The CyberWire Daily Podcast 6.6.17
Ep 364 | 6.6.17

Report leaked on Russian influence operations (alleged leaker in custody). ISIS continues inspiration; anarchist groups said to follow same playbook. The DarkOverlord is back.


Dave Bittner: [00:00:01:05] Hey, I get it, you're in the car. It's dangerous to check out our Patreon page while you're driving. But when you get where you're going, go to and check out ways you can support our show. Thanks.

Dave Bittner: [00:00:15:04] A leaked report describes 11th hour Russian influence operations during last year's US elections. An alleged leaker is already charged and in custody. The UK's investigation into last week's terror attacks continues, online as well as in physical space. Apple hints it's helping out. The attackers seem to have been known to authorities. In its continuing campaign of online inspiration, ISIS claims responsibility for the destruction of a church in The Philippines and a lethal standoff in Australia. Violent anarchist groups seem to be following the ISIS playbook in cyberspace. Some thoughts on wolves. And the DarkOverlord is back.

Dave Bittner: [00:00:56:04] Here's some research from our sponsor, Cylance, that we think you'll enjoy. If you've been a CyberWire listener or reader, you're familiar with Eye Pyramid, a cyber espionage tool that had been quietly active in Italy's political and financial services for several years until the brother and sister duo who were controlling it were snapped up by Italian police. It's a clever keylogger that exfiltrated sensitive information from infected machines and it did so while quietly disabling firewalls in various Windows updates and services, the better to remain undetected. You can get the lowdown on the still dangerous Eye Pyramid at See what Cylance's threat spotlight can show you about Eye Pyramid and how to protect yourself against it. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:44:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 6th, 2017. There's been another leak of a highly classified NSA report but in this case an alleged leaker has already been taken into custody and charged. Late yesterday the Intercept published a document taken from an NSA study of Russian influence operations targeting the US elections. It's noteworthy in that it indicates that such operations continued, apparently unabated, well after the former Administration's naming-and-shaming of Russian intelligence services and US President Obama's cut-it-out-or-else warning to Russian President Putin. An alleged leaker has already been taken into custody and charged. The US Department of Justice announced yesterday that on Saturday the FBI interviewed and arrested a 25-year-old US Air Force veteran, Reality Leigh Winner, who since leaving the Service in February had been employed in the state of Georgia by Federal contractor Pluribus International. The Justice Department says she'd been charged with "removing classified material from a government facility and mailing it to a news outlet, in violation of 18 U.S.C. Section 739(e)." She is alleged to have printed and removed the classified report from a secure facility less than a month ago, on May 9th. Authorities learned of the leak last week when a news organization, unnamed in reports but presumably the Intercept, began asking questions about the material. The Intercept has refused to name its source and in any case it's likely they received the material anonymously.

Dave Bittner: [00:03:28:08] Internal evidence in the document itself, including printer dots and evidence that it had been folded, suggested to FBI investigators that the leaked report had been physically printed. This narrowed the search down rapidly and Ms Winner was questioned and taken into custody on June 4th. The story is, of course, developing and we'll continue to follow it here.

Dave Bittner: [00:03:48:23] For many of us following the goings on of the security world, Russia has certainly been top of mind lately. The folks at Endgame were curious to know about the general public's perceptions of Russia and the ability of the US to defend against them. So they surveyed over 2,000 people to try to find out. Andrea Little Limbago is chief social scientist at Endgame.

Andrea Little Limbago: [00:04:09:10] Over half of Americans are concerned about influence within-- the Russian influence in the White House and then it also had, you know, the aspect on insider threat as well as a key concern. That's something that often gets overlooked when focusing on some of these things and that may manifest itself as well. There's aspect of feeling that Russia's a bigger threat now that it was during the Cold War, which on one hand isn't terribly surprising. You know, if we'd taken the survey a few years ago, say right after OPM, I'm sure many would say that China was the biggest threat. So what happens, with a lot of these cases, is that whatever the most recent-- you know, it's sort of a cognitive bias where the most recent events remain the ones that are overestimated as far as the likelihood.

