The CyberWire Daily Podcast 9.18.17
Ep 436 | 9.18.17

Russian dogs not yet barking in German elections. ISIS is doing a lot of howling at lone wolves. Equifax updates. CCleaner found unclean. OurMine hacks Vevo to avenge its honor.


Dave Bittner: [00:00:01:04] We got a bunch of new Patreon subscribers last week, I want to thank you all for signing up, it really does help us do what we do and keep the doors open, so, we truly appreciate it. It's at, we'll hope you check it out, thanks.

Dave Bittner: [00:00:17:06] Germany will hold elections Sunday, and the Russian cyber operators seem quiet, too quiet. Switzerland and Singapore both report sustaining state sponsored cyber espionage attempts. ISIS howls for its lone wolves to hit soft targets. The Equifax breach news isn't getting any better. Cisco finds a back door in an Avast security product. OurMine hackers hit Vevo to redress an insult delivered over LinkedIn.

Dave Bittner: [00:00:47:24] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future's user conference, RFUN 2017, is coming to Washington DC October 4th and 5th, 2017. The sixth annual edition of this threat intelligence conference, brings together the talented diverse community of analysts and operational defenders who apply real time threat intelligence to stay ahead of adversaries. And, since it's real time threat intelligence, you know it's organized by Recorded Future, the people who know a thing or two about collection and analysis. Recorded Future's customers, partners and threat intelligence enthusiasts are cordially invited to attend RFUN 2017. Improve your analysis, stay ahead of the cyber attacks by learning about the latest threat intelligence techniques and best practices and say hello to us, the CyberWire will be there and podcasting from the floor on the 5th. If you're a threat intelligence enthusiast and really, who among us isn't? Register now at and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:55:24] Major funding for the CyberWire Podcast is provided by Cylance, I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, September 18th, 2017.

Dave Bittner: [00:02:06:02] As Germany prepares for Sunday's federal elections, the country remains on high alert for last minute Russian election meddling. This is especially true after reports of vulnerabilities in the nation's electronic voting systems led people to fear manipulation of the count, and after episodes of apparent attempts at influence operations earlier this summer.

Dave Bittner: [00:02:26:02] But so far, with the election less than a week away, the mystery is that Russian influence operations and attempts at disruption have fallen off dramatically. So the dog isn't barking. It's unknown whether this is because Russian involvement in the election is a myth, basically this is the official Russian position, well represented in the media by RT, but taken seriously by few, or because German security measures have been remarkably effective during the electoral season's endgame, or for some other reason.

Dave Bittner: [00:02:56:08] Switzerland's Defense Ministry has announced that it detected and blocked "state sponsored" attempts at intruding into the ministry's networks. The incident, said to have occurred in July, isn't attributed to any specific nation, but sources suggest that it showed similarity to Turla activity. Turla has been connected by many security researchers with Russian espionage services.

Dave Bittner: [00:03:19:18] Singapore's government has also said that an unnamed agency was probed by a foreign cyber espionage campaign late last year. Sources don't name the state suspected, but said that it was one that had hitherto not been particularly active in the East Asia and Pacific region.

Dave Bittner: [00:03:37:11] ISIS has claimed responsibility for Friday's fizzled but damaging bombing in London's tube. The ISIS "soldier" suspected in the attack is in custody, apparently tracked down in large part because security cameras, practically ubiquitous in London, followed him and his distinctive red hat away from the scene of the attack.

Dave Bittner: [00:03:58:13] Last week officials of the US Department of Homeland Security said that recent hurricanes had raised US vulnerability to terrorist attack. Resources are stretched thin, law enforcement and first responders are coping with damaged infrastructure, and large concentrations of potential victims are crowded into necessarily weakly secured emergency location sites, and ISIS appears primed to take advantage of the natural disasters. The Caliphate has been howling to its lone wolves over Twitter to point out the opportunity they have to strike. Law enforcement authorities are calling the chatter more aspirational than operational, but they're watching it closely.

Dave Bittner: [00:04:38:09] ISIS continues to lose ground in its core areas of operation. Indeed, the physical territory it can be said to control has largely vanished under military pressure. Even ISIS rivals in the region, like the more-jihadist-than-ISIS- hard-core represented by, Hayat Tahrir al-Sham, are fragmenting under external pressure and internal dissent.

