The CyberWire Daily Podcast 1.5.17
Ep 259 | 1.5.17

Indiscriminate IOCs erode confidence in attributions. Official leaks erode trust in information sharing. Exploit updates.


Dave Bittner: [00:00:03:18] Indiscriminate indicators of compromise spawn fake news about a Vermont grid hack. Meanwhile, the Mounties cautiously, tentatively, investigate some odd potential IOCs at an Ontario utility. A hacker claims he pwned the FBI, but it looks like a hoax. A quick rundown of exploits currently romping in the wild, many of them involve ransomware. And yes, your thumbprint will authenticate you to your phone even if you've dozed off.

Dave Bittner: [00:00:35:03] Time for a message from our sponsor Netsparker. When you want automated security you want it to be, well, automatic. Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. Take one example, with other scanners you have to configure URL rewrite rules to properly scan a website, not with Netsparker. They say it's the only scanner that can identify the setup and configure its own URL rewrite rules.

Dave Bittner: [00:01:01:05] Visit to see how Netsparker's no false positive scanner frees your security team to do what only humans can do. Don't just take their word for it. If you'd like a free trial go to for a 30 day fully functional version of Netsparker desktop. That's Scan your websites with no strings attached, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:35:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore with your CyberWire summary for Thursday, January 5th, 2017.

Dave Bittner: [00:01:46:04] There's no shortage of fraud and alarmism gurgling around in cyberspace this week, but fortunately there's also no shortage of cooler heads and skeptical eyes, either.

Dave Bittner: [00:01:55:18] Last weekend's view halloo over Fancy Bears prancing through northern Vermont's electrical grid has by now subsided into a never-mind, no game there after all. The story is instructive. Burlington Electric, which seems to have been acting soberly and responsibly throughout, had updated its scanners to look for indicators of compromise provided by the Department of Homeland Security in its alerts pertaining to Russian election influence operations. On Friday, one of the utility's employees checked email on, and the IP address, benign, according to Threatpost, popped up as an IOC.

Dave Bittner: [00:02:31:14] Utility general manager Neale Lunderville told Threatpost, "Based on that alert, we isolated the computer and reached out to the Feds to let them know what we saw." So far, so good, and, by the way, bravo Burlington Electric. "We sent the report to the Feds and their indication was that they would get back to us. We went home and the report broke, and it was wrong." Boy was it ever. Someone was talking to the Washington Post, and it wasn't Burlington Electric. The Post, of course, checked and corrected its story over the weekend, but not before Vermont's governor and Congressional delegation were in full cry, baying for GRU blood.

Dave Bittner: [00:03:08:03] We wondered if fear of Russian grid hacking would move north of the border, and it appears it has. Canadian authorities are investigating "a possible cyber threat" against Ontario's Hydro One electrical utility. There may be nothing more to it than there was to the Burlington Electric incident, but the Royal Canadian Mounted Police are on the case. The Canadian reaction is more cautious and measured than the past week saw from their neighbors to the south. And in any case the RCMP is on the case, and the Mounties always get their man, if there's a man (or woman) to get.

Dave Bittner: [00:03:41:20] Another claimed hack may be a hoax. The blackhat showboat hacker who goes by "CyberZeist" says he compromised a US FBI website and dumped the credentials he harvested on Pastebin. But the caper looks bogus. The Register reports that the security team at Plone, which produces the FBI's content management system, calls hogwash. The email addresses seem to be derived from old publicly available dumps, and the password hashes don't add up, either.

Dave Bittner: [00:04:10:04] Speaking of things that don't quite add up, we speak regularly of hacktivists here, people or groups who take up a cause online. But what about faketivists? We checked in with Marika Chauvin, senior threat intelligence researcher at ThreatConnect about their recent blog post Hacktivists vs Faketivists, Fancy Bears in Disguise.

Marika Chauvin: [00:04:30:22] This all kind of began with the DNC breach and its aftermath. A threat actor or persona known as Guccifer 2.0 kind of came out of the woodwork, right after CrowdStrike announced that it had attributed the attacks on the DNC to Fancy Bear and Cozy Bear. So, in the faketivist research that we've done at ThreatConnect, we've focused primarily on Fancy Bear because we have found overlaps in targeting focus and infrastructure used by Guccifer 2.0, DCLeaks and Fancy Bear.

Marika Chauvin: [00:05:06:16] So the day after the breach was publicized, Guccifer 2.0 emerged with a WordPress blog and then a couple of days later, a Twitter handle. Guccifer 2.0 claimed that that persona alone was responsible for the DNC hack and that they compromised the organization in the summer of 2015. Then what was likely an effort to add some legitimacy to the persona's claims, it then began posting documents that were stolen from the DNC on that blog.

Marika Chauvin: [00:05:38:02] Now interestingly enough, the more that Guccifer 2.0 talked, and the more that he claimed, the less sense he made. One claim that was particularly odd was that he compromised the DNC back in September 2015 using the bug that mistakenly gave Bernie Sanders' campaign unauthorized access to voter information. Now, that sounds plausible until you start looking into that bug and in our conversations with NGP VAN, we found that the specific bug that was referenced by Guccifer 2.0 didn't even exist in the code until December 2015.

Marika Chauvin: [00:06:20:19] So, I like to say that either this guy, gal, group, this faketivist either has a Tardis, or a souped up DeLorean because that's the only way he could have traveled forward in time and then back.

Dave Bittner: [00:06:36:10] Why a persona at all? Why not simply have WikiLeaks release the information or have it anonymously go to the press? Was there any sense of what the advantage is of putting some kind of a face behind this stuff?

