The CyberWire Daily Podcast 7.24.17
Ep 397 | 7.24.17

Buckets leak, but so do CDs. NotPetya and Sandworm. Fruitfly versus Macs. ISIS strained in cyberspace. A look at dark web souks. Hacked fish tank.


Dave Bittner: [00:00:00:23] Hi, everyone. We are excited to announce a new listening option for the CyberWire podcast. One of the top requests from our listeners has been for an ad-free subscription based option for listening to the show and, starting today, we are offering just that. If you go to you can find out how to become a contributor and at the $10 per month level you gain access to the ad-free version of our show. It's the same CyberWire, just without the ads. And don't worry, the free ad supported version will still be available, but now you can choose to support our show and get that ad free version. So check it out - Thank you.

Dave Bittner: [00:00:41:15] AWS misconfigurations leak data, so pay attention to your Access Control Lists. Wells Fargo data is leaked in the course of e-discovery. We've got more NotPetya fallout and investigation. ISIS is still active in cyberspace, but its online presence begins to fray. Fruitfly has been buzzing through Macs, quietly, for a decade. Other dark web markets are poised to take the place of AlphaBay and Hansa Market. And Ocean's 11 meet the IoT.

Dave Bittner: [00:01:15:12] Now I’d like to tell you about an opportunity from our sponsor, Cylance. If you’re going to be in Las Vegas for this year’s Black Hat, be sure to stop by Booth 716 and let Cylance show you how artificial intelligence and machine learning power technology that predict attacks and prevent them before they can execute. They’ll show you how Cylance Optics, with its prevention based endpoint detection and response, detects hard-to-find threats across the enterprise. See what this new technology can do to give your team the insight security analysts need to take corrective action fast. What goes on in Vegas shouldn’t, in this case, stay in Vegas. Once you see it, you’ll want to take Cylance Optics home with you. Visit for more on endpoint detection and response and write down Booth 716. We thank Cylance for sponsoring our show.

Dave Bittner: [00:02:13:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, July 24th, 2017.

Dave Bittner: [00:02:23:15] We've heard a lot, recently, about misconfigured Amazon Web Services S3 data buckets, and the sensitive data found exposed in them. Configuration, as Amazon points out, is the customer's responsibility and not Amazon's - after all, it's up to the customer to decide what they want to protect and what they want to share, and with whom they want to share it. Amazon has a point. Access Control Lists govern who can see the contents of an S3 bucket, and users of Amazon Web Services should look at their buckets to ensure that public read-access is enabled only where it's supposed to be.

Dave Bittner: [00:02:57:12] Of course, where there's data, there are risks, and some of those risks are more earthbound than any cloud. Witness Wells Fargo's misfortune. The bank learned this past week that outside counsel it had retained mistakenly shipped CDs in the course of discovery to an attorney representing a former Wells Fargo employee suing another employee for defamation. The CDs contained personal and financial information on about 50,000 high-net-worth customers. The mistake must be particularly galling given that Wells Fargo is not even a party to the lawsuit.

Dave Bittner: [00:03:31:21] This may not only be a third-party breach, but at least a fourth-party breach as well. The outside counsel, which the New York Times identified as Bressler, Amery & Ross, says it used an "outside vendor" in the course of e-discovery. Bressler, Amery & Ross have asked that the data be returned. The plaintiff who received them said it's fortunate he's a good guy - a less scrupulous person would have spread the info all over the Internet.

Dave Bittner: [00:03:57:09] Companies affected by NotPetya are still working on recovery and damage assessment. Maersk and other victims emphasize one point - customer data do not appear to have been compromised in the attacks.

Dave Bittner: [00:04:09:11] WannaCry and NotPetya continue to look like state-sponsored works of disruption. We heard from security firm, FireEye, who's working with the Ukrainian National Police on the investigation. They note that the Sandworm Team has a history of attacking Ukraine. FireEye says it has more technical evidence of connections between Sandworm and NotPetya. They also note that Sandworm has a history of destructive wiper attacks, which, effectively, the last round of NotPetya amounted to.

