The CyberWire Daily Podcast 9.20.17
Ep 438 | 9.20.17

German election update: nichts neues. Equifax breach. Viacom dodges a bad bucket. Like Sandworm, but from Tehran. Less than fully successful criminals.


Dave Bittner: [00:00:00:20] Don't forget that one of the benefits you get at the $10 per month level on our Patreon page is access to an add-free version of the CyberWire Podcast. You can check that out at

Dave Bittner: [00:00:15:15] No Russian dogs are heard barking in Germany, yet. Iran's APT33 turns from spying to sabotage. Equifax woes continue, but don't appear to include cover-up of an earlier breach. UpGuard helps Viacom dodge a cyber bullet. You may be party to a contract you didn’t know about. Criminal boneheads are again more common than criminal geniuses. And don't be a gazelle.

Dave Bittner: [00:00:45:06] Time for a message from our sponsor, Recorded Future. Threat intelligence enthusiasts will be joining Recorded Future in Washington, DC this October 4th and 5th. This annual conference, now in its sixth year, brings together the analysts and operational defenders who apply real-time threat intelligence to out-innovate the adversaries. So come and meet the Recorded Future team. They love chatting with new and old friends. Recorded Future cordially invites its customers, partners and all threat intelligence mavens to RFUN 2017. Share tips, insights and challenges; improve your analytical skills, hear from industry leaders and learn from the best. We'll be there too. We're going to be podcasting from the event on the 5th. Find out about the latest threat intelligence techniques and best practices. Register now at, that's RFUN. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:46:07] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire Summary for Wednesday, September 20th, 2017.

Dave Bittner: [00:01:57:08] The news from Germany, where federal elections are just four days away, is still the case of the Russian cyber-dog that didn't bark. German authorities have been bracing themselves for at least a year expecting a landslide of Russian influence operations, and perhaps hacking, as Moscow undertakes its expected campaign to tweak and delegitimize the Federal Republic's vote. But so far, nothing, not a bark, not a whimper, not a howl or a whine. Either nothing's in fact going on, or it just hasn't been discovered yet, or Vladimir Vladimirovich has a September surprise up his sleeve. We should know before the end of Oktoberfest.

Dave Bittner: [00:02:36:24] FireEye is describing an Iranian threat group, APT33, which has been operating since 2013, and which FireEye has been tracking since May 2016. The news is not APT33's existence, but rather its new approach. The group had hitherto been for the most part an espionage operation serving up spyware, but it now appears to be running a new destructive malware campaign similar to the Sandworm effort that's been associated with Russia.

Dave Bittner: [00:03:05:22] Reports yesterday that Equifax had sustained an earlier breach that was only now being disclosed, turn out to be only partially true. The Credit Bureau did indeed sustain a breach in March, well before the incident disclosed on September 14, but the company did in fact disclose that breach in a relatively timely manner. The industry press picked it up; big media didn't. Who was breaching Equifax is still unknown. Some observers say it had to have been a nation-state, but that's based on the less-than-circumstantial evidence that the hack seemed pretty complicated.

Dave Bittner: [00:03:39:10] Lawsuits and regulatory scrutiny of Equifax continue. This morning, a class action suit was filed in the Atlanta Federal Court on behalf of small businesses who claim injury from the breach. Equifax's two big competitors, Experian and TransUnion, aren't alleged to have done anything wrong, but New York's Attorney General is pressing them for answers on their own data security posture.

Dave Bittner: [00:04:03:22] The security firm, UpGuard, has discovered another unsecured AWS S3 bucket, this one belonging to Viacom, and exposing the company's IT infrastructure. Among the items exposed were Viacom's cloud keys. UpGuard researchers found the exposure on August 30th, and they describe it as having had the potential to enable "malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies."

Dave Bittner: [00:04:34:10] Viacom acted promptly to secure its cloud infrastructure after UpGuard warned it, so the gaffe seems to have had little effect. The reputational damage of exploitation could have been very great, to say nothing of the direct damage to the company, and those who would have been touched by the botnets and attack platforms that could have been spawned.

Dave Bittner: [00:04