The CyberWire Daily Podcast 5.1.17
Ep 339 | 5.1.17

NSA changes collection policy in a privacy-friendly direction. Latest Vault7 leaks look anodyne. Election influence concerns in Europe and the US. Blocking social media. DarkOverlord returns with extortion caper.


Dave Bittner: [00:00:02:07] NSA revises its interpretation of Section 702 collection, to the general approval of privacy advocates. WikiLeaks drops another alleged tool from Vault7. The UK and France are on alert for influence operations, and the US Congress takes testimony on such marketing-in-battledress. South and Southwest Asian governments move to block or censor social media. The DarkOverlord returns, extorting TV and movie content owners over stolen shows.

Dave Bittner: [00:00:35:17] Time to thank our sponsor, Palo Alto Networks. You can visit them at With the adoption of software as a service applications, data now lives beyond the traditional network parameter. What are you doing to keep your organization's data protected in this new environment? Palo Alto Networks integrated platform provides detailed software as a service visibility and granular control, data governance, automated risk remediation and malware prevention so organizations can achieve complete Cloud security, even in SaaS applications. Palo Alto Networks has the broadest, most comprehensive cyber security for all Cloud and software as a service environments. Because secure clouds are happy clouds. Find out how to secure yours at And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:38:05] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 1st, 2017.

Dave Bittner: [00:01:48:19] Late Friday the National Security Agency, NSA, announced changes in how it will henceforth collect information under Section 702 of the Foreign Intelligence Surveillance Act, the law commonly known as FISA. The law had hitherto been interpreted to authorize collection of information that mentioned a specific foreign intelligence target. As NSA described the change in its Friday announcement, "NSA will no longer collect certain Internet communications that merely mention a foreign intelligence target. This information is referred to in the Intelligence Community as 'about' communication in Section 702 'upstream' Internet surveillance. Instead, NSA will limit such collection to Internet communications that are sent directly to or from a foreign target."

Dave Bittner: [00:02:37:12] Instituted after an internal review of Section 702 collection that revealed lapses in compliance, the change is intended to, as NSA puts it, "reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target." Privacy advocates have generally welcomed the announcement. Among the groups commenting on the change are the Center for Democracy and Technology, the Electronic Frontier Foundation, the American Civil Liberties Union, and the Open Technology Institute. Most of them have gone on to say that this should make it easier for Congress to reform Section 702, which expires at the end of this year in a privacy-friendly direction, or, failing that, at least make it less likely that legislators will authorize increased surveillance authority.

Dave Bittner: [00:03:26:10] WikiLeaks on Friday released another tranche of its Vault7 leaks, these purporting to reveal a CIA document-tracking tool. The tool is called "Scribbles," and it appears to watermark documents in ways that would serve as a web beacon to determine whether a document had leaked, and if so, when it leaked and what users were involved. Scribbles is thought to be effective with Microsoft Office documents. The CIA of course refuses to comment on this, or any other Vault7 dump, but observers note that the technology Scribbles uses is neither surprising nor novel, but rather a standard tool in data loss prevention efforts.

Dave Bittner: [00:04:04:12] Concerns over influence operations continue to roil governments on both sides of the Atlantic. The Sunday Times revealed that GCHQ has gone on "high alert", that's a journalistic characterization, not necessarily an operational one, to prevent cyberattacks during the run-up to the UK's June 8th general election. France's presidential run-off is in its last week of campaigning as voters prepare to go to the polls on May 8th and 9th. The campaign of Emmanuel Macron has received the ministrations of Fancy Bear (Russia's GRU). And the US Congress received testimony about the information operations last week, the RAND Corporation has published its testimony in the form of an overview of the current state of the art. In sum, that state indicates that marketing in battledress now effectively targets group fears, desires, and insecurities, that barriers to entry have fallen deeply, and that Russia maintains a lead in this form of conflict.

Dave Bittner: [00:05:03:15] Facebook has noted that its platform is susceptible to use by information operators, "malicious actors" as they call them. Various political leaders, prominently in the UK, excoriate Facebook and other social media providers for "not doing enough to tackle hatred," although how they might do so without full-scale censorship remains unclear. Turkey's government, at least, has opted for full-scale censorship, blocking Wikipedia and censoring Twitter. And India's government is undertaking measures to ban social media in Kashmir, how successfully remains to be seen.

Dave Bittner: [00:05:40:06] Finally, the Verizon Data Breach Report highlighted the growth of ransomware, but it's worth remembering that there are other kinds of online extortion, too. An example of blackmail unrelated to ransomware emerged over the weekend. The DarkOverlord, an on line gang that's been responsible for similar shakedowns in the past, obtained copies of the show Orange is the New Black, and demanded that Netflix pay them an unspecified, but presumably large amount of blackmail. Failure to pay would be met with release of the stolen and as-yet un-aired episodes. Netflix did not pay and the DarkOverload followed through with its threat. Variety reports that content owners other than Netflix are affected. The DarkOverlord claims to also have episodes of “The Catch,” “Celebrity Apprentice", “NCIS Los Angeles,” “New Girl,” “Portlandia," “It’s Always Sunny in Philadelphia,” “Breakthrough” “The Arrangement,” “Bunk’d” and “Bill Nye Saves the World.”

