The CyberWire Daily Podcast 5.26.17
Ep 358 | 5.26.17

WannaCry aftershocks. Influence ops and data corruption. Samba patched. Biometrics and impersonation. GDPR approaches. US legislation update.


Dave Bittner: [00:00:00:20] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:16] Bogus WannaCry remediation apps are hitting the Play Store. More on the complexities of WannaCry attribution, and EternalRocks worm may have been withdrawn by its authors. Citizen Lab finds evidence that influence operations against targets in almost 40 countries are now corrupting data. Samba gets a patch as observers fear emergence of a worm. Biometrics and impersonation - experts advise complexity. GDPR is just one year away, but preparation still lags. We hear from the founder of Code Like a Girl, and two noteworthy pieces of legislation are introduced into the US House and Senate.

Dave Bittner: [00:00:52:14] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future. They're the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insights into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:56:13] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, May 26th, 2017.

Dave Bittner: [00:02:06:18] Observers have come to regard WannaCry as the campaign that brought ransomware to the attention of ordinary, individual users as opposed to the enterprises that have suffered ransomware infestations in the past. One sign of this common touch are the bogus WannaCry remedies currently gurgling around Google's Android Play Store. Don't bite, they won't help you, and they're at best going to wind up as unwanted software; at worst they're quite malicious.

Dave Bittner: [00:02:33:08] Symantec as stuck with its attribution of WannaCry to the Lazarus Group, and the Lazarus Group to North Korea. Critics have emphasized the circumstantial character of the attribution and point to other bits of evidence that suggest other explanations.

Dave Bittner: [00:02:47:13] Flashpoint linguists think the authors of WannaCry spoke Chinese and English. They point out that this doesn't constitute attribution, and isn't inconsistent with Symantec's linkage of the ransomware campaign to North Korea. It's additional circumstantial evidence that eventually may contribute to an understanding of WannaCry's origins.

Dave Bittner: [00:03:06:18] It's also worth noting, as Flashpoint itself emphasizes, that there's a large Chinese diaspora, and an awful lot of people in many places who are fluent in English. A point they do make is that it seems the authors of the ransomware pass its natural messages through Google translate a few times. Whether that's designed to clarify or obfuscate is unclear, it could go either way.

Dave Bittner: [00:03:31:14] A worm that exploited EternalRocks vulnerabilities, and that seemed to be quietly staging future attacks, may have been pulled by its creators, according to researchers at Croatia's CERT. Good news, maybe, but crying victory would be premature.

Dave Bittner: [00:03:47:14] Influence operations targeting the elections of France and the US centered on leaked emails. Some are reckoned to have been damaging, like those affecting the US Democratic National Committee, while others are thought to have had a negligible effect, like the emails taken from French President Emmanuel Macron's En Marche. But, in those cases, there were few suggestions, even from the victims, that the stolen emails had been faked or tampered with to make the targets of the influence operations look worse than they otherwise would.

Dave Bittner: [00:04:16:10] That may no longer be holding true. A study by the University of Toronto's Citizen Lab finds leaked emails belonging to a Russian journalist and critic of the government were doctored to discredit the opposition. Their investigation also led them to a large phishing campaign against more than 200 high profile targets in 39 countries. Citizen Lab is reticent about attribution, but says there's "clear overlap" between what they're seeing and evidence others have presented concerning "Russian-affiliated threat actors." So, while Mr. Podesta may have said all the stuff in those emails, in the future caveat lector: data corruption may become as much a part of the information operations playbook as data theft currently does.

Dave Bittner: [00:05:01:17] Reuters reports that hackers acting apparently on behalf of the government of Vietnam are attacking Philippine targets. The larger issue is the dispute over sovereign rights in the South China Sea.

Dave Bittner: [00:05:14:05] This week, Samba, the popular Linux file-sharing system, was found to have a bug that's apparently endured for some seven years. The Samba team patched it Wednesday, and users are urged to apply the patch. Samba is also a significant component in a number of network-attached storage servers. The vulnerability has drawn inevitable comparisons to WannaCry.

Dave Bittner: [00:05:35:12] We heard from security firm Cyphort's Nick Bilogorskiy. He said, "Think of it as EternalBlue for Linux, affecting all versions of Samba for the past seven years, since 2010." While there were few signs of exploitation in the wild, Samba has come under attack in the recent past, and Bilogorskiy thinks there's some risk of a new worm appearing. A proof-of-concept is already on Metasploit. "I think at this point, attackers are already developing ways to weaponize ransomware or other malware with this."

Dave Bittner: [00:05:38:12] You may have seen reports that a proof-of-concept unlocking of Samsung Galaxy S8's biometrics has been achieved with a camera, a contact lens and a printer. The demo comes courtesy of Germany's Chaos Computer Club. It's like a sophisticated version of the old Gummi-bear fingerprint hack, but it points out that simple biometrics aren't necessarily the panacea we might hope for in authentication and identity management.

