The CyberWire Daily Podcast 2.14.17
Ep 286 | 2.14.17

RSA Updates. Microsoft calls for Geneva Convention for cyber. Phishing.


Dave Bittner: [00:00:03:17] Researchers look into a wave of attacks on financial institutions. Microsoft calls for Geneva Convention for cyberspace. We take a look at phishing. And the RSA conference is underway. And we’ve got news from the innovation sandbox, and venture capitalists.

Dave Bittner: [00:00:24:04] Time for a message from one of our sponsors, E8 Security. Let me ask you a question. Do you fear the unknown? Lots of people do of course, Jason, Chucky, stuff like that but we're not talking about those. We're talking about real threats, unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to and download their white paper. Detect, hunt, respond. It describes a fresh approach to the old problem of recognizing and containing a threat no one has ever seen before. The known unknowns like pumpkin head with a hitcher, they are nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. and download that white paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:31:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, not in Baltimore as usual but in San Francisco, the city by the other bay with your CyberWire summary for Tuesday, February 14th, 2017.

Dave Bittner: [00:01:45:03] We're, of course, in California covering RSA 2017. We'll offer some observations from the conference a bit later but for now here's a quick review of the day's news.

Dave Bittner: [00:01:54:16] Researchers at Symantec and BAE have been looking into a wave of attacks on financial institutions. These attacks appear linked, they believe, to the Lazarus Group. The connection the researchers perceive is with the malware discovered in several of the watering hole attacks. The malware in question is "Ratankba" and it is thought to bear significant similarities to attack tools used against banks by the Lazarus Group, a criminal organization believed by many to be linked to North Korea and the hack Sony Pictures sustained in 2014. The wave of bank hacking came to light when Polish banks realized they were being compromised through a malware infection on Poland's financial sector regulatory body, the Polish Financial Supervision Authority. Its compromised website was serving as a watering hole.

Dave Bittner: [00:02:40:02] Polish media had initially suspected the campaign to originate with Russian security services; this is now being called into doubt. Attribution is notoriously difficult, the more so insofar as various intelligence and security services make use of criminal actors and even legitimate contractors to lend a degree of plausible deniability to their cyber offensive operations. Cybereason has been reporting their findings in this regard at RSA, noting an increased tendency of governments - Russia, the United States, and the United Arab Emirates are all mentioned - to use such third parties to install and manage cyber espionage tools. Russia's use of criminal gangs was particularly evident in the hacks of the Ukrainian power grid, But the lesson here is that the old staple of covert and clandestine tradecraft, plausible deniability, has reappeared in cyberspace. It's just in a new key.

Dave Bittner: [00:03:33:07] Along those lines, Microsoft has called for a "Geneva Convention" in cyberspace. Such an agreement would go beyond the protection of noncombatants the original Geneva Conventions sought to ensure, and would extend to the full range of issues at they might be negotiated for cyber conflict. Microsoft is interested in promoting general international norms of cyber conflict that would have a significant analogy to the international norms that currently govern armed conflict.

Dave Bittner: [00:04:01:09] Trevor Hawthorn is CTO at Wombat Security Technologies and they recently released their 2017 state of the phish report. We checked in with him for some highlights.

Trevor Hawthorn: [00:04:11:19] There were some trends that continued on that we've seen the last several years, there's also some goods news. So we are actually starting to see some improvements when it comes to phishing and so, you know, while it's still an ongoing threat just like a lot of things, just because you may tamp down one particular attack factor, doesn't mean that you can completely take the pressure off and shift onto something else. It now is something that you have to kind of maintain. If you've reviewed the report, we send a lot of phishing emails and so we have a pretty good idea of what makes people tick. Are people clicking more? Are they clicking less? And one of the trends that the report shows is we saw a 64% increase in organizations measuring end user risk from 2015 to 2016.

Trevor Hawthorn: [00:05:02:01] And so what that basically says to us is that organizations are starting to actually do something. We're also starting to see more anecdotal evidence. If you go on to Twitter and you just search for the words "phishing training" you're starting to see just a lot more chatter about people talking about their organizations, conducting simulated phish. And this could be from the administrators running programs, all the way to end users saying, "Oh, I got caught." And they talk about the training. I've even seen a couple of my favorite parity accounts talk about phishing training, so we kind of feel like okay, you know, I think we're starting to hit the sort of critical mass here.

Dave Bittner: [00:05:41:18] What about technology versus training? How are we doing in terms of these phishing emails never actually getting to the users?

Trevor Hawthorn: [00:05:52:21] I've been doing information security primarily on the technical side of the house for a little bit over 20 years now. And every single year that I've gone out to every conference and every talk that I've ever seen, there's always really cool technology. There's a lot of really cool things happening and end point production now. At the end of the day, if email filtering and spam filtering and that type of thing was an effective control here, we wouldn't be in business and there wouldn't be this now fairly large industry. There wouldn't be a magic quadrant for user awareness if technology was 100% of the problem, which isn't to say that technology is useless, obviously I'm a technologist, I think everybody should have the most advanced email filtering that their budgets will allow. But at the end of the day, the bad guys know that and they know how to get around it and if I send a properly formatted non-spammy email that uses either malware that's never been seen before, or novel attack. Or if I use an attack that doesn't involve any malware, you know, there's nothing to sandbox, there's no URL, it could be more of a confidence style attack. You have to rely on the end user to kind of close the gap between technology and where things fail.

