The CyberWire Daily Podcast 7.25.17
Ep 398 | 7.25.17

Google Groups oversharing. E-discovery don'ts. Energetic Bear may be back. The CopyKittens seem to be Persian cats. Ethereum hacks (and white hats).


Dave Bittner: [00:00:01:16] Just a quick reminder that there is now an ad free version of the CyberWire podcast. You can find out more about it at

Dave Bittner: [00:00:12:22] Google Groups shouldn't be set for oversharing, hundreds of enterprises are learning. Wells Fargo works to recover from botched e-discovery. Energetic Bear may be back, with some cunning phishbait. Pravda says Russians feel strange new respect in cyberspace. The CopyKittens appear to be Persian cats. Another Ethereum ICO is pilfered, but, contrary to expectations, the White Hat Group looks like a genuine group of white hats. And some notes from Vegas.

Dave Bittner: [00:00:46:08] I want to tell you about an offer from our sponsor Cylance. Who doesn't like augmented reality? We know we do. So if you're going to be in Las Vegas for Black Hat this month, why not forget about the stage magic, and stop by booth 716 for some magic you can actually learn from? Cylance will let you experience augmented reality and see how you can learn from the anatomy of a cyber attack. You'll gain real insight into how modern cyber attacks originate, how they work and how they can be prevented before they cause harm to your environment. It's all there for you at booth 716. Visit the Events section of in cyberspace for more on augmented reality and what it can do for security. And more importantly, in physical space at Black Hat, get on over to booth 716 and check it out for yourself. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:43:03] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 25th, 2017.

Dave Bittner: [00:01:53:15] We've been hearing a fair amount about inadvertently exposed data. In several cases of misconfigured Amazon Web Services S3 buckets, businesses and government organizations have seen some sensitive data made accessible to casual web surfers. And of course this is a user issue: AWS users need to devote proper attention to their Access Control Lists.

Dave Bittner: [00:02:14:10] And not only AWS users, but now Google Groups users as well. Security firm RedLock has announced that it's found hundreds of cases in which enterprises have left their information out for inspection. The problem seems to arise from users' casual choice to make their Google Groups public on the Internet. Again, this is a user issue, so if you're a devotee of sharing via Google Groups, make sure you're not oversharing.

Dave Bittner: [00:02:40:21] Wells Fargo, whose outside counsel released information on about 50,000 high-value customers in the course of an e-discovery snafu, is now receiving the attentions of FINRA, the Financial Industry Regulatory Authority. That outside counsel said they relied on a vendor to prepare the CDs on which the required documents were provided, which would make this, we suppose, a case of fourth-party risk. At any rate, Wells Fargo itself has petitioned the courts to order the return of the data. "We take the security and privacy of our customers’ information very seriously," Wells Fargo said in a public statement. "Our goals are to ensure the data is not disseminated, that it is rapidly returned, and that we ensure the discovery process going forward in the cases is working as it should."

Dave Bittner: [00:03:29:08] Security company CyberInt reports that it's found a new campaign that appears to be prospecting energy utilities. They're not sure who's behind it, but they think they see signs that it may be Energetic Bear, again. This campaign installs credential-harvesting malware via an email attachment, specifically a Word document that purports to be an innocent resume, the kind of thing HR and recruiting offices open all the time. Neither the document nor the email that carries it has malware embedded in it. Instead, the document contains a template reference which, upon loading, connects via Server Message Block to an attack server, after which it downloads a Word template that does carry malicious payloads. The electrical utilities being prospected appear so far to be largely American, but the campaign is likely to have more widespread effects.

Dave Bittner: [00:04:19:08] Energetic Bear, like NotPetya, is thought to be the work of Russian intelligence services. Pravda offers some perhaps uncharacteristic candor about what's up. At last, they say, citing a poll of Russian attitudes, the foreigners have to respect us. A spokesman for President Putin tells the information outlet that Russia is a war elephant in cyberspace, and now needs to begin making its hardware as good as its software.