Marika Chauvin: [00:06:52:00] I believe so. I mean, I can speculate as to what the people behind the persona were trying to do, but when it comes to something like WikiLeaks, they have no control over the timing of a publication, whereas if they create their own persona to share that information out, not only do they have the plausible deniability that they would have gotten with something like WikiLeaks, but they also have control over the message that's getting out there, and the timing of that information.

Dave Bittner: [00:07:25:12] That's Marika Chauvin from ThreatConnect.

Dave Bittner: [00:07:29:14] Several exploits in the wild draw security researchers' attention. We'll run through some of them quickly. Forcepoint reports the return of the MM Core backdoor spyware in two new variants, "BigBoss" and "SillyGoose." The GDI Foundation warns of a campaign actively targeting MongoDB. Fujitsu and its partners Forcepoint and Recorded Future are tracking the RIG exploit kit, which is now serving TrickBot and Madness/QuantLoader.

Dave Bittner: [00:07:57:09] And we note that ransomware does indeed seem to be holding its prominence in the threat landscape. It's increasingly seen equipped with DDoS and doxing functionality. Dunbar Security calls the latter "doxware". GoldenEye ransomware is appearing in campaigns targeting HR departments, especially vulnerable because the nature of their business tends to make them willing to open email attachments. There is some good news on this front. Emsisoft has a decryptor for version 3 of Globe ransomware, so again, bravo Emsisoft.

Dave Bittner: [00:08:31:04] And finally, we heard yesterday about the Teddy Bear and Billy Bass threats to mental well-being, if not to security. Today we hear about another toy-related issue. Parents, take heed. An Arkansas mother had secured her iPhone with a nice biometric feature, enrolling her fingerprint to control access. She dozed off, as moms will, in Arkansas and elsewhere, but when she awoke, presumably refreshed, she saw to her horror that she apparently had been hacked. The indicator of compromise was the purchase of some $250 worth of Pokemon-themed toys from Amazon.

Dave Bittner: [00:09:05:19] Before Mom could call ISAC-Momma to report the incident for investigation, her six-year-old daughter proudly told her, "Mommy, I was shopping!" The child had used sleeping Mom's thumb to unlock sleeping Mom's iPhone. We say, "Don’t feel bad, friend. A lot of us have been there."

Dave Bittner: [00:09:29:04] Time to take a moment to thank our sponsor Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence.

Dave Bittner: [00:09:46:09] Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection.

Dave Bittner: [00:10:05:09] Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:10:22:21] And I'm pleased to be joined once again by Rick Howard. He's the CSO at Palo Alto Networks. He also heads up Unit 42 which is their threat intel team. Rick, you had a recent blog post called The Next Board Problem: Automatic Enterprise Security Orchestration. This is a new term to me, describe what you're talking about when you're talking about security orchestration.

Rick Howard: [00:10:44:09] Yes, this is something that popped up in the last year or so. Lots of network defenders are struggling with this idea. It's this evolving evolution of how we manage our network defense. When I first started doing this in the '90s, all we had was defense in depth, and we would put random controls in our networks and hoped that the bad guy would be stopped.

Rick Howard: [00:11:09:05] Back in those days we all had three controls. We had a firewall, we had an anti-virus solution and we had an intrusion prevention system. When we only had three it was easy enough to manage, but defense in depth really hasn't worked that well and we've been struggling with it till about 2010 when Lockheed Martin and crew wrote a white paper describing the kill chain.

Rick Howard: [00:11:31:11] What they realized is that we needed to put prevention controls at every phase of the kill chain, and security vendors were only too happy to find really great products to put at each of those spots. What has happened is an explosion of security tools - we call them point products - that everybody has to manage. Typical organizations I run into are running 15 to 20 point products that just do security down the kill chain.

Rick Howard: [00:12:00:00] Other high end organizations with lots of resources, they're managing 80 point products. I talked to one financial a couple of weeks ago, he claimed to have 150, and how do you manage all of those things? The dirty secret in the security community is that we expect the customer to do that. It's my experience that you pay for a point product three times. You buy the box, you got to buy a person who can make the box go, maintain it, keep the blinky lights going. Then you got to buy a person who understands the data coming off the box.

Rick Howard: [00:12:32:17] You probably need a fourth person who can stitch them all together. If you have 15 point products, someone has to be able to paint a coherent picture. Well, most organizations cannot do that and it's expensive and time consuming and it just doesn't get done, and what many organizations do is just deploy those machines in the default configurations and hope that they do some good.

Rick Howard: [00:12:54:05] Two models have emerged to try to fill that need and one is the platform play, and all the firewall vendors have a platform play, where they put all those point products into a single platform for the purpose of stopping the bad guys down the kill chain. So that's one model.

Rick Howard: [00:13:12:01] The other model is third party vendors doing the orchestration for the customer, meaning they might be a cloud play and they might orchestrate 20 or 30 of the point products themselves, so you give them permission to do that for you. So those are the two competing models that are doing this orchestration bit.

Dave Bittner: [00:13:32:24] So, is the notion to take some of the complexity away from the organization, sort of I'll job that out to someone else?

Rick Howard: [00:13:39:13] Yes, because most organizations barely have enough to do their security operations center. They definitely don't have enough people to do intelligence and maintenance of all the gear that they have. So the question the customers are asking us is, why aren't the security vendors talking to each other, and getting this stuff done?

Rick Howard: [00:13:57:23] Or how big is the move closer to that goal of getting it all done without them having to do all of it? And so these are the models that are pushing forward.

Dave Bittner: [00:14:05:21] Alright, interesting stuff. Rick Howard, thanks for joining us.

Dave Bittner: [00:14:11:01] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors who make the CyberWire possible, and special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyberattacks at

Dave Bittner: [00:14:28:15] If you enjoy our show, and find it a valuable part of your day, we hope you'll leave us a review on iTunes. It's one of the best ways you can help us spread the word.

Dave Bittner: [00:14:36:23] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.