The CyberWire Daily Podcast 8.11.17
Ep 411 | 8.11.17

HBO offered Mr. Smith a bug bounty, but no takers. Fancy Bear's in hotel Wi-Fi. DNC leak argument resumes. Locky and Mamba ransomware are back. ISIS on eBay. NotPetya arrest. WikiLeaks dumps more from Vault7.


Dave Bittner: [00:00:01:08] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:19] Mr. Smith turns down HBO's offer of a $250,000 bug bounty. Fancy Bear uses EternalBlue tools against hotel Wi-Fi networks. An argument over who leaked DNC emails last year flares again. New versions of Locky and Mamba ransomware circulate in the wild. The US Department of Defense is ready to use rapid acquisition to buy cyber tools and services. The FBI says a Maryland man used eBay and PayPal to receive ISIS funds for possible terror activity. Ukraine makes an arrest in the NotPetya case and WikiLeaks dumps the video intercept to "CouchPotato."

Dave Bittner: [00:00:55:12] We've got a quick note from our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Those of us of a certain age remember when Sky-net achieved self awareness and sent the terminator back to 'take care of business' but that's science fiction. The artificial intelligence and machine learning that E8 is talking about isn't science fiction at all and it's here today. E8's white paper available at can guide you through the big picture of the still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and Machine Learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:49:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 11th, 2017.

Dave Bittner: [00:01:59:14] The HBO hacker or hackers going by "Mr. Smith" released an email yesterday from HBO that offered them, Variety reports, a 'bounty payment' of $250,000 as part of a program in which 'white hat IT professionals' are rewarded for 'bringing these types of things to our attention' Mr. Smith wasn't buying - the hackers want millions. So it appears that one of the following happened: either HBO offered ransom covered by the fig leaf of a bug bounty, or HBO hoped to finesse the hackers into becoming harmless white hats, or HBO hoped to wrap them up for delivery to law enforcement. Whatever was going on, the hackers spit the hook and called Variety.

Dave Bittner: [00:02:41:09] "Mr. Smith's" demand for a salary is curious but an article in the Register suggests some interesting background. The ransom note HBO received indicated that "Mr. Smith" has an annual budget of $500,000 which it uses to buy zero-days. So they're investing in tools that will enable them to compromise corporate networks, which would make them a zero-day broker gone rogue, using tools themselves as opposed to selling them to, for example, governments who might want them for lawful intercept purposes. In any case, HBO and "Mr. Smith" appear for now to be at an impasse.

Dave Bittner: [00:03:17:15] Fancy Bear is back in the news. FireEye reports that the threat actor who comes courtesy of Russia's GRU has undertaken an ambitious program of spying on "high-value hotel guests" through hotel Wi-Fi systems. Fancy Bear is apparently using EternalBlue tools, believed to have leaked from NSA, and posted on-line by the ShadowBrokers, to propagate surveillance code across targeted networks.

Dave Bittner: [00:03:43:07] The attacks, which affected "moderately high-end" hotels in seven European and one Middle Eastern capital, began as usual, with phishing. Once access was gained by phishing, the attackers used EternalBlue to move swiftly through the networks and then, once the servers were compromised, installed the Responder tool. Responder both monitors traffic across a network and harvests credentials from machines connected to that network.

Dave Bittner: [00:04:09:24] FireEye began noticing the hotel attacks in late 2016. They say an important piece of circumstantial evidence pointing to Fancy Bear is the discovery of two GRU-connected malware strains, GameFish and XTunnel, installed on victim devices. The company also says it's got more dispositive evidence in the form of observations they've made of the incidents' command-and-control, but for now FireEye is holding that evidence close.

Dave Bittner: [00:04:38:20] Fancy Bear, along with its FSB colleague Cozy Bear, are generally believed to have gotten into the systems of the US Democratic National Committee and the Clinton presidential campaign during the 2016 US election cycle. Emails damaging to both the DNC and the campaign were publicly exposed by WikiLeaks and it's been generally thought, on circumstantial grounds, that WikiLeaks got the material it released from Russian intelligence services. WikiLeaks' Julian Assange has denied this, but few have given the denials much credence.

