The CyberWire Daily Podcast 2.9.17
Ep 283 | 2.9.17

The Martin NSA-contractor case. Fileless malware hits banks worldwide. DDoS tools undergo refinement. Ransomware developments. Industry notes.


Dave Bittner: [00:00:03:14] We've got an update on the Martin NSA-contractor case. Fileless malware hits banks worldwide. It's been an active week for the cyber sector in mergers, acquisitions, and venture funding. There's a new industry consortium for IoT security and an autonomous vehicle consortium issues a manifesto for cooperation.

Dave Bittner: [00:00:28:03] Time to take a moment to tell you about our sponsor CyberSecJobs. If you're an information security professional seeking your next career or your first career, check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resumé and search and apply for thousands of jobs. And it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages, designed to meet your needs. Here's one of the current hot jobs. WakeMed is looking for an information systems security office to help safeguard sensitive information. You'll find this and other great opportunities at We thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:31:18] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 9th, 2017.

Dave Bittner: [00:01:41:00] A US Federal grand jury yesterday released its indictment of former NSA contractor Harold Martin. He faces 20 counts of stealing classified information - one count for each document named in the indictment - classified information he apparently hoarded at his home in Glen Burnie, Maryland, a Baltimore suburb not far from NSA headquarters at Fort Meade. Charged under the Espionage Act, but not charged with espionage, Martin is alleged to have had some 50 terabytes of information in his possession. That characterization might suggest that all the stealing was digital exfiltration, but he's also reported to have carried home large quantities of paper records, including handwritten notes, that were also highly classified.

Dave Bittner: [00:02:24:12] The agencies alleged to have been affected by his activities include the National Security Agency, US Cyber Command, the Department of Defense, the National Reconnaissance Office, and the Central Intelligence Agency. The material taken, insofar as prosecutors have characterized it, sounds like a magpie's collection of stuff that should never have left the confines of Fort Meade, including everything from NRO space launch information to the identities of covert operatives. With that said, the indictment doesn't claim that he transferred the information to any third parties, especially to any foreign intelligence agencies. This would seem to account for why, although he was indicted under the Espionage Act, Martin wasn't charged with espionage proper.

Dave Bittner: [00:03:07:06] Each of the counts of the indictment carries a potential sentence of 10 years, which is where the widely-reported 200 sentence comes from. Martin's attorneys haven't made new public comment since the indictment was opened, but after his arrest late last year they indicated that they intended to defend him as a well-intentioned, if misguided, packrat. 50 terabytes is a pretty big pack. Mr. Martin will appear before a Federal Magistrate judge here in Baltimore next Tuesday.

Dave Bittner: [00:03:35:16] A wave of fileless malware is reported to have infected more than 140 banks in 40 countries. A bank's security team noticed suspicious code inside a domain controller's physical memory, which aroused their suspicions, and sought help. Kaspersky researchers investigated and found PowerShell scripts within Windows registries. The attackers, apparently criminals, not state actors, extracted privileged credentials with the goal of compromising systems that control ATMs. Fileless attacks, which embed their code in legitimate tools already present in the victim's environment, are notably more difficult to detect than more traditional malware infestations. Such attacks have characterized other high-profile attacks, but have been beyond the reach of more ordinary criminals. The widespread fileless infestation banks are now coping with, may suggest that this particular criminal technique is on its way to commodification.

Dave Bittner: [00:04:29:21] Online privacy is an ongoing concern affecting consumers, businesses and the government. Travis Howe is Chief Information Security Officer with Conga. A company that provides a suite of applications that work with Salesforce. We checked in with him for his take on privacy.

Travis Howe: [00:04:45:11] We're just now at the bottom of a large curve as to what's ahead. I mean, we have the accumulation of, you know, from a citizen perspective, all the information that Google and the Yahoos collect and sell and resell and market. The public information on social media. IOT, obviously, is a huge component, but if you take all this data that we talk about, you can literally create a map of a person's life.

Dave Bittner: [00:05:14:14] For those of us who are in the cybersecurity business, what kind of responsibility do you think we have for taking a lead on this stuff - protecting people who maybe don't know to protect themselves?

Travis Howe: [00:05:26:22] Awareness. We're coming a time now where people are taking attention to it, but they don't really understand what it all means and what the ramification is. I think it's really about getting that message out there, so that they can understand what they're signing up for and what they're sharing.

Dave Bittner: [00:05:45:17] Do you think with the Trump administration coming in, is that a bit of an inflexion point when it comes to this sort of thing?

Travis Howe: [00:05:54:12] Yes, most definitely. I think that it's pretty clear that there's a desire to enhance the security of the country. What that means, in reflection, goes back to the encryption component for the most part and monitoring and everything that was a fallout of Snowden, and the challenge the government has moving forward post Snowden is something that's difficult to get back, and that's trust. I think it's going to be a significantly debated topic with the new administration. I hope we come up with a good solution that doesn't dictate lowering encryption standards or having back doors. The impact that that would have to business and privacy as a whole for everything that's not related to what they're looking for. So I think and hope that the new administration gets the right people in place to really understand what that bigger picture and longer term picture looks like, and not just specifically focus on the scapegoat of encryption.

Dave Bittner: [00:07:04:00] That's Travis Howe. He's the Chief Information Security Officer with Conga.

Dave Bittner: [00:07:09:22] There's more industry news this week. In a cloud security and data leakage prevention play, Forcepoint has acquired Imperva's Skyfence business. Accenture has moved further into the US Government cyber market with its acquisition of privately-held Endgame's Federal business. The Endgame unit, which "specializes in proactive cyber defense, hunt-as-a-service capabilities, red teaming, and cyber operations," will be folded into Accenture Federal Services.

