The CyberWire Daily Podcast 9.7.17
Ep 429 | 9.7.17

DragonFly 2.0 in power grids. Cyberespionage in the South China Sea. Russian Facebook ads. "Fake News" survey.


Dave Bittner: [00:00:01:07] If you are in a financial position to do so, we hope you'll consider supporting our show by going to Thanks.

Dave Bittner: [00:00:12:19] DragonFly 2.0 is up to some very bad things in several nations' power grids. China ramps up cyberespionage against South China Sea rivals. Facebook finds that a Russian front company bought more than $100,000 in influence-ops ads on its service over the last two years. US info ops stumble over a dog and a Japanese 13-year-old is in hot water for trying to sell malware.

Dave Bittner: [00:00:42:07] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence, unless maybe it's machine learning, but it's not always easy to know what these could mean for you. So go to and see what AI and machine learning can do for your organization's security. In brief, they offer not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts: let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do it. So visit and see how they can help address your security challenges today, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:40:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 7th, 2017.

Dave Bittner: [00:01:49:12] The warnings about DragonFly sounded this week by Symantec continue to reverberate. It amounts, observers say, to a sabotage warning, since the threat actor is believed to have established access to operational networks controlling the power grid. The US, Switzerland and Turkey are said to be particularly heavily infested. A nation-state is said to be behind DragonFly; which nation-state hasn't yet been publicly identified.

Dave Bittner: [00:02:16:06] DragonFly's been seen before, starting in 2014, as we're reminded by Moreno Carullo of Nozomi Networks. He commented to us that the earlier wave of DragonFly heavily targeted pharmaceutical firms. He said, "DragonFly 2.0 appears to have been weaponized to specifically target industrial control systems' field devices and then feeds that information back to the command and control server which will be monitored by the attackers."

Dave Bittner: [00:02:44:02] He notes that DragonFly 2.0 is patient. He said, "Rather than installing an infection immediately, this latest iteration of DragonFly bides its time, waiting eleven days before automatically installing a ‘backdoor’. Using this new entrance, the attacker can then install or download applications to infected computers, particularly targeting Windows XP with known vulnerabilities and even circumventing permission restrictions on user accounts."

Dave Bittner: [00:03:12:13] Carullo says that research by Nozomi supports the conclusion that DragonFly 2.0 is exploring ICS networks in depth and that such knowledge could readily be used to disrupt operational networks.

Dave Bittner: [00:03:25:19] Representatives of the electrical power industry at the Intelligence and National Security Summit made the familiar point that there are no easy solutions to this threat. It's an aspect of risk that must be known and managed. Those we heard speaking made two points. First, when the power industry talks about intelligence, they're talking about the intelligence they themselves develop, they're not waiting to be fed by Government, although they welcome cooperation with and assistance from Government. Second, they reject the notion that security should be something that affords a company a competitive advantage and they advocate sharing intelligence within the sector as much as possible.

Dave Bittner: [00:04:04:10] Votiro, Fortinet, and FireEye re-emphasize findings that groups associated with Chinese intelligence services are working actively against countries with whom China is disputing territorial claims in the South China Sea: Indonesia, the Philippines, and Vietnam, especially Vietnam.

Dave Bittner: [00:04:24:04] Facebook says that over the last two years between $100,000 and $150,000 in some 3,000 Facebook ads were placed by the Internet Research Agency, a St. Petersburg outfit known to operate on behalf of the Russian security and intelligence organs. The topics the ads addressed were characterized as "divisive," concentrating on race, immigration, equal rights and so on.

Dave Bittner: [00:04:48:04] $150,000 is not much in terms of advertising dollars. If it was a Russian ad buy aimed at disruption, then Moscow achieved a spectacular return on its investment. Some, like Virginia Senator Warner, who addressed this news at the Intelligence and National Security Summit this morning, are calling this "the tip of the iceberg." The ads were fairly well distributed across the political spectrum, not, apparently, pushing any consistent viewpoint, but rather they were evidently placed to exacerbate the worst tendencies of those who might read them.

Dave Bittner: [00:05:21:07] The US continues its minor stumbles over information operations. Anti-Taliban leaflets dropped in Afghanistan alienated their target audience by carelessly juxtaposing the Taliban flag, with a Koranic verse, and a dog, a ritually unclean animal.