Dave Bittner: [00:05:00:03] This seems to have had the effect of causing jihadist extremism to metastasize outside the Middle East. General Joseph Votel, Commander of US Central Command, said last week that this was to be expected. In his closing keynote at last week's, Billington CyberSecurity Summit, he said, "As we've taken away the physical caliphate, a virtual caliphate has arisen. We need to defeat ISIS in cyberspace." He emphasized that ISIS was active mainly in attempts to shape the information environment, not in traditional hacking. Thus its concentration on inspiration, and the perceived necessity of finding some effective countermessaging. In the meantime, vigilance online would seem to be in order.

Dave Bittner: [00:05:45:09] Effects of the Equifax breach continue to expand, as do investigations. Some 400,000 individuals in the UK are now known to have been affected, as have an unknown number of Canadians. Canadian authorities have opened an investigation, as have at least 31 US states. The incident is now explained unambiguously as exploitation of a known but unpatched Apache Struts vulnerability.

Dave Bittner: [00:06:10:18] Equifax has attracted generally bad reviews not only for a failure to patch, but even more so for its slow disclosure and less than fully successful incident response. The public communications aspects of that response have been notably poorly executed. The company has been punished in the stock market, with its share price down sharply since the breach was disclosed on September 14th. That drop may have reached at least a temporary bottom today, as the stock as of this writing, appears to be trading sideways.

Dave Bittner: [00:06:42:16] The effects of the breach are being felt elsewhere in the sector, as representative, Carolyn Maloney, a Democrat from New York, has asked the CEOs of rival credit reporting agencies Experian and TransUnion for details of their own security measures. Congressional dissatisfaction with credit bureau security seems clearly bipartisan, "just awful," is how the Republican chair of the House Energy and Commerce Committee characterized some of the poor digital hygiene revealed under the scrutiny prompted by the breach. Representative Greg Walden, a Republican from Oregon, was commenting specifically on the use of, "Admin" as the password on administrative accounts, but he also offered a foreshadowing of what's likely to come next: "You can't stop stupidity. You can't legislate against it, but you can hold people accountable for it."

Dave Bittner: [00:07:34:11] Cisco reports that Avast's CCleaner security product, version 5.33, was infected with a multistage back door, apparently introduced in the supply chain. Cisco's Talos research group observed suspicious activity from the CCleaner app, and, upon investigation determined that when the app was downloaded its installation executable was signed with a valid digital signature. CCleaner, however, wasn't the only application that arrived in the download. It was accompanied by a malicious payload that included both a Domain Generation Algorithm and hardcoded command-and-control functionality. Talos reads this as an indication that somewhere along the line the development or signing process was compromised. The security company recommends that users of the Avast product either restore to it its pre-August 15 state or upgrade to version 5.34.

Dave Bittner: [00:08:29:06] We're spending tomorrow with our friends and neighbors at the Johns Hopkins University, as we attend the fourth annual Cyber Security Conference for executives. Watch for live tweets tomorrow and coverage this week.

Dave Bittner: [00:08:41:10] We launched Research Saturday this weekend, a new weekly podcast that concentrates on current research in cybersecurity. The first edition was a conversation about the Cobian RAT with Deepen Desai, senior director of security research and operations at Zscaler, we hope you'll give it a listen.

Dave Bittner: [00:08:59:05] Finally, the phony gray hats of OurMine have gone after Vevo, breaching the video service and offering to leak over three terabytes of stolen data, most of which strike observers as fairly anodyne, neither sensitive, nor discreditable, nor even valuable. It was, however, a breach, as Vevo acknowledged, and that in itself is embarrassing.

Dave Bittner: [00:09:19:19] The motive for the attack seems to be petty, it's apparently revenge for the disrespect and consequent wounded self regard OurMine says it suffered from a Vevo employee who was rude to them on LinkedIn. So when we say "phony gray hats" with "petty motives," we mean that in the nicest and most respectful way possible.

Dave Bittner: [00:09:43:21] Time for a message at our sponsors at E8, we've all heard a great deal about artificial intelligence and machine learning in the security sector and you might be forgiven if you've decided that maybe they're just the latest buzz words. Well, no thinking person believes in panaceas but, AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics, you can't recognize the anomalies until you know what the normal is and machines are great at that kind of baselining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at the technologies that have both future promise and present day pay off in terms of security. When you need to scale scarce human talent AI and machine learning are your go to technologies. Find out more at and we thank E8 for sponsoring our show.