Dave Bittner: [00:07:10:03] That's Trevor Hawthorn from Wombat. Their state of phish report can be found on their website.

Dave Bittner: [00:07:16:14] In industry news, we're hearing that Microsoft has delayed issuing the patches expected for today. They should be out soon but just not quite yet. Adobe has patched thirteen Flash vulnerabilities. There's also some M&A activity: Convergence Technology has acquired Deep Run. WiseKey has agreed to buy Quo Vadis and HALOCK will acquire Eclipsecurity. In the start-up world, InSights has secured a $13 million Series B funding round.

Dave Bittner: [00:07:44:22] RSA 2017 opened with its annual hunt for the most innovative startups in the sector. A talented field yielded some creative solutions to vexing security challenges. RSA's 2017 Innovation Sandbox held its competition and selected a winner yesterday afternoon: UnifyID. The ten finalists all offered interesting and compelling presentations (especially the runner-up, EN|VEIL), but UnifyID bore the prize away.

Dave Bittner: [00:08:14:08] A panel of venture capitalists offered a state-of-the-security sector report. They think that, while investors have become more selective, particularly in later stages of funding, the cyber sector remains attractive and there are many deals to be made.

Dave Bittner: [00:08:28:15] One of the VCs, Bob Ackerman from Allegis Capital, characterized the state of the sector like this: "Markets initially run on hype, and then move to a cycle in which they digest information." He sees the cyber sector as being currently on the cusp of that shift. If you're an entrepreneur pitching investors, here are some pieces of advice: avoid buzzwords; Know what differentiates you. And bring people who've been at the cutting edge of either the security industry or the intelligence community.

Dave Bittner: [00:09:02:04] Time for a message from our sustaining sponsor Cylance. Are you looking for something beyond legacy security approaches? If you are and really who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solutions scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:10:01:09] And I'm pleased to be joined, once again, by Emily Wilson. She's the Director of Analysis at Terbium Labs. You know Emily, as we've spoken about it before, you and I, the dark web kind of mirrors the real world in many ways and there's a lot of expressions of nationalism on line.

Emily Wilson: [00:10:18:20] It's true, we've talked before about the different communities, you have your fraud community, you have your drug community or what have you. But we also see kind of these lines being drawn, these national lines and this manifests in a few different ways. Whether it's a Russian speaking forum or a Japanese drug site, but one of the most interesting ways is when you see, you know, clearly expressed dos and donts that are set up to prevent certain people from being targeted.

Emily Wilson: [00:10:46:13] So, there's a Russian carting site I'm thinking of in particular where you go to sign up or you go to log in and it says, "Don't buy from Russians, don't sell to Russians, don't card Russians, everyone else is fair game." And this isn't just Russia, it's Israel too, is another example. But there are these lines where again it's honor amongst thieves. We have a code, we don't attack our own people, everyone else have fun but we don't attack our own people.

Dave Bittner: [00:11:14:19] And what happens if someone violates those rules? Do they just get booted out? It's like any social norm situation I guess?

Emily Wilson: [00:11:22:16] I think that's exactly it and I think for these communities are self-reinforcing. I think that if you are the kind of person who wants to be able to card everyone including your own countrymen, you're probably not going to associate yourself with that group. But we see are these group manifestos, kind of being built where you're building your own subset of a subset of an online community.

Dave Bittner: [00:11:50:16] Is it an amplification of the kinds of things you see in the real world is it a distillation of the kinds of things you see in the real world? Or does it pretty much parallel the way we all think about our nations and our groups and our groups of friends, our cities, our neighborhoods, our high schools?

Emily Wilson: [00:12:09:05] I think that in the same way that we see in the real world different manifestations of patriotism and when that crosses internationalism, I think that you see that. On one end you have someone who doesn't identify themselves in any particular way on line and then maybe you have your country's flag as your profile picture. Or maybe you have a username that's in a different language or has some patriotic undertones. And I think that's the spectrum, then you move over to someone who's going to say I'm not going to card my own people or I'm not going to buy and sell to them. And then I think you have maybe on the furthest end of the spectrum people who want to actively work to advance the goals of their country and want to work in that space.

Emily Wilson: [00:12:54:21] And so I think these are the same behaviors that we see off line, it's just that they're manifesting themselves, the same spectrum is manifesting itself in the online community as well.

Dave Bittner: [00:13:05:22] Emily Wilson, thanks for joining us.

Dave Bittner: [00:13:10:01] And that's the CyberWire. As we mentioned, we're at the RSA Conference in San Francisco so our publishing schedule will likely be a bit off kilter this week. We appreciate your patience and we'll have some special reports from the show in the coming days.

Dave Bittner: [00:13:22:20] For links to all of today's stories, interviews, our glossary and more, visit Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how they can help protect you from cyber attacks visit

Dave Bittner: [00:13:38:19] The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, and our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.