Dave Bittner: [00:05:37:18] An international panel of counterterrorism experts at the Intelligence and National Security Summit discussed information operations by both state and non-state actors. In response to a question about developing technology that could monitor social media, they replied that the technology was already here, right in front of us. It's Facebook, Google and Twitter. They know the content that's transiting their networks. What they, or a government, might do with that knowledge, however, remains an open and contentious question.

Dave Bittner: [00:06:09:04] By now, we're all familiar with the phrase "Fake News" and the variety of ways it gets invoked. The folks at DomainTools wanted to get a snapshot of how cyber security professionals perceive fake news, so they conducted a survey this year at Black Hat. Kyle Wilhoit is a senior security researcher at DomainTools.

Kyle Wilhoit: [00:06:26:17] How does the fake news issue get solved? Realistically, a majority of the respondents to the actual survey had gone out and said that realistically this falls back on social media sites themselves. Meaning the Twitters of the world, the Facebooks of the world, they're the ones that actually would need to go out and write algorithms and figure out ways to help filter out some of this fake news. So that was one of the more interesting questions that we were asking, kind of surrounding this, and additionally, we had asked if the government needs to intervene and help to shut down these actual sites, and a majority of the respondents also had answered that the government does in fact need to intervene and shut down those actual websites. So, a couple of interesting data points there, just kind of gauging, again, what cyber security professionals are kind of feeling and what they view and how they view fake news in general. It's interesting, I didn't really expect it to kind of come out that way.

Dave Bittner: [00:07:23:01] There are some other interesting results from the survey. You had a significant percentage of people who thought that cyber is the current state of warfare. Explain that to us.

Kyle Wilhoit: [00:07:32:17] Yeah, so realistically, whenever we were asking, kind of, around the current state of cyber warfare, etc., we asked a specific question, essentially asking, "Are there specific reasons that you might view the United States, for instance, as being targeted, etc.," and many respondents were saying that the US realistically had the most to lose. Meaning from an intellectual property standpoint, it makes a very attractive target. Now, we're not necessarily downplaying other nations or other good information or other proprietary information that other nation states are generating; what the respondents seem to think is that, you know, the US realistically had the most to lose and that ultimately made them one of the more attractive targets.

Kyle Wilhoit: [00:08:15:06] Then we also asked, specifically, where we think, or where do you specifically think, that attacks will actually happen? And a majority of individuals in the actual survey had said that electricity generation systems were going to be, more than likely, one of the first assets to fall victim to an attack, and then closely following that was telecommunication systems.

Dave Bittner: [00:08:41:24] Was there any sense from the survey as to whether people think that things are getting better or worse in terms of our ability to protect against those types of attacks?

Kyle Wilhoit: [00:08:49:04] So really we didn't go into great detail as far as how they feel from a protection standpoint or if they feel that everything is good. But ultimately, what it boils down to is that a majority of the individuals, meaning 63 percent of the people, had mentioned that the cyber security architecture, or the lack of robust cyber security architecture, is one of the main driving forces that could cause one of those breaches, which again, I think is a pretty accurate assessment, a pretty accurate realization as to what's happening in the world. Also, what was also interesting was the simple fact that, from a policy perspective, many people think that inadequate policy is actually second or third in place behind inadequate security architecture. So most respondents to the survey had gone out and said, "Hey, we think that the security architecture is bad," but other respondents, meaning the second place, was inadequate policy. So other individuals are also realizing that there's policy gaps, there's policy issues, which I think is also accurate.

Dave Bittner: [00:10:02:17] That's Kyle Wilhoit from DomainTools.

Dave Bittner: [00:10:06:15] Google's September Android Security Bulletin addressed eighty-one bugs, thirteen of them critical remote code execution vulnerabilities.

Dave Bittner: [00:10:15:20] In other industry news, Webroot is welcoming a new CEO. Mike Potts will take over for Dick Williams, who's retiring after leading the Colorado-based cyber company through 14 consecutive quarters of growth. Best wishes to Mr. Potts and congratulations to Mr. Williams, enjoy your retirement.