Dave Bittner: [00:04:47:18] We don't have school kids doing duck and cover exercises, you know, like they did in the Cold War, so it seems-- I'm glad you mention that. It seemed to me, perhaps a little cognitive bias, a little disconnect, a, you know, a fuzzy memory of what the actual fear was during the Cold War.

Andrea Little Limbago: [00:05:03:22] That's my interpretation of it as well, absolutely and, you know, if, all of a sudden we had-- you know, if North Korea-- you know, if there was another Sony, an event similar to Sony, North Korea could very well be the one that pops up. So on the one hand, you know, that's why it's important to do these surveys and some sort of plural consistency to see how it changes over time and that's where you get a lot of insight. So it's useful for this one time stamp, to see how the public feels now. Also, if we were to gauge and look further and dive deeper into, you know, their understanding of what the Cold War was actually like and so forth, you know, I'm sure some different analyses would pop out of that as well. You know, and another interesting thing is that, even during the Cold War, toward the end, when there was a little bit more of a détente, you know, Japan actually was the number one threat for Americans toward the very end of the Cold War. Public perception and sort of the reality don't always go hand in hand.

Dave Bittner: [00:05:56:03] Yeah, to that point there's an interesting statistic in the report. The question was, do you think Russia hacked the 2016 US election? And people came up pretty evenly split with their response to that.

Andrea Little Limbago: [00:06:06:17] Right, and I think that, you know, it's pretty indicative of just how divided our country is right now along party lines. It's one of those things that the information that people are consuming and sort of reinforcing people's own biases and that's what we tend to-- you know, everyone tends to read the stuff that reinforces their own perception and so it is, you know, we're still-- we're a very divided country right now, I think and that's reflected in the survey. You know, one of my recent pet peeves is if you ask about, you know, what does it even mean to have an election hacked. You know, on the one hand, you know, the DNC and the DCCC, they actually had a cyber attack, a computer network attack, but that's different than the information operations. Like, it's similar to what we just saw in the French election, you know. I think it was intentionally left of the broad question but it's one of those things that I think, as we move forward, need to be more specific with the, with the words and it's not just semantics, I think it has good im-- you know, implications on how we, as a country, respond to those things, how you respond to a cyber attack, which could be part of an information operation, maybe different than how we'd respond to information operations that may or may not have a cyber attack associated with them.

Dave Bittner: [00:07:08:06] That's Andrea Little Limbago from Endgame. The full report is on the blog section of their website. It's called A Majority of Americans Think Russia is More Dangerous Now Than During The Cold War.

Dave Bittner: [00:07:20:11] The UK terrorists appear to have been very well-known wolves indeed, one of them even having appeared on a television documentary about radicalization and having been in close association with an extremist British Muslim cleric long-known to authorities. Apple's CEO Tim Cook hinted yesterday that his company had supplied investigators with meta-data relevant to the suspects' activities online and British authorities continue to follow the attackers' spoor to possible collaborators and enablers.

Dave Bittner: [00:07:49:24] ISIS continues its efforts to inspire, posting video online of the Caliphate's "soldiers" destroying a church in the Philippines. The terrorist group has also claimed responsibility for a murderous standoff in Melbourne, Australia, an incident that, absent the Caliphate's claims, could easily have been lost in the sad background noise of ordinary violent crime. ISIS isn't alone in seeking to inspire and recruit online. Violent anarchist groups, particularly ones originating in Greece, appear to be going down a similar path in cyberspace. That phenomenon remains young and small, but will bear watching. Such howling seems largely overt, which has induced some observers to call into questions calls for restrictions on end-to-end encryption, like those issued Sunday by British Prime Minister May. While command-and-control might well benefit from encryption, mass marketing of ideas probably doesn't.