Dave Bittner: [00:05:10:20] The principal alternative theory of the leaks is that they originated with disgruntled insiders, perhaps supporters of Senator Sanders' campaign. This has been largely a partisan theory, advanced by opponents of the Clinton presidential run. But this week both Bloomberg and the Nation, neither one a right-wing media operation (indeed, the Nation is decidedly left-wing) have reported that sources close to the US Intelligence Community, some of whom are described as retired intelligence officers, say there's in fact considerable forensic evidence that the material WikiLeaks received indeed came from disgruntled insiders. The DNC has told the Nation that they're disappointed in them: "U.S. intelligence agencies have concluded the Russian government hacked the DNC in an attempt to interfere in the election. Any suggestion otherwise is false and is just another conspiracy theory like those pushed by Trump and his administration. It’s unfortunate that The Nation has decided to join the conspiracy theorists to push this narrative."

Dave Bittner: [00:06:12:08] Bloomberg View argues that the theory and the evidence behind it are worth a look. The sources, Bloomberg notes, have names and reputations, and while there's a great deal of evidence pointing toward Russian intelligence services, it's certainly possible that more than one actor was interested in DNC emails. The names and reputations of the Nation's sources, members of Veteran Intelligence Professionals for Sanity, may be controversial but Bloomberg View's op-ed piece thinks them worthy of at least a hearing.

Dave Bittner: [00:06:42:15] In more ordinary crime news, two familiar strains of ransomware have resurfaced in the wild. Both Locky and Mamba are out in an enhanced, more virulent form. Mamba is best known for encrypting entire drives. It's been active mostly against targets in Brazil and Saudi Arabia. Locky has seen widespread distribution. It's now being carried in a large, malicious spam campaign.

Dave Bittner: [00:07:08:04] In the US some Defense Department rapid acquisition tools are coming into use. Both DIUx and SCO have received enhanced purchasing authority. US Cyber Command will begin using its rapid acquisition authority by the end of September. These are of particular interest to the security industry, since these more agile procurement methods are designed to get quickly advancing technology into the hands of operators. Security tools figure prominently among the products the Department of Defense has in mind.

Dave Bittner: [00:07:39:08] An unsealed FBI affidavit says that a Maryland man, arrested last year in connection with alleged ISIS activities, was involved in using eBay and PayPal to siphon cash to the terrorist group. Mohamed Elshinawy, a US citizen, is alleged to have "pledged allegiance to Islamic State". The FBI says he had run bogus printer sales on eBay as a cover for his receipt of ISIS money through PayPal. The funds, the Government alleges, were probably intended to have been used in terror operations in the US.

Dave Bittner: [00:08:12:06] Ukrainian police last week arrested a man in Nikopol for distributing NotPetya. The arrest of the fifty-five year-old unnamed man was announced by the cyber division of Ukraine's national police last Saturday.

Dave Bittner: [00:08:25:21] And, finally, WikiLeaks' weekly dump from Vault7 features documents covering "CouchPotato," said to be a CIA tool that remotely collects video streams. One has to give credit where credit is due: CouchPotato is a nice name for a tool that lets you sit back and watch…whatever those video streams are showing. Investigation into where WikiLeaks is getting the contents of Vault7 proceeds, but so far without publicly disclosed results. And, of course, the same can be said of the ShadowBrokers, who are expected to resurface around the end of the month.

Dave Bittner: [00:09:02:12] A word about our sponsor, the upcoming Cybersecurity Conference For Executives. The Johns Hopkins University Information Security Institute and Compass Cybersecurity will host the event on Tuesday, September 19th, in Baltimore Maryland on the Johns Hopkins Homewood Campus. The theme this year is emerging global cyber threats and the conference will feature discussions with thought leaders across a variety of sectors. You can find out more and register at Learn about the current and emerging cybersecurity threats to organizations and how executives can better protect their enterprises data.

Dave Bittner: [00:09:37:19] One of the keynotes will be presented by the Johns Hopkins University Stephanie Reel, who will discuss the ins and outs of managing security in a hybrid organization. She'll draw on her Hopkins experience of the challenges faced by a world leading research university that's also a world leading health care system. You can check out the details at and we thank the Cybersecurity Conference for Executives for sponsoring our show.