Dave Bittner: [00:10:34:10] Finally, we're all for teaching kids to code, but kids, sometimes you go too far. Witness the 13-year-old Japanese boy who's come to the attention of the Nara Prefectural Police. The youngster was busy looking for a dark web market in which he could hawk malware he'd written. Boy, boy, these wild ways of yours will break your mother's heart.

Dave Bittner: [00:11:01:08] And now I'd like to mention an offer from our sponsor ThreatConnect, the experts in threat intelligence. Effective security depends upon a team that can make fast, sound decisions and put them into effect when and where they'll do the most good. ThreatConnect can explain how you can combine threat intelligence with analytics and orchestration to give your security teams the wherewithal to understand and parry cyber threats before they can take down your business. Register for their September 14th webinar at and hear what the experts have to say. Andy Pendergast, ThreatConnect's Vice President of Product, and Jon Oltsik, Senior Principal Analyst at the Enterprise Strategy Group, will bring clarity to the topic. That's and we'll see you there at 1pm Eastern on September 14th, and our thanks again to ThreatConnect for helping make today's CyberWire possible.

Dave Bittner: [00:12:00:23] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, we want to get back to some basics today and we want to talk about bit depth when it comes to encryption. Give us an overview, how does bit depth affect things?

Jonathan Katz: [00:12:17:06] Well, the strength of the key, or the strength of the encryption that's being used, is directly related to the length of the key. That's at least the case for symmetric algorithms like we're talking about here. And essentially if your encryption algorithm is good enough, then the only way to break it is to do a brute force search, or an enumeration of all possible keys that can be used. So if you have, let's say, a four bit key, that means you have two to the four, or sixteen, different possibilities, which isn't very much. If you have a 256 bit key, then the number of possibilities for the key is two to the 256, which is an astronomically large number, and essentially what that means is that every bit you add on to the key is going to double the difficulty of doing a brute force search for the key.

Dave Bittner: [00:12:59:14] So as computing power increases, is it inevitable that today's uncrackable encryption will be crackable in the future?

Jonathan Katz: [00:13:06:10] Well, that's a great question, and it turns out, actually, that you can do the calculation and you can find exactly how long it might take to do a brute force search over keys of a particular length. And for example, if you imagine that you have a computer that's capable of checking a key once every computer cycle, and it's been running, say, since the beginning of the universe, then it turns out, if you do the calculation, you can search through a 96 bit key space. So it looks pretty safe to say that we're not going to be cracking keys that long any time soon. And in fact you can even use the laws of physics to get an upper bound on how many keys you could potentially search through. There is a calculation online somewhere where, if you even extract all the energy coming out of the sun and do this brute force searching over the time scale of the universe, you can search through about keys of length 187 bits. So 256 bit keys look pretty safe until we start computing with things other than matter and energy.

Dave Bittner: [00:14:00:13] Alright, so we're safe for the time being, but why use a key that complex? Is there a computational penalty for using a key that's that complex?

Jonathan Katz: [00:14:11:10] Right, well, so everything I was talking about so far assumes that the best way to attack the system is a brute force search over the entire space of possible keys, and so from that point of view, a 256 bit key would protect you forever. The concern that people have, of course, is that the encryption algorithm may not be perfect; somebody five or ten years from now may come up with a method to break the encryption scheme that's slightly faster than brute force search. And so you want protection even in the event that people are able to kind of shave a few bits off the effective strength of the key. People are also concerned about the possibility of quantum computers that might be able to speed up the attack; the jury is still out over whether that's actually possible in practice. But the theory says that on a quantum computer, you can cut the effective key strength in half. So from that point of view, a 256 bit key would have only the strength of a 128 bit key against a quantum computer.

Dave Bittner: [00:15:00:16] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:15:05:12] And that's the CyberWire, for links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using artificial intelligence, visit

Dave Bittner: [00:15:22:15] Thanks again to all of our Patreon supporters, we do appreciate it. And if money is tight and you just can't afford to pony up a few bucks a month for the CyberWire, another way you can support us is by leaving a review on iTunes. It really is one of the best ways you can help people find our show.

Dave Bittner: [00:15:37:04] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner, thanks for listening.