Dave Bittner: [00:04:37:12] Sandworm has also shown a predilection for hitting Ukrainian targets. FireEye points out that evidence of Russian government responsibility is, given the sort of information available, inevitably circumstantial. As they conclude, however, "We can’t be 100% sure that it’s a state sponsored group, but there are many strong signs that point towards this."

Dave Bittner: [00:05:00:19] Both WannaCry and NotPetya propagated rapidly; comparable spreader technology is appearing in other strains as well. Fidelis has been tracking spreader functionality as it's been added to the widely used Emotet loader, so we haven't seen the last of such rapidly metastasizing attacks.

Dave Bittner: [00:05:19:07] The Islamic State's recent setbacks on the ground have cost ISIS territory and much of its pretension to being a government, even as Interpol circulates a list of 173 suspected members of Caliphate suicide units. ISIS has maintained its Russian-language propaganda service, but other operations in cyberspace are showing signs of strain.

Dave Bittner: [00:05:41:19] Malwarebytes and Synack are tracking Mac malware that's quietly infested the Mac ecosystem for years, going largely undetected. "Fruitfly," as it's called, is regarded as both primitive and mysterious. Its infection mechanism and purpose both remain unclear.

Dave Bittner: [00:05:59:02] In industry news, healthcare cybersecurity startup Protenus has received an additional $3 million in funding, bringing its Series A total to $7 million. Nyotron, which offers a threat-agnostic defensive solution designed to be effective against unknown threats, has raised $21 million in its recent funding round.

Dave Bittner: [00:06:20:18] Authorities are expected to continue to look for more participants in dark web contraband markets. Demand will in all likelihood shift elsewhere now that AlphaBay and Hansa Market have been taken down. AlphaBay was successor to Silk Road as the black market leader, and Hansa Market was called, until its takedown last week, "the World's Most Secure dark net market place." There are other dark web markets out there. We heard about some of them from Patrick Martin, a cybersecurity analyst at RepKnight, a firm specializing in the dark web.

Dave Bittner: [00:06:52:23] Martin points out that these markets aren't all about drugs and guns. They're also a marketplace for stolen data and corporate intellectual property. He said, "The shutdown of AlphaBay and Hansa is certainly great news, but when you consider that 80% of the Internet is made up of the deep and dark web, you realize that these two sites are only the tip of the iceberg." Some of the other big markets that are still in operation include Dream Market, Valhalla, and Wall St. Market. Martin says they're already seeing criminals who supplied wares to AlphaBay and Hansa Market shift their operations over to these.

Dave Bittner: [00:07:28:15] So it's a good idea to keep an eye out for the possibility of your data being traded on the dark web. But that said, it's not a good idea to do so yourself. As Martin puts it, "the dark web is definitely not “safe surfing” - signing up to dark web sites yourself is really not a good idea, not only because of the disturbing nature of other things you’ll come across but also the risk of getting phished by cybercriminals, or a knock on the door from the police." So look to the experts and get some help.

Dave Bittner: [00:07:59:17] Finally, in what sounds like a high-concept caper movie, crooks found their way into a casino and exfiltrated data to a command-and-control server in Finland. The casino is somewhere in North America, but that's all investigators are saying. But here's where the high-concept gets high, cats - the hackers got in through the IoT, specifically through a smart fish tank on display in the casino. Security firm Darktrace, which investigated, says that the hoods exploited a recently introduced device and used their access to bypass the casino's other, normally formidable, defenses. The kind of fish in the tank are unknown, but they were probably just innocent bystanders. Danny Ocean, call your office, and bring the Rat Pack with you.

Dave Bittner: [00:08:48:18] Now another message about some research from our sponsor, Cylance. You know good policy is informed by sound technical understanding. The crypto wars aren’t over! Cylance would like to share some thoughts from ICIT on the surveillance state and censorship and about the conundrum of censorship legislation. They’ve concluded that recent efforts by governments to weaken encryption introduce exploitable vulnerabilities into applications and develop nation state dragnet surveillance programs will do little to stymie the rise in terrorist attacks. These efforts will be a detriment to national security and only further exhaust law enforcement resources and obfuscate adversary communiques within a massive cloud of noise. Backdoors for the good guys mean backdoors for the bad guys and it’s next to impossible to keep the lone wolves from hearing the howling of the pack. Go to and take a look at their blog for reflections on surveillance, censorship and security. We thank Cylance for sponsoring our show.