Dave Bittner: [00:10:09:24] And I'm pleased to be joined, once again, by David Dufour. He's the Senior Director of Engineering and Cybersecurity at WebRoot. David welcome back! We wanted to go through some of the basics today, some of the nuts and bolts sort of basic cyber hygiene that you think people should be paying attention to.

David Dufour: [00:10:26:09] You bet and David thanks for having me back and, you know, with WannaCry and all of this going around ransomware, I thought it would be good if we could just talk about your basic security tool box and some very simple things that would have prevented you from being, you know, a victim of, WannaCry. A little anecdote I'd like to talk about is, you know, everybody wants to find ways to, you know, reduce traffic accidents and things like that but the number one way is if we all just drove 55, there'll be fewer accidents right?

Dave Bittner: [00:10:57:09] Right. Put on your seatbelt, right?

David Dufour: [00:10:59:04] Exactly, it's that simple. So in the cybersecurity world, I always am excited to talk about the new machine modeling or new ways of identifying threats, but it's the mundane things David that actually do the most benefit for us.

Dave Bittner: [00:11:15:21] What kinds of things are we talking about here?

David Dufour: [00:11:18:04] Making sure you're got off-line backups so that those backups can't get encrypted by ransomware. This would be backups of important files. You know, the world can't live without all those selfies of you David...

Dave Bittner: [00:11:28:09] [LAUGHS]

David Dufour: [00:11:28:19] we need to make sure they're backed up.

Dave Bittner: [00:11:30:16] It's true.

David Dufour: [00:11:31:07] In addition to that, we want to make sure we're applying regularly the security patches for our operating system, whether that be OSX, whether that be Windows. Having those latest up to date security patches, having backups, you know, Ransomware, the WannaCry issue, you, you wouldn't have even felt it because you would have been prepared to recover from it.

Dave Bittner: [00:11:52:09] And why do you think people have ongoing consistent trouble with this? It seems like we say this over and over again and yet time and time again people aren't taking care of these things.

David Dufour: [00:12:03:07] Probably it's kind of like going to the gym. You have good intentions but, trying to get there is the hard thing. It's boring, it's mundane, it's something you have to keep up with all the time. If you do that and you keep a good anti-virus software up to date, you're going to mitigate almost every security problem that you will come across.

Dave Bittner: [00:12:21:09] Right, good advice. David Dufour, thanks for joining us.

Dave Bittner: [00:12:28:22] Now a few words about our sponsor Domain Tools, the company that helps security analysts turn threat data into threat intelligence. They've got some new insight into DNS Forensics, which as they explain in the new white paper, is where intuition needs experience. Their integration of human and machine intelligence brings into high belief the footprints intruders into your networks leave behind. Go to to learn more. Domain tools takes indicators from your network and connects them with nearly every act of domain on the Internet. Fortune 1000 companies, global government agencies and leading security solution vendors use the Domain Tools platform to investigate and mitigate threats. Find out more by going to To learn about the leverage the domain name system can bring to your investigations of virtually every cyber attack that's snuffling around in the wild today, check out And we thank Domain Tools for sponsoring our show.

Dave Bittner: [00:13:36:19] My guest today is Barmek Maftah, he's the President and CEO at AlienVault. A cybersecurity company that claims to be on a mission to provide organizations throughout the universe with highly intelligent security that is affordable and simple to use. He's been at the helm there since 2011 and before that served as Vice President of the Enterprise Security Product's Division at HP. He has over 20 years experience in the industry.

Barmek Maftah: [00:14:02:03] I think the big change is the trend towards integration, orchestration and simplicity in cybersecurity. I think, you know, for a long period of time the industry is focused on inventing point products to counteract threat vectors that we've observed over the last 20, 30 years and the problem has become the explosion of these point products and it's very evident. I think the easiest way to see that is walk the show floor as a black cat or RSA and you see sort of the exponential growth of how many cybersecurity companies are out there and they're all doing great stuff. But the unfortunate truth is that the majority of the companies out there just don't have the skill set, the talent, the affordability to be able to glue and integrate all these point products together to come up with more of a comprehensive end to end security story for their company.

