] Well, most likely, for practical scenarios it would have to be. I mean, in, in principle, right, you could just imagine having somebody look at it at the other end but that is not likely to be very useful. So, yeah, you're right, that ultimately you would probably have to start with it in a digital domain and then transfer it-- transform it to a continuous domain and then, at the other end, similarly you are going to receive something and then convert it back to the digital domain for further processing by a computer. So that's true, actually, that from that point of view everything ultimately nowadays is going to end up back in the digital domain.

Dave Bittner: [00:14:27:01] Alright. Interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:32:07] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible.

Dave Bittner: [00:14:42:10] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.