The CyberWire Daily Podcast 4.3.17
Ep 319 | 4.3.17

WikiLeaks dumps alleged CIA obfuscation code. Attribution skeptics speculate about Russian ops (or the lack thereof). ISIS information operations manual revealed. RATs in the wild.


Dave Bittner: [00:00:03:11] WikiLeaks dumps what it claims are CIA source code files. The International Association of Athletics Federations says it was hacked by Fancy Bear. Two new RATs are discovered in the wild. ISIS takes some cyber hits, and an investigator outlines the group's information operations manual.

Dave Bittner: [00:00:26:21] Time to thank our sponsor, Palo Alto Networks. You can visit them at With the adoption of software as a service applications, data now lives beyond the traditional network perimeter, what are you doing to keep your organization’s data protected in this new environment? Palo Alto Network's integrated platform provides detailed software as a service visibility and granular control, date governance, automated risk remediation and malware prevention so organizations can achieve complete cloud security even in SaaS applications. Palo Alto Networks has the broadest, most comprehensive cyber security for all cloud and software as a service environments because secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:29:24] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, April 3rd, 2017.

Dave Bittner: [00:01:39:20] WikiLeaks' latest dump of purported CIA cyber-operations documents is said to reveal Langley's obfuscation techniques (which some read as a false-flag capability). On Friday, the group released 676 source code files for the Marble Framework, which is said to be a collection of tools the CIA used to make its hacking effectively untraceable and unattributable. Among the files are some suggested ways of including non-American-English linguistic clues in attack cod, Russian, Chinese, Korean, Arabic, and Farsi are specifically called out. This is perceived as particularly damaging, because it arouses suspicion that much of what the US Intelligence Community attributed to foreign nation-states in fact could have emerged from Langley. There's no positive evidence of CIA false-flag operations, but the leak certainly benefits Russia above all other foreign cyber operators.

Dave Bittner: [00:02:35:07] It also will fuel attribution skepticism, which over the weekend induced some observers to call official US conclusions that the Russians in the form of Cozy Bear and Fancy Bear were responsible for, among other things, the damaging email compromise the Democratic National Committee sustained during the last US elections. That skepticism has been fueled by security firm CrowdStrike's partial retraction of some results it released concerning Russian cyber operations, mostly directed against Ukraine.

Dave Bittner: [00:03:04:20] In this case, the recent skepticism is coming more from the political left, than the political right, with at least one observer calling the DNC email compromise an inside leak, with attribution to the Russian intelligence services a "cyber Tonkin Gulf" incident. We don't know about that. There is a great deal of evidence that Russian services has been actively involved in influence operations against US and other Western targets for some time, so this doesn't look like a case of seeing radar ghosts and dolphin wakes during the dog watches, but we do agree that hasty and mistaken attribution is problematic, especially when governments consider kinetic retaliation for cyber attacks. (And the CyberWire has been warning about the possibility of a cyber Tonkin Gulf incident since October 2013.) FBI investigations continue, as do those in both houses of Congress. The Senate's hearings are concentrating on Russian disinformation operations, now thought to have extended to several Republican targets as well.

Dave Bittner: [00:04:04:24] Speaking of Russia, the International Association of Athletics Federations, (IAAF) reports being compromised by Fancy Bear, the latest in a series of athletic association hacks since a number of Russian Olympians were booted from Rio last year on doping beefs. There's no hesitation or ambiguity at all in the IAAF's attribution.

Dave Bittner: [00:04:27:06] The CyberWire spent this past weekend at the Annual Women in Cyber Security event in Tucson, Arizona, where over 800 women and a handful of men enjoyed inspiration keynotes, technical breakout session, a post session, a job fair and much more. I caught up with some speakers and attendees and we'll be featuring their stories throughout the week. Svetla Walsh and Deja Baker are midshipmen at the United States Naval Academy in Annapolis, Maryland, in addition to their rigorous coursework at the Academy, they're volunteering their time to put together a program at a local library for fourth and fifth graders called "Hello Computer Science." We hear from Svetla Walsh first, followed by Deja Baker.

Svetla Walsh: [00:05:07:11] This event kind of came together when the library reached out to the Naval Academy and said, "Hey, we would like to run a coding event, we know you guys have some really smart midshipmen, could you guys get some together and bring them over here?"