Dave Bittner: [00:09:56:22] Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks and he also heads up Unit 42 which is their Threat Intel Team. Rick, you've got an interesting announcement here, a pretty broad announcement that Palo Alto has developed an application framework. Give us the details here. What's going on?

Rick Howard: [00:10:14:19] Well, you and I have talked about how many vendors there are in the cybersecurity space. When I went to RSA this year, there were over 650 of them trying to display their wares. I talked to a lot of them, and every one of them has the very best idea that's going to save the Internet - if I would just take their product, I would be secure forever. Even if I found one that I liked and it did save the Internet, I still have to deploy it and manage it and it's just really hard and very expensive. I called that the security vendor mambo - the dance that all network vendors must do to install a product. What the vendors don't tell you though is that their product alone won't be enough. In order to completely cover the attack lifecycle, network defenders like me have to do the same security vendor mambo dance with several products.

Rick Howard: [00:11:09:09] Small organizations have at least 20 different security tools that they deploy. Medium sized companies have deployed at least 50 and large organizations, like the big financials, have over 200 tools to deploy just for security. What this tells me is that the security product consumption model is broken. Network defenders like me consume those products; it's too hard to do. Therefore, it is ripe for disruption and the organizations that could get this done are the firewall vendors. We're a firewall vendor but there are others. If you just consider what a firewall does - the firewall is the one security tool that every network defender has deployed. They have other things, but everybody has a firewall. They're very complex systems and they do many tasks but if you reduce the idea of a firewall to its basic functions, it really does three things. First, it's a way to collect intelligence and telemetry on Internet traffic coming in and leaving the organization. Second, it is a processing engine that looks at the intelligence and telemetry to determine malicious behavior. Finally, it is an enforcement point that network defenders can use to either automatically block malicious behavior or manually block that behavior, once a human has looked at it.

Rick Howard: [00:12:27:13] What firewall vendors have done in the last couple of years is they have moved the data collection and processing functions out to the cloud. There are lots of reasons for this, but mainly, for all intents and purposes, vendors have infinite storage capacity and processing power in the cloud, where the deployed firewall does not - it's kind of a finite thing. If a vendor wants to add a new service to the firewall, say like an anti-APT or an intelligence analytical service, vendors build that as an application in the cloud, and not as a new hardware service for the deployed physical platform.

Rick Howard: [00:13:05:00] So the vendor collects the data in the cloud, the new anti-APT service runs its algorithms on the cloud data, and then sends blocking decisions back down to the infrastructure to its customer. That's where the industry has gone the last couple of years. If you take that evolution and think about what could happen next, the consumption model for security products could get flipped on its head. This disruptive, logical next step is for firewall vendors to allow those other 650 tools to use the same infrastructure that is already deployed for the firewall. Instead of network defenders doing the security vendor mambo for 20, or 50 or 200 tools, firewall vendors will allow those same security tools to run as applications on top of the data cloud and use the deployed physical firewall as the enforcement point.

Rick Howard: [00:13:56:24] So consuming a new security product will become as easy as it is to download the next Angry Birds game to your iPhone. That's what we're going for here. Network defenders will go to the security app store, download the cool new security tool they saw at RSA in the last conference, turn it on and then the security vendor mambo, that dance we always have to do now, will be replaced by an on/off switch - that's where we're going. We call it the application framework. That is a fantastic name - I know it's really sexy. I expect all the firewall vendors will offer something similar in the very near future.

Rick Howard: [00:14:33:02] The bottom line to all this application framework is a completely disruptive idea, and is the next logical extension of automatic orchestration, vendors making it easier to deploy security tools.

Dave Bittner: [00:14:45:07] Rick Howard, thanks for joining us.

Dave Bittner: [00:14:50:02] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit Thanks to all of our sponsors, who make the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Thanks once again to all of our supporters on Patreon, and to find out how you can contribute to the CyberWire, go to

Dave Bittner: [00:15:16:05] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.