Dave Bittner: [00:06:31:20] The countdown to GDPR this week entered its final year: the new European Union privacy rules take effect in mid-spring 2018. They'll affect enterprises worldwide. Studies continue to suggest that few are prepared, and time is running out.

Dave Bittner: [00:06:48:00] There are two new proposed bills introduced in the US Congress that bear watching. A revised draft of the Active Cyber Defense Certainty Act, what people are calling the "hack back law", is out. This one includes both mandatory notification and permission for victims to recover or destroy stolen data on the attackers' systems. It seems likely that the bill will undergo further revision before it leaves the House, but US Representatives are clearly in a mood to consider a return to marque and reprisal.

Dave Bittner: [00:07:17:12] And, in the US Senate, the Department of Homeland Security is the intended beneficiary of the Hack DHS Act. Senators Hassan of New Hampshire and Portman of Ohio introduced the bipartisan measure today with the intention of establishing a pilot bug bounty program for the Department of Homeland Security. The Senators point out that, since DHS is responsible for security the dot gov domain, they have hopes that this could do for the Federal Government as a whole what the "hack the Pentagon" has begun to do to help secure the Department of Defense.

Dave Bittner: [00:07:52:17] A brief note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning E8 is talking about aren't science fiction at all, and they're here today. E8's white paper, available at can guide you through the big picture of these still-emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at, and we thank E8 for sponsoring our show.

Dave Bittner: [00:08:46:06] And I'm pleased to be joined once again by Malek Ben Salem. She's the Senior Manager of Security and R&D at Accenture Labs. And you wanted to share some information that Accenture has put together, sort of a vision statement about self-sustaining enterprises. What do we need to know about that?

Malek Ben Salem: [00:09:00:15] Yes. Doing business today in this new digital ecosystem is different, right? We notice a lot of trends that are increasing the security challenges that companies have to address. For example, the proliferation of insecure devices, the blur of the physical, the personal and professional lives; the blur of physical also and digital is another trend. And then the third trend is the weaponization of the internet. All of these trends, basically, are raising new challenges for companies. So we came up with this concept of a self-sustaining enterprise where self-sustaining here refers to sustaining the business itself but also being resilient about protecting that business and addressing security threats.

Malek Ben Salem: [00:09:53:10] What we advocate for is, really, understanding and assessing trust in a different way in this new ecosystem. So when you're doing business in this environment and dealing with third parties, partners, vendors, et cetera, you can think of this physically as your own neighborhood, and visitors are coming and leaving. So who do you trust in that neighborhood? If somebody knocks on your door, do you trust that person? Do you let them in? Do you ask them for credentials? What do you do?

Malek Ben Salem: [00:10:26:01] Similarly, when you have a business, you have all of these devices connecting to your network, whether they're personal or professional devices, meaning that they're owned the company. Do you trust those devices connecting to your network? What do you do if an insecure device tries to access some of your assets? How do assess how much you trust that device? We are encouraging our clients to think about trust-based authentication and assess that level of trust based on the identity that the device proclaims through its own attestation, based on the degree of control that the enterprise has over that device so whether it's a corporate device or a third party device or it's a device owned by a person.

Malek Ben Salem: [00:11:18:16] There are several factors that can help with that trust assessment, including what the exposure is to that unknown device. Or, if the unknown device is added to that neighborhood, can it be used to attack other devices? That could be used, not only to assess that trust, but also to build a persistent identity for that device. When you can track or have that persistent identity, then you be more confident in the authentication decisions that you make for that device.

Dave Bittner: [00:11:53:19] I see. Interesting stuff, as always. Malek Ben Salem, thank you for joining us.

Dave Bittner: [00:12:03:04] As research from our sponsors, Cylance, will tell you, DLL hijacking isn't a new threat but that doesn't mean it's no longer dangerous. Cylance has found a Graftor variant that's up to no good, and that shows the ability to hide quietly in plain sight. Whatever the malware controllers are up to, you can learn something about their malicious code, how to recognize it and what you can do to protect yourself by visiting the Threat Spotlight piece of Graftor, at Understand the threat. If you want to feel truly lucky, go beyond relying on Lady Luck or at least realize that fortune is fatuated with the efficient and the prepared. Learn more at, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:37:05] My guest today is Dinah Davis. She's the Director of R&D at Arctic Wolf Networks, and founder of Code Like a Girl, an online community that aims to break down the perception that women aren't able to thrive in tech. She started Code Like a Girl in part out of frustration.