Deja Baker: [00:05:17:23] And Walsh approached me and one other midshipmen. 'Cause I'm a computer science major, she's an IT major, so we're gonna work together with the high school student and let them have ownership there. They created their own modules to work with the kids to teach them concepts about computer science.

Dave Bittner: [00:05:31:08] As midshipmen, you have a busy schedule, why is it important for you to take time to do something like this?

Deja Baker: [00:05:37:01] I think, just what matched me just giving back, and the teachers in my life have given me a chance and said you know, we wanna help you and I just wanna do the same. We work a lot with underrepresented minorities, people that don't get a chance to be exposed to this environment and I think it's not fair and I wanna do my part.

Deja Baker: [00:05:54:07] Yeah, I think it's important to teach kids while they're younger, about basic computer concepts so they can learn more later and know, "I know something about that, I can actually do these things." I think a lot of people look at our majors and they're like, "Wow, computer science, that's super hard." Well, listen, it's not really. You know, it's a harder major I think, it's challenging but I'm learning a lot so I think the kids will, if they absorb the knowledge, maybe they think, "We can do this too, just like you guys."

Dave Bittner: [00:06:16:09] Tell me, what is the path that brought you here to studying computer science and technical fields at the Academy?

Deja Baker: [00:06:22:18] Well, actually I'm a part enlisted cryptological technician. So I have a computer background in that sense. And I knew I wanted to go to college, so I applied as an enlisted person to go to Navy Academy, so my path's a little different than, I guess a high school student that went directly in, so.

Svetla Walsh: [00:06:38:05] I'm from a small town, I'm one of eight. I enlisted knowing that I wanted to go to college, I couldn't afford it. But I was, you know, book smart, but I was like, you know, I can't afford college, my family can't pay for me to go. So being enlisted gave me an opportunity to serve my country and as well learn some skills. Coming to the Academy, I got an opportunity to learn about all these different majors and I always liked technology, but I didn't understand it, so it was like that curiosity of like, you know, I really like technology, but I don't understand it and I want to actually understand it, so IT sounded like the best route to go.

Dave Bittner: [00:07:10:00] For that young woman who maybe considering a career in tech, but isn't sure, maybe considering a military career, what advice do you all have with the experiences that you've had so far?

Deja Baker: [00:07:20:17] I think, I would tell that person to actually-- that they can do it, that to no sell themselves short. I think as a female in general, we're told things growing up that maybe you should look more to the humanities, you shouldn't focus on STEM and that's not true. We're just as smart as everyone else. We just need the opportunity to do that, or we need to believe in ourselves, so I think that's the biggest thing.

Svetla Walsh: [00:07:39:12] I would say just role models, as a black woman, it's like, my role models growing up were kind of more in like the entertainment industry and just like, what's on TV and what society perpetuates to me is, you can do whatever you wanna do and don't think you have to do one route, because it's all you see. Like, I'm hoping that I am at least doing my part as being a role model and saying, you know what? I love fashion, I love tech and if you wanna do the military, that's awesome. And then if you had another idea, like maybe going into fashion or tech, then go, pursue it as well. Don't think, like, that you're locked on a certain path.

Deja Baker: [00:08:09:00] Yeah, actually that's important, like, we're not just females, we're multi-faceted. We have different, you know, different things going on.

Dave Bittner: [00:08:15:04] Svetla Walsh and Deja Baker are midshipmen from the United States Naval Academy. You’ll be able to hear more from them and some of the other women at the Women in Cybersecurity Conference on an upcoming special edition of The CyberWire.

Dave Bittner: [00:08:29:13] The two major competing Jihadist brands pursue somewhat different lines of attack. ISIS concentrates on information operations, but it's currently going through a rough patch with countermessaging, counterhacking, and arrests making inroads against the Caliphate. Amaq, regarded as the terrorist group's official news agency, has warned its users not to download a malicious app that impersonates a Flash Player. A number of visitors to the site have already been infected; it's apparently a watering hole attack disseminating spyware. Anonymous claims it's responsible for the hack.

Dave Bittner: [00:09:02:13] The anti-ISIS messaging that accompanies counterattacks like those Amaq recently sustained have a consistent, symmetrical message: ISIS is weak. Indeed, inducing perception of weakness is perhaps the most profitable line the Caliphate's opponents have followed.