Barmek Maftah: [00:15:01:20] And so, you know, the big trends that we're seeing is around orchestration, integration and simplicity in making the complex problem of security more simplified and then also on the threat intelligence side, we're seeing a lot of collaboration in terms of how we can bring the community together to share threat intelligence and threat data more effectively.

Dave Bittner: [00:15:23:08] So, if I'm someone who's walking around on a show floor and I'm trying to balance my need for simplicity, but also not wanting to put all my eggs in one basket in terms of relying on a single vendor, what do you think the best way for me is to approach the sort of tension between those two needs?

Barmek Maftah: [00:15:44:07] It's a great question. In fact, I would actually further that question, because the other question I get often is, you know, if you air on the side of orchestration, simplicity and integration are you going to sub-optimize best of breed approaches to security? So let me address those two. So, the first is sort of the single vendor approach to security, which is more of an all in one approach, and I actually don't believe in that. I think you can have an orchestrated and integrated approach to security without necessarily putting all your eggs in one basket. The analogy I would use is the operating system. So, you typically use one operating system or the other. There's probably about five or six, you know, main operating systems out there, but that doesn't mean that you have to buy your applications from the same vendor over and over again.

[00:16:31:09] In fact, the app store in the case of Apple is full of applications that are from hundreds of thousands of vendors out there and so, you know, what we promote at AlienVault is more of an approach of, you know, having one underlying orchestration platform which is very analogous to an operating system, but then give the ability through a very well defined extensibility layer, again, like an operating system, to third party members to be able to build security controls because these threat factors aren't going to be the same and the hackers will invent new threat vectors. So, there ought to be a way for security vendors to create innovative solutions around both security protection, security detection, security response but without the need to constantly change the infrastructure over and over again. The biggest cost of security for any company is the infrastructure and the operational cost of security of how do you have the security controls talk together in a coherent, integrated, orchestrated way.

Barmek Maftah: [00:17:33:12] So, you know, there is a way to come up with a very elegant, I would argue, cloud driven orchestrated platform and still give the security vendors the ability to innovate and come up with their security controls, because those security controls will change on an ongoing basis. On the second thread, you know, this argument that if you make security orchestration and integration elegant and simplified and, I would argue, affordable so that every company can enjoy security end to end, somehow you're sub-optimizing on the security controls and you make the security controls not as good as to breed. It's just a false argument right, because the side of the brain that makes something very elegant and simple doesn't have to necessarily cease to function to make each security control also extremely good and strong compared to the alternatives.

Barmek Maftah: [00:18:24:20] So, you know, we would argue you could have an orchestrated approach to security, an integrated approach to security, ideally cloud driven, so it makes it really easy and affordable for people to use and not necessarily sub-optimize on the integrity, the strength of each of these security controls that you're building.

Dave Bittner: [00:18:42:01] As you look ahead toward the horizon, what are some of the challenges that you see coming towards us, perhaps things that we don't have to deal with today yet and how do you think, as an industry, we're going to have to adapt to face them?

Barmek Maftah: [00:18:55:04] Well, you know, the good news is because of the prevalence and, more importantly, because of the press that a lot of these breaches are getting, the awareness around security is exponentially increased. I mean I entered the cybersecurity world late 2002, early 2003 and I've got to tell you, over the last 15, 16 years the awareness around security compliance governance has increased dramatically and, as you probably have heard from other people, the role of the CISO has been elevated exponentially in the organization. So, I think the first step is, you know, the treatment of security and risk around IT at the same level that a company would treat risk as it's applied to its own existence and so that's great, you know, that you're getting that position elevated. It's a board level agenda item now and all that stuff is great.

Barmek Maftah: [00:19:55:01] So I think we're actually going towards the right direction, which is the elevation of security and risk basically at the highest level.

Dave Bittner: [00:20:03:12] Our thanks to Barmek Maftah for joining us. There's an extended version of this interview available exclusively to our Patreon subscribers at patreon/com/thecyberwire.

Dave Bittner: [00:20:19:04] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out more about how Cylance can help protect you using artificial intelligence, visit Don't forget that one of the best ways you can help support our show is to leave a review on iTunes. It really does help people find the podcast. The Cyberwire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.