Dave Bittner: [00:10:47:03] And I'm pleased to welcome a new partner to the CyberWire Podcast, Chris Poulin is Principal at Booz Allen Hamilton Strategic Innovations Group, he heads up their internet of things security group at Booz Allen. Chris, welcome to the show.

Chris Poulin: [00:10:59:17] Oh, thanks for having me.

Dave Bittner: [00:11:00:16] Well, as, as we do when we welcome someone new, we want to start off with just some introductions so why don't we learn a little bit about you, why don't you tell us about your career path? What led you to cyber security?

Chris Poulin: [00:11:11:09] Okay, so it's interesting, I will say, as an inflection point about five years ago, the thing that my entire career had been waiting for was when information security converged with physical security. So, I actually started life in the US Air Force, way back when, working on satellite systems and, under the National Reconnaissance Office, which you couldn't say back then, by the way, and then I left the Defense Department and started my own business, grew that, so information security and then I went to work for a startup, Q1 Labs, who makes a security and event management system that was, eventually, bought by IBM and I actually thought that I was not going to enjoy being part of a 450,000 person company but I realized, being an entrepreneur that you are effectively in a country that is under an organizational name of IBM. So, I struck out and sort of made my way and that's, effectively when the IOT came around and so I started to work in connected cars and also taking a little bit of machine learning or, cognitive computing as IBM likes to call it.

Chris Poulin: [00:12:16:18] And then, after about five years, I saw a good opportunity to jump to Booz Allen Hamilton and help to build up their capabilities in what we're calling, connected products, which is effectively connected cars, medical devices, building controls, so the cyber aspect of that for the commercial markets as well as some defense market. My particular focus is commercial despite my entry into the Department of Defense, way back, early in my career.

Chris Poulin: [00:12:44:01] And I also work with the industrial control systems cyber team as well as some of the chain learning folks over here in Booz Allen Hamilton. So, I'm sort of a master of everything but I excel where physical and digital come together.

Dave Bittner: [00:12:57:24] So, what's a typical day for you, what are you doing on a daily basis there?

Chris Poulin: [00:13:01:23] So, well I have a mix of management and technical responsibilities and so, there's sort of a three legged stool that my responsibilities take the form of and so, part of it is actually working with what we call our dark labs team. We have a team of engineers who actually take the trade craft from some of our defense work and they bring it over into our dark lab. And they'll do things like take apart cars and try to find weaknesses in them. They're very good at taking firmware and extracting it and reversing it so. You know, it's funny, because there was one engineer a long time ago, who told me that he wasn't particularly good at writing code but he was really good at reversing it and so it turns out that we have a fair amount of people who actually do that kind of work. And interestingly, by the way, they also because of our defense work, they have been involved in, not only the defensive side, which I'm used to on the commercial side but also offensive trade craft as well, so they get to see it from both sides of the coin. And then I also manage the work, that's part of my job is to move things around and lead people and a little bit more banal, but at the same time, you get to see the fruits of your labor.

Chris Poulin: [00:14:13:13] Working with the commercial teams and clients is sort of another aspect of that, because you always have to keep in touch with what clients are asking for. And then the last thing I do a fair amount of, as you can see from this particular podcast, is I do a lot of evangelism. So, I go out and speak and talk and try to take both what we're learning from our labs and from our clients and bring them out to the general public to inform them with as little fear, uncertainty and doubt as possible. That's sort of my bugaboo, fear and uncertainty is what I call it by the way, I'm not sure where doubt fits in there, but yes, fear and uncertainty.

Dave Bittner: [00:14:46:11] All right, Chris Poulin, welcome to the show, glad to have you.

Chris Poulin: [00:14:49:06] Thank you.

Dave Bittner: [00:14:52:15] And that's the CyberWire, thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit We want to send out a big thank you to the folks over at Treehouse, they are the technology education website. They asked their community of over 163,000 students across the world what their favorite tech podcasts were and, wouldn't you know it, the CyberWire made the top ten. So, thanks Treehouse for the recognition, makes us feel good.

Dave Bittner: [00:15:22:14] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik. Social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.