Dave Bittner: [00:09:18:19] ISIS has so far had little success in direct cyberattacks on targets in the Dar al-Harb, that is, the world outside the Caliphate, but British authorities are taking seriously signs and chatter that an attempt on infrastructure controls in the UK may be in the works

Dave Bittner: [00:09:33:21] ISIS's competitor, al Qaeda, appears to be at the root of recent restrictions on carrying laptops and similar devices onto airliners. The group has apparently been studying airport security systems with a view to slipping bombs concealed in electronic devices aboard aircraft. Their activity is being tracked online, and remains under investigation.

Dave Bittner: [00:09:55:15] Finally, we'd be remiss if we let you think that ordinary criminals were idle. Two new RATs (remote access Trojans) have been observed in the wild, Felismus by Forcepoint and RedLeaves by Japan CERT. Felismus exhibits a fairly sophisticated modularity, and RedLeaves is successfully being spread by, what else, email. So get out there and set your RAT traps accordingly.

Dave Bittner: [00:10:24:11] Time to take a moment to tell you about our sponsor Control Risks. If you own cyber security in your organization, let's be honest, you might not sleep easily. If you lie awake thinking about new threats over the horizon or how to allocate your limited resources, Control Risks can help. It's often impossible to separate threats to your data from geo-political swings, local regulatory shifts and competitors maneuvering. Without a risk-led approach, how can you be sure all your shiny tools are working? Talk to Control Risks. They treat information security as a business risk, not just a technical problem. For over 40 years they've helped clients proactively identify and mitigate risk. Respond to and recover from destruction and capitalize on opportunities. In short, they bring order to chaos and reassurance to anxiety. Let Control Risk help you spend money where it really counts, protecting what really matters. Find out more at That's And we think Control Risks for sponsoring our show.

Dave Bittner: [00:11:37:13] And I'm pleased to be joined once again by David Dufour. He's the Senior Director of Cybersecurity & Engineering, Webroot. David, welcome back. I know you all there at Webroot recently published your annual threat report and you wanted to share some of the findings from that report with us.

David Dufour: [00:11:51:22] So, let’s start with polymorphic malware. I think we all are probably familiar with that, but just in case some of your listeners might not be. That's when a piece of malware is existing in the wild and it changes from every computer that it lands on. So it's never the same file. It might do the same type of attack, but it never looks the same on any machine that it lands on. And last year we saw 94 percent of all malware we saw at Webroot was polymorphic. And that means it only landed on a single machine. We again know that lists and older ways of doing analysis on threats that are attacking computers, they really have broken down at this point and you do have to use a lot of newer technologies around machine modeling and watching the behaviors of these files, rather than trying to identify the structure of the file.

Dave Bittner: [00:12:44:14] So let's talk some about phishing.

David Dufour: [00:12:46:07] So phishing is my favorite topic, well that and ransomware, they're kind of tied. I mentioned before, David, that I was in the Air Force back in the 80s and when I was in the Air Force, the very first training I had, once I was out of basic at my security in the computer work we were doing, was that the number one way that people actually hacked into computer system was social engineering your username and password. It was nothing fancy. It was that basic and this, you know, just social engineering. And this is the 80s. And here we are almost 30 years later and phishing is still the number one way of getting into computer system and it, it is literally another form of social engineering someone's username and password.

Dave Bittner: [00:13:33:14] Yeah, there were some pretty sobering statistics in the report.

David Dufour: [00:13:36:10] Yes. So we see 84% of these phishing websites that kind of grab this information are gone, they're out of existence in less than 24 hours. And what that means is you have to find active ways to protect yourself against phishing sites, one of which being through simple education. Trying to, you know, learning about how phishing works and I know your maybe average listener's not gonna spend time reading about phishing, but they really do need to know what they're clicking on and why. And then also they need to-- you have tools that will actively block against phishing websites, allowing them to go there. And it needs to be dynamic, not just list based, because these sites disappear so quickly.

Dave Bittner: [00:14:21:18] All right, interesting stuff. David Dufour. As always, thanks for joining us.

Dave Bittner: [00:14:28:01] And that's The CyberWire. Thanks to all of our sponsors who make The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you from cyberattacks, head on over to

Dave Bittner: [00:14:39:19] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.