Dave Bittner: [00:04:46:14] ClearSky and Trend Micro yesterday released the results of their research into CopyKittens, which they characterize as a cyberespionage group, operating from and on behalf of Iran. The CopyKittens have been operating since 2013 at least. Their interests are consistent with nation-state strategic intelligence objectives, legislative bodies, foreign and defense ministries, the defense and aerospace industry, academic research institutions, and so on. The nations principally targeted include Israel, Saudi Arabia, Turkey, the United States, Jordan, and Germany. Some recent high-profile victims have been Germany's Bundestag and the Jerusalem Post. The group uses DNS for both command-and-control communications and data exfiltration. ClearSky and Trend Micro call CopyKittens' latest campaign "Wilted Tulip."

Dave Bittner: [00:05:38:00] If you're in the US you're surely familiar with your FICO score, the number that credit agencies provide to give lenders a sense of your credit worthiness. Well the folks at FICO are now aiming their ratings analytics at cybersecurity. Doug Clare is vice president of cybersecurity solutions at FICO.

Doug Clare: [00:05:55:18] We got into it as a result of a conversation that FICO had with our breach insurer. Our insurer came out for the usual questions about our business: how it's going, what we do, what our practices are. There was a rhetorical question that was asked, which was, "Wouldn't it be great if there were a FICO score for cyber insurance, for cyber risk?" We scratched our heads and thought about that a little bit, and the more we thought about it, the more we came to realize that it was probably a tractable problem from an analytics perspective. There are behaviors and conditions that are measurable that you can empirically correlate to breach events.

Doug Clare: [00:06:35:22] It is certainly a very interesting space from an analytics perspective, but it is much like a FICO score, or other things that you can tackle with analytics and artificial intelligence and machine learning. It's a tractable problem and it's one that I'm sure we're going to improve upon over time but it's one that analytics can be applied to effectively.

Dave Bittner: [00:06:58:12] Is this something that you apply from the outside, or does a business invite you to take a look at them?

Doug Clare: [00:07:02:22] We're able to just look at it from the outside, and make a determination, and we can obviously offer that to the businesses if they're interested. There are really three use cases for this. One is for enterprise self-assessment - so if you're a CSO or a CEO or a board member and you want to understand what the risk level is for your organization, and what some of the primary factors of risk are, that's a use case we can support.

Doug Clare: [00:07:31:24] We can also support the ability for third parties to make that assessment. Now in that case, we're very careful about what we share. We don't share a lot but we can tell you what the score is of a third party organization, if they're a vendor of yours, part of your supply chain, or if you're an insurance underwriter and you're looking to bind breach insurance coverage for an organization, we're able through the score, to convey relative risk level to you for that purpose.

Dave Bittner: [00:08:04:11] And so again, going back to my consumer score, if I have a problem or something that I disagree with, can I come to you and say, "Hey, I don't think this is accurate and here's why?"

Doug Clare: [00:08:13:10] Yes you can, and we've recently done some work with a bunch of organizations. This was an initiative that was initially spearheaded by some of the large banks who were asking that very same question. We've worked to establish some principles around this that organizations who provide these ratings, FICO being one of them, can adhere to, that will allow that interaction to take place. The principles are geared around best practices with respect to transparency, confidentiality, ability to remediate, and quality of models and model governance that underpin these scores, so that I think a couple of very important things can happen.

Doug Clare: [00:08:59:16] A, people can have confidence that the scores are empirical, that they're not biased, and that there is recourse if there are disagreements or if there are errors, they can be quickly corrected and the right information can be leveraged.

Dave Bittner: [00:09:16:05] That's Doug Clare from FICO.

Dave Bittner: [00:09:20:02] Criminals have hit another Ethereum initial coin offering. On Sunday about $8.4 million in VERI tokens were stolen from the ICO.

Dave Bittner: [00:09:29:12] After last week's theft of $32 million in Ethereum cryptocurrency via a flaw in the wallets' contract, the White Hat Group said they intended to rescue and return Ether exposed to the same vulnerability. We were skeptical, but our skepticism was misplaced. Apparently the White Hat Group is proving as good as its word. Motherboard reports the White Hat Group obtained control of about $208 million in Ethereum assets, and will finish returning the funds Monday.