Dave Bittner: [00:06:37:06] The incident appears to be another example of a third-party breach. The stolen episodes were apparently obtained by hacking a post-production company. We heard from security firm Prevalent's Jeff Hill, who pointed out that this is a good example of the "penetrate-once, compromise-many" attack we see so often in third-party risk. "Although cyber criminals have, lately, made this look easy, compromising a network without being detected takes time, patience, and expertise, not to mention a little luck. Being able to leverage a successful attack across multiple companies that the initial victim works for is exceptionally appealing to the bad guys. The military has a term for a similar effect: force multiplication. Hackers just call it their lucky day."

Dave Bittner: [00:07:23:12] The FBI is investigating, and the Bureau is said to have been closely questioning a person of interest in Texas. Good hunting, to the Feds.

Dave Bittner: [00:07:36:19] And now a moment to tell you about our sponsor Control Risks. Control Risks thinks like your adversaries and knows that they attack is a means to an end. Whether you're worried about malicious insiders stealing intellectual property, state supported foreign competitors targeting M&A data, or hacktivists looking to smear your reputation. One thing is clear. A standard technical approach to incident response is not enough to address the entirety of your problem and protect your business's future growth, profit and brand. Control Risks has conducted more than 5500 complex investigations in nearly 150 countries. Their 360 degree response framework pulls together their expertise in investigations, crisis management, network and host forensics, data analytics and legal compliance support. Effective response often requires more than standard incident response, and how you respond can mean the difference between an isolated incident and an enduring crisis.

Dave Bittner: [00:08:35:07] Let Control Risks navigate you through it. Find out more at That's And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:08:54:17] Joining me once again is Professor Awais Rashid. He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, welcome back. There are certain risks posed by having data in the Cloud, I want to talk about some of those risks today.

Professor Awais Rashid: [00:09:09:21] A lot of organizations and individuals are now using Cloud services for their day to day operations. And of course, in general, these services are highly secured and a lot of effort goes into securing these systems. Yet, we have to bear in mind that attackers also aim to exploit various architectural features of the Cloud to try and extract data from the Cloud. There has been work in the research community that has demonstrated that for example, malicious virtual machines can be placed or made co-resident on the physical machine and then attacks can be launched for example, against caches or the hypervisor itself, to try and extract data from potential victim machines. Or simply by, for example, looking at a side channel leakage in terms of the kind of resources that that particular virtual machine may be using to try and gain understanding on particular types of issues like, for example, processing times.

Professor Awais Rashid: [00:10:11:14] It's worth bearing in mind, that yes, you know, the Cloud is secure for a lot of purposes. Yet, attackers can use very sophisticated tactics to try and gain access, particularly if they have a particular target in mind.

Dave Bittner: [00:10:26:05] During the transition to the Cloud, you know, there was this whole notion that many people would say, "I like to have my server where I could see it, you know, I want to be able to--" I heard someone say, "I like to be able to reach out and hug my server to know where my data is." But what about the notion of being able to verify that when I say that I need this data deleted to know that in that remote location, it actually happened?

Professor Awais Rashid: [00:10:48:00] It's a very interesting question and I'm not sure that there is an easy way to provide that guarantee. The reason being that there are a lot of features of the Cloud that are designed to provide this ease of use in terms of storing your data and getting access to it from anywhere, anytime. But that for example in the first instance, requires replication of data. There are, of course, backup features available within the Cloud, automatic backup features and for a lot of different purposes, Cloud providers will for honest reasons, handle your data in a lot of different ways. So when you are trying to delete that data, ultimately, if you want what you would call "assured deletion" then you have to have some kind of a guarantee that all possible copies of the data have been destroyed. And it is very, very difficult to do because for example, if you delete your virtual machine from the Cloud, the space may not be reclaimed straight away, it will be reclaimed at a future allocation time.

Professor Awais Rashid: [00:11:50:07] In many cases there are delayed deletion requirements in place in a lot of terms and references. So for example, when you delete your data from the Cloud, it doesn't actually get deleted straight away, in a lot of the cases from services such a Dropbox because, if you've done it by mistake you can actually go back and recover it. So there are recovery periods and these kinds of features in place. So all these features mean that as users, unless we have a very clear picture of what happens with our data, we cannot be sure. But also, even if Cloud providers wish to provide those guarantees, it's really, really difficult given the very nature of the Cloud architecture to provide those guarantees.

Dave Bittner: [00:12:28:16] Alright, Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:12:33:13] And that's The CyberWire. For links to all of today's stories, interviews, our glossary, and more, visit Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. They're the company keeping your data safe with artificial intelligence. You can check them out at

Dave Bittner: [00:12:52:00] A quick reminder about the new podcast we're excited to be producing in partnership with our friends at Recorded Future. It's focused on threat intelligence. It comes out once a week and we hope you'll check it out and help spread the word. You can search on iTunes for Recorded Future, or visit Thanks for checking it out and we'd love to know what you think.

Dave Bittner: [00:13:11:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.