The CyberWire Daily Podcast 6.8.17
Ep 366 | 6.8.17

Qatar—provocation, and disinformation online. Influence operations move from doxing to disinformation. 2FA still a good idea. Former FBI Director Comey testifies. And assume the boss is watching.


Dave Bittner: [00:00:01:01] I agree wholeheartedly that the Wonder Woman movie was awesome but instead of spending $15 to see it a third time, why don't you take that money and use it for the CyberWire? Check out to find out how.

Dave Bittner: [00:00:16:12] Qatar remains in bad odor with its neighbors over a recent online provocation. Russia denies any involvement. Anomali talks about influence operations, especially with respect to elections where they may be moving from doxing to disinformation. Leaks about election hacking shouldn't turn you off to multifactor authentication. It's not the technology. It's us. Former FBI Director Comey testifies before the Senate Intelligence Committee. And a lesson from the NSA leak arrest. Assume the boss is watching.

Dave Bittner: [00:00:52:08] A few words to tell you about research from our sponsor, Cylance. Have you heard about Shamoon, the destructive worm that's made at least two turns through Saudi Arabia's energy sector? Well, it's also known as DisTrack and Cylance has a full report on it and how it works. DisTrack is back too by the way since it first hit Saudi Aramco back in the summer of 2012. It's most recently been found infesting banking targets. DisTrack is worrisome because it's destructive. It's highly targeted and you don't want to become a target. But if you are, learn how the worm works and how Cylance can protect you. Visit to get the skinny on DisTrack. You don't want to get caught short so read up on DisTrack and while you're there you can learn all about how Cylance can help protect you too. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 8th, 2017.

Dave Bittner: [00:02:00:17] The hacking of the Qatar News Agency with broadcast and Twitter content that represented that country's government as sympathetic with both Israel and Iran has opened a wide rift between Qatar and its neighboring members of the Gulf Cooperation Council. Several of its neighbors including Bahrain, Saudi Arabia, Yemen, and the United Arab Emirates have suspended diplomatic relations with Qatar. In the United Arab Emirates this has taken the severe form, severe for an online political crime, of a law that could punish expression of agreement with, or support for Qatar in social media, with up to 15 years in prison. So if you find yourself in Dubai, think twice before hitting like or thumbs up or retweet. The law took effect yesterday.

Dave Bittner: [00:02:46:00] In this context putative Iranian sympathies are probably the most serious offense. Sunni Saudi Arabia and its Arab allies in the Gulf have long been at loggerheads with Shi'ite Iran over where regional power would reside. The present incident began on May 23rd with hoaxed broadcast news and a coordinated Twitter campaign. Qatar has stood out somewhat from other states in the region for its financial support of terrorist groups in Libya and Syria, for its closeness with both the Muslim Brotherhood and Hamas and, by Arabian Gulf standards, for its relatively less chilly relationships with Iran.

Dave Bittner: [00:03:21:12] According to Motherboard which cites anonymous security industry sources, the news agency's content management system is weakly defended and hacking it would have been a relatively simple matter. Who might be behind the hacking is a matter of dispute. Here are the leading theories, in descending order of probability.

Dave Bittner: [00:03:38:21] First, the Russian government did it. Qatar is host to important US bases in the region and disrupting security and military collaboration among the US and the Gulf's Arab nations would tend to serve Russian interests. This theory appears to be favored by the US Intelligence Community. The FBI is said to have personnel on the ground in Qatar assisting investigation.

Dave Bittner: [00:04:01:07] Second, Russian criminals did it. The style of the hijacking is said to be a little brassy even for Fancy Bear in her brassiest moments but in other respects it resembles some of Fancy's prancing and there has long been pervasive inter-penetration of Russian intelligence services and criminal elements. How the criminals would have gained from the hack is unspecified.

Dave Bittner: [00:04:24:05] Third the Saudis hired someone, maybe Russian hoods, to do it, presumably out of their animus towards a difficult neighbor. This theory verges on the paranoid but stranger things have happened.

Dave Bittner: [00:04:37:02] If we had to bet, we'd take door number one. It's only fair to say that Russian authorities have denied, with some heat, that they had anything to do with it. In any event US President Trump has walked back his initial serves-them-right reaction to the diplomatic rift and has been making increasing efforts to pacify the parties in the dispute.

Dave Bittner: [00:04:57:04] If the Russians indeed are responsible, this would indicate a strategic shift away from simply doxing, what some wags last year called "enforced transparency," and toward outright disinformation and provocation. We spoke this morning with Travis Farral of the security firm Anomali and a lead investigator in producing that company's report, "Election Security in an Information Age," released this week.

Dave Bittner: [00:05:20:21] Farral noted that in the 2016 US Presidential election, the authenticity of the emails taken from the Democratic National Committee and released online wasn't seriously questioned. By the time the same threat actors worked their way into this year's French presidential election they had begun to fabricate some of the more scurrilous material released about Emmanuel Macron, that election's ultimate winner. Farral also noted that Macron's campaign, En Marche!, was better prepared than the US DNC to counter such disinformation. They expected it. They established honeypots and other time-wasting diversions for attackers and they were quick to denounce false rumors. In the elections currently being held in the United Kingdom where results are expected later tonight, there have been reports of a large and active campaign of sockpuppetry mounted on behalf of the Labor Party's leader Jeremy Corbyn.

Dave Bittner: [00:06:12:09] Farral thinks it's possible that we are seeing a strategic shift in Russian influence operations away from leaking and into classic black propaganda and front operations, tuned and updated for an online world where disinformation faces very low barriers to entry.