Dave Bittner: [00:09:59:18] Black Hat, Defcon, and BSides are all on this week in Las Vegas. We'll be offering some updates from the events. In the meantime, if you're there, do be careful. The environment is a little like a saloon from an old Western movie, so watch your virtual back, buckaroos! Profit from the presentations and your visits to the floor, but don't connect any USB drives or other media you find lying around.

Dave Bittner: [00:10:22:20] And be aware that one of the demonstrations at Defcon will involve the hacking of a smart gun. This particular model, an Armatix IP-1 automatic pistol, is supposed to be fireable only when the user is wearing an Armatix watch that functions effectively as an authentication token. But there are two catches. First, the researcher, who goes by the nom de hack "Plore," has demonstrated that it's possible to block the pistol from being fired even if the authorized user is wearing the watch and holding the weapon. Signals can be interfered with. Second, Plore has also shown you can override the safety by putting a couple of dime-store magnets alongside the barrel. They'll move the electromagnetic servos that were holding the weapon on safe, and the firing pin is free to use. Magnets - freaking magnets!

Dave Bittner: [00:11:17:06] Now some news from our sponsor, Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, Trojans, and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place.

Dave Bittner: [00:11:45:16] It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. We thank Cylance for sponsoring our show.

Dave Bittner: [00:12:16:21] I'm pleased to be joined once again by Emily Wilson. She's the Director of Analysis at Terbium Labs. Emily, personal information gets sold a lot online in the dark web, which is one of your areas of expertise, and we're sort of pondering, what counts as personal information these days?

Emily Wilson: [00:12:34:03] Yes, I think this is something plenty of people are talking about, not just me. I think we're seeing a shift over time naturally as we move, I think especially into questions about things like biometric tokenization. Thank you Apple for being able to read my fingerprint. I was thinking about this as a result of some of the recent point-of-sale breaches from some different retailers or food service locations - Arby's and Chipotle come to mind. They have these point-of-sale breaches, information is lost, but they put out press releases and they frame it as, "Hey, don't worry, no personal information was compromised."

Emily Wilson: [00:13:13:16] OK, I buy that to a certain extent, these are not health records, this is a skimmer, so you're probably not going to get full cardholder information off of it. But what makes personal information? Is it that we're saying credit card numbers aren't personal information because they're easily changeable and they're not going to impact you so much because you're not going to bear the burden of the fraud?

Emily Wilson: [00:13:38:02] Well, how does that change something like a home address? If you move every year to a new apartment, is it only personal information when it's actively yours? Where do we draw the line?

Dave Bittner: [00:13:47:22] For example, a phone number. That's easy enough to change.

Emily Wilson: [00:13:51:03] Sure. You may have a series of phone numbers. Are they all personal? Is your work phone number less personal? What about your conference line? What counts as personal information? I don't think there's a clear answer. I think this is an ongoing discussion, but I think it's interesting that these companies are coming out and saying, "Hey, don't worry, your personal information wasn't compromised - just your financial information that's tied to you personally."

Dave Bittner: [00:14:18:02] Well, and certainly anyone who's been through having to change a credit card that you've been using for a serious amount of time, that is a real annoying thing to have to do. It's not fun.

Emily Wilson: [00:14:30:13] No, it is disruptive to say the least.

Dave Bittner: [00:14:33:17] Yes. Speaking of the credit card, I wonder if some of it is, who carries the burden of the change? Because with the credit card, the credit card company will sometimes detect it and just deactivate your card and send you a new one with a phone number. That's not going to happen.

Emily Wilson: [00:14:52:05] Right. A phone number, that's definitely on you, and I think if you're dealing with a phone number or a home address, even a credit card number, there's a certain point at which it may not be tied to just you as an individual. You may have partners or family members who are also connected to that. At what point does it become more impactful? Say you need to change a home phone number, people still have those, I am told, or an address. At that point it's not just your information, it's not just your email address. You're dealing with details that are tied to more than one person, or if it's company information, that makes it even messier.

Dave Bittner: [00:15:33:10] Right. It's an interesting thing to ponder. Emily Wilson, thanks for joining us.

Dave Bittner: [00:15:41:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially our sustaining sponsor, Cylance. You can find out more about how Cylance can help protect you through the use of artificial intelligence at

Dave Bittner: [00:15:54:02] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.