Dinah Davis: [00:13:03:14] I was doing a lot of blogging about women in tech, and I couldn't find a publication that would take my work or that was really interested in it or fit and, as I was thinking about that, I was thinking, "Wow, right now the impact of me is just me, but what if it was the impact of all the voices of all the women in tech?" So I thought if I created a publication I could bring all those voices together and then try to amplify them so more people would hear them, so the impact would be bigger. So, in January of 2016, I created a publication and it took off. It's been a lot of hard work, but zero followers on day one, 2016, and today we have over 23,000 followers.

Dave Bittner: [00:14:00:16] What are the typical types of things we might expect to find on Code Like a Girl?

Dinah Davis: [00:14:06:20] There's actually quite a large range. We have a technical section; there's people's experiences being a woman in tech. There is career advice. There's a whole section on getting kids involved in tech, especially young girls and how to promote that. We also have a focus on role models, so there's whole page on articles about role models, because I think they're one of the key things to changing the view of women in tech and getting more girls and women involved in it.

Dave Bittner: [00:14:38:00] But by day you are Director of R&D at Arctic Wolf Networks. What was your experience like coming up in the tech world?

Dinah Davis: [00:14:44:19] It was pretty typical. I remember being in a computer science class in my university, and my university was seven to one women to men. It just happened to be a school where there were a lot of teachers and that kind of stuff, and we had a lot of women. But I walked into that computer science class and there were 60 guys and two women. I was one of the two women. So even in the university, where it was completely flipped like that, the computer science was still dominated by men.

Dinah Davis: [00:15:15:07] That has been pretty typical. I'm usually the only girl, one of the only girls on a team and that hasn't bothered me terribly much. I wish that there was always more women there, but I just kind of, at the beginning of my career just took it as it was. Then I had a really bad experience and I decided that I didn't really want to stay quiet anymore. Early in my career, I was a little bit afraid of speaking up, that it might impact my career in a bad way. After that experience, I thought, "I don't want other women to be going through this, too. I'm not going to be quiet anymore and if a company is not okay about me speaking up about these things then I don't want to work there."

Dave Bittner: [00:15:54:20] What kind of bad experience did you have?

Dinah Davis: [00:15:56:24] Oh, I just had a terrible boss that was very misogynistic and he was a bully. He was a bully to more than just me, but it really just wasn't fun. I didn't stay there very long, and I have since found much better employers and Arctic Wolf if fantastic. I love working here. We have a female founder and a male founder. It gives a really awesome perspective. You have kind of a yin/yang situation there. Their personalities are different, so they compliment each other. Plus I'm working in security again, which I love.

Dave Bittner: [00:16:32:18] There is certainly a shortage of women throughout tech and in cybersecurity specifically. We don't do a terribly good job of retaining women who do enter our community, and then, even as things filter up, there are even fewer women up in the C-suite. First of all, what's the importance of having women represented at that level and what can we do to improve the situation?

Dinah Davis: [00:16:56:24] Yes, I mean there's lots of studies out there that you can find that shows that, if your C-suite or your board, or just generally, your leadership team is more diverse the company actually performs better. So really it's there in the numbers and the money, and I just think different people from different backgrounds, different genders, give different perspectives, and you see more so you can react better to changes in the market; you get more diversity of thought. It's not just women, it's like diversity of culture, background, gender, it's all important, but the more diversity you have there, the better you can react to when things change in the market. You have more ideas, more experiences to draw from than the single narrative that the older white male has.

Dave Bittner: [00:17:47:05] so what kinds of things do you think companies can do to better provide a good work environment for women and to retain them?

Dinah Davis: [00:17:56:07] There's a fantastic article written recently on our blog, and a woman said, "I don't want to feel like I'm a minority, but I want to be supported when I am." For me that hit it right there. I don't want to feel like I'm somebody who's different, I just want to be treated the same as everyone else, but if there's a problem I want to be supported. It's called, "I'm a Woman in Tech and this is what I want in a Company" by Leah Mitchell, and she really describes it well, I have to hand it to her. She articulated what women in tech want and I think what most minority groups want in tech.

Dave Bittner: [00:18:36:18] What do you credit with the success of Code Like a Girl? What do you think is the reason that it has resonated so well?

Dinah Davis: [00:18:44:15] I think what resonates with them is that it's their stories. These are real stories; these aren't studies. These are things that people have experienced, or they're advice from real people who are in the industry. You get to find out about role models and people you look up to, and they write about what they've learned and how they did things. To me, this has been about building a community to support other women in tech, and then using that community to raise awareness to people who are outside it.

Dave Bittner: [00:19:16:07] That's Dinah Davis from Code Like a Girl. The website is

Dave Bittner: [00:19:27:00] That's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you through their use of artificial intelligence, check out

Dave Bittner: [00:19:40:13] The CyberWire Podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend, everybody. We'll see you back here on Monday. Thank you for listening.