Dave Bittner: [00:07:37:10] Shares of UK-based Sophos have surged following its announcement earlier this week that it would be acquiring Invincea. Investors seem to like the acquisition's promise of growth in the US government, health care, and financial sectors.

Dave Bittner: [00:07:51:03] Bug-bounty shop HackerOne has ridden its successful entry into US Department of Defense business to a $40 million Series C round. And Exabeam, specialists in security intelligence, has also attracted a large Series C round - $30 million - from investors led by Cisco Investments and Lightspeed Venture Partners. The investors see Exabeam as a Splunk challenger.

Dave Bittner: [00:08:15:10] Trident Venture Capital Cybersecurity, one of the largest VC firms in the space, announced yesterday that it had raised $300 million to invest in cyber start-ups. The amount is regarded by analysts as indicative of continuing private equity interest in the sector.

Dave Bittner: [00:08:31:12] Looking for a common theme in recent M&A and VC activity, LightReading thinks it sees one - machine learning. But the Internet-of-things isn't being neglected, either. AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic have formed the "IoT Cybersecurity Alliance," which is expected to work on end-to-end security for the IoT.

Dave Bittner: [00:08:55:07] Another consortium, "FASTR," for the "Future of Automotive Security Technology Research," has issued a "manifesto" intended to goad the industry into cooperation on autonomous vehicle safety systems. FASTR's members include Intel, Uber and IoT shop Aeris.

Dave Bittner: [00:09:13:14] And, to close out our discussion of the IoT, we return to the story we mentioned the other day, in which a teenager who goes by the nom-de-hack "Stackoverflowin" hacked, vigilante-style, insecure printers to scare their users straight. Motherboard has reached him. He's surprisingly forthcoming. His motivation? It was like this, he said, “It was just a night I was bored to be honest, doing random stuff.” We bowdlerize - instead of "stuff" he used a demotic coprology. But of course, we're a family show, here.

Dave Bittner: [00:09:45:01] If you're bored with random stuff, by the way, why not get interested in cybersecurity and space - and we mean cyberspace meets outer space - and check out Cosmic AES Signals and Space Monthly Cyber Security Briefing. You'll find it at Enjoy.

Dave Bittner: [00:10:08:16] Time for a message from our sponsor E8 Security. You know, to handle the unknown unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor, sometimes it's a well-intentioned person who's careless, compromised or just poorly-trained. Did you know you can learn user behavior and scorer a user's risk? E8 can show you how. Did you know, for example, that multiple Caballeros tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the white paper at and get started. Detect, hunt, respond. E8 Security. We thank E8 for sponsoring our show.

Dave Bittner: [00:11:00:05] I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we both have kids and when you have kids at home, part of what you have to do is look out for their security when it comes to cyber stuff and accidentally or on purpose or whatever, sometimes it's a good idea to kind of lock down what they can access on the computer. I'm thinking specifically of adult content.

Joe Carrigan: [00:11:28:02] Correct, yes.

Dave Bittner: [00:11:29:09] I don't know what you're doing? At our house, we found a really useful free service called Open DNS.

Joe Carrigan: [00:11:35:08] There's a number of services like this. What they do is they intercept what's called DNS, which is Dynamic Name System. For example, if you want to go to Google, before your web browser can actually request that page from Google, it needs to know the IP address that will be handling the request. So it has to go through a process called Domain Name Resolution and that's handled by DNS servers.

Dave Bittner: [00:12:06:20] That's normally handled by your provider, right?

Joe Carrigan: [00:12:09:24] Right. It's normally handled by your provider. There's also free and open DNS services out there - Google actually offers one.

Dave Bittner: [00:12:16:17] What I like about open DNS, which got bought by Cisco, is it's just kind of a set it and forget it sort of thing. It's preconfigured to block adult content. You just point your DNS server to them.

Joe Carrigan: [00:12:31:16] What they have is they have a blacklist of sites that generally people don't want their kids going to. So, now when I go into my web browser and I type in some site that kids shouldn't be going to, the very first thing that happens still is a domain name resolution process. But when my domain name server sees that I've requested a site that's on the blacklist, it goes, "no you can't go to that site." And that's the end of the transaction. The web browser can't now request the web page because it doesn't know the IP address of the server that holds the page.

Dave Bittner: [00:13:09:12] This is a good idea in general, I think, for small businesses or businesses in general and, of course, there are premium versions of it. But I will tell you that I found out the hard way once - sitting with a client, in an edit suite where I went to go to look up something on YouTube and I inadvertently left the Y out of the world YouTube, and as many of these sites do, they get the words where you mash them.

Joe Carrigan: [00:13:34:22] They get the common typos.

Dave Bittner: [00:13:36:11] They get the common typo and boy it was not YouTube! And there I was, sitting in front of a client and the things that came up on my computer screen were not flattering.

Joe Carrigan: [00:13:45:10] I had the exact same thing happen to me, with my boss standing right behind me. I was showing him this cool site I'd just found and I mistyped a U, where I should have hit an I, in a domain name and my monitor just exploded in porn. It was great. He understood that I mistyped it and he turned around and walked away. Fortunately, this was back in the days before monitoring. But I would have had to answer some questions now if I did that.

Dave Bittner: [00:14:10:14] Yes. It happens to the best of us. So, this sort of service is a way to kind of protect yourself from it maybe and make it less likely to happen.

Joe Carrigan: [00:14:19:04] Yes.

Dave Bittner: [00:14:19:04] Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:14:21:00] It's my pleasure, Dave.

Dave Bittner: [00:14:24:16] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To learn more about how Cylance helps stop cyberattacks, visit

Dave Bittner: [00:14:36:20] The CyberWire podcast is produced by Pratt Street media. Our editor is John Petrik, our social media editor is Jennifer Eiben, our technical editor is Chris Russell, our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.