Dave Bittner: [00:06:28:12] Here in the US the kids are getting out of school and many families are getting ready for summer vacation. Drew Paik is from Authentic8, a supplier of secure virtual browser technology and he warns travelers to be extra cautious while away from home.

Drew Paik: [00:06:43:05] Travelers are prime targets, whether it's for personal or for business because all data has some value. Travelers also have less control and fewer defenses protecting them. So, they don't own the Internet connection, they don't control the network, sometimes they don't even own the device, like if they're using a computer in a hotel business center, for example. Criminals want the data because they can use it or they can sell it or they can hold it hostage and they can make money from all of these different exploits.

Dave Bittner: [00:07:18:04] So is this a matter of people on vacation sort of bumbling into situations where they might not be secure, or is it a matter of the bad guys actually seeking out people who might be traveling?

Drew Paik: [00:07:29:24] I think it's a little bit of both. You might have criminals who are targeting specific hotels or resorts which happens all the time with their point of sale infections. You might also have just general purpose infections with malware that spread far and wide, and that's just hitting people everywhere, as many people as possible because the more people you infect, the higher the chances that you're going to get some information you can actually use and sell and make money off of.

Dave Bittner: [00:08:00:11] What kinds of things should people do to protect themselves?

Drew Paik: [00:08:03:16] There's a couple of basic things. People have heard this over and over again but it bears repeating. One: you can keep everything updated and backed up. That includes the operating system, the device itself. Your web browser is the number one target for hackers and exploits. Any kind of dedicated apps, even on your phone, your mobile apps, those should be updated on a regular basis. This can help limit any damage. The second thing is: if you think about your Internet connection like sending a postcard, would you write something sensitive like your social security number on a postcard? Probably not. So just remember that public Wi-Fi is basically like sending a postcard. It's trivial to compromise. And I think the third thing is to always use an encrypted connection when you're on the Internet. That might be a VPN, a virtual private network that you have to set up yourself, or it could be a dedicated app that helps encrypt all your data. If connecting to a Wi-Fi hotspot is like sending a postcard then encrypting your data is like putting it in an envelope and sending it, so it gives you a little bit more protection.

Dave Bittner: [00:09:17:10] And of course, you know, really, you're on vacation - unplug, right? Just give it a break.

Drew Paik: [00:09:21:17] You should be spending time with your family instead of online.

Dave Bittner: [00:09:26:08] That's Drew Paik from Authentic8.

Dave Bittner: [00:09:30:12] Former FBI Director Comey testified this morning before the US Senate Intelligence Committee. His testimony was wide-ranging and avoiding matters touching on current investigations and on sensitive matters that would be addressed later in a closed session. But he was clear on one thing. He has little doubt the Russians attempted to influence US elections and that this is a very serious matter indeed.

Dave Bittner: [00:09:55:16] And finally the story of alleged NSA leaker Reality Winner, now in custody in Georgia facing charges of violating 18 U.S.C. Section 793(e), has one lesson for anyone who uses IT in their workplace. Don't assume that the boss can't watch what you're up to. It took the FBI just four days from when the intercept sought to authenticate the leaked documents to interview Ms Winner and take her into custody. So the mills of justice proverbially grind slowly but this time they were more like a blender, on high speed.

Dave Bittner: [00:10:33:14] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning, but it's not always easy to know what these could mean for you. So go to and see what AI and machine learning can do for your organization's security. In brief they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today. We thank E8 for sponsoring our show.

Dave Bittner: [00:11:28:09] And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. Certainly the state of healthcare security is top of mind for a lot of people and you wanted to share some statistics from a recent report?

Dale Drew: [00:11:44:12] Yes. So there was a recent study released by HIMSS on the increase in volume and sophistication of security breaches against the healthcare industry. What this really sort of talked about was, the bad guys are beginning to commoditize your healthcare profile, for the purposes of selling that information online. And so a number of attacks are being more and more oriented toward the healthcare environment, and really taking that industry by surprise and the shock and awe approach.

Dale Drew: [00:12:18:11] Some of the key takeaways from that study which I found to be pretty interesting were that the employee still becomes the single largest source of threat. About 80% of the respondents said that employee security awareness was the largest loophole, with regards to attacks. And that's everything from employees clicking on phishing emails that gain access to the healthcare environment, answering social engineering phone calls, and responding with things like names and passwords, or other assets to get in. About 97% of them said that uptime was of greatest importance to them, which means that we are seeing a pretty significant, I think it's third in the ranking of industries that are being targeted by DDoS attacks. And so when the bad guys can't steal identity information, they begin to extort the healthcare industry by launching DDoS extortion attacks and attempting to gain money out of those enterprises.

Dale Drew: [00:13:21:24] I think the last thing that I thought was surprising is a lot of the healthcare companies still rely on fairly traditional security techniques to be able to protect themselves, and this is everything from trying to protect remote access using fairly basic controls - names and passwords. About 85% rely purely on education awareness, and 75% rely on outside consultants to be able to direct them on how to control their systems. While I've got nothing against outside consultants, I think that bringing in outside parties needs to provide a point in time view of how to improve your in-house security program, not being the sole focus point for it.

Dave Bittner: [00:14:08:08] Interesting stuff. Dale Drew, thanks for joining us.

Dave Bittner: [00:14:14:04] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks to all of our supporters on Patreon. Another way you can support the CyberWire is by leaving a review for our podcast on iTunes. It really is a great way to help other people find our show.

Dave Bittner: [00:14:36:02] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.