Dave Bittner: [00:08:45:15] Our use of the tropes "lone wolf" and "known wolf" perhaps calls for some explanation, as at least one reader has objected that calling someone a "wolf" could be taken as an honorific, wolves being intelligent predators and, of course, the immediate ancestors of our beloved domestic dogs. After all, sports teams are often given names like Timberwolves, Wolfpack and so on. Clearly, we have no such honorific intent. Killers like those who rampaged against innocents in London Saturday merit no respect and even less honor. But the wolf usage seems to us to have a place. Inspiration seems analogous to the howling of a pack to its dispersed members and "known wolf" conveniently rhymes with "lone wolf." So think of the evil wolves of European folklore and understand that it's no honor to be compared to them.

Dave Bittner: [00:09:35:09] Finally, the DarkOverlord has returned. Remember him? His dark lordship is best known for an attempted shakedown of Netflix. This week the DarkOverlord is said to have leaked eight episodes of an ABC show on Pirate Bay after the network refused to pay extortion. So far the torrent caper looks like a flopperoo. There are no Nielsens for torrents, but Bleeping Computer as of last night had found only three people trying to download the program. What was the program? A game show, Steve Harvey's Funderdome, for all of you out there in television land. Happy viewing, but do wait until your local ABC affiliate airs Mr. Harvey's work.

Dave Bittner: [00:10:20:16] A quick note from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution and they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new but proven technologies at We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where the human teaches the machine, might seem to be the best approach. In fact, unsupervised machine learning can show the humans something unexpected. Cut through the glare of information overload and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:23:11] And I'm joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. You've been having some conversations with some folks in government that have raised some concerns on your end?

Rick Howard: [00:11:39:02] Yeah, I got a little-- couple of raised eyebrows over here and the reason is I've had the opportunity to talk to several city, state and federal C-level executives about how they're thinking just about cloud deployments, both SaaS applications like Box and Office 365 and Salesforce and IaaS and PaaS deployments in cloud spaces like Google, Amazon and Microsoft. Now, it has been clear in these discussions that these government leaders totally get the value of moving at least a portion of their digital workspaces to these cloud environments. Economies of scale are too much to be ignored. But what was alarming to me was that many of them feel and stated outright that they thought security certifications from third party auditors on these cloud providers, programs like the FedRAMP program for the Federal Government, that all the security they need to make these deployments and, I have to tell you, that cannot be further from the truth. Programs like FedRAMP certify that the cloud service provider has a decent internal security process to protect their own environments. It does nothing to protect the data that you store there. It has no individuality about what you're trying to do with your cloud deployment. So the thing to remember here is that the security of cloud environments is a shared responsibility. Cloud providers protect their systems but the customers are responsible to protect the data they store there. So my recommendation to all government security leaders and to all network defenders is to choose a cloud vendor who can give you the same security services that they are already giving you behind your perimeter and in your data centers for all of your cloud deployments.

Dave Bittner: [00:13:17:01] So what kinds of questions should these folks be asking?

Rick Howard: [00:13:20:03] Well, every cloud provider is a little bit different, okay, and if they get FedRAMP certified like the one I called out here, I would definitely get a list of all the things they are certified for. But when you start looking at that list, and you can look it up on the DHS website, all the things that FedRAMP searches for, it is basic security process, like do they have cameras on the data center doors? Do they check their employees? You know, all this basic security stuff that every company goes through. It has nothing to do with, say, if I put Palo Alto Networks' personal data out there what are they doing to secure that down the cyber kill chain? Right. So there's nothing there for that. So that's what they have to worry about.

Dave Bittner: [00:13:59:24] All right, good information. Rick Howard, thanks for joining us.

Rick Howard: [00:14:03:00] Thank you, sir.

Dave Bittner: [00:14:06:01] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, check out If you find this podcast valuable we hope you'll consider becoming a contributor. You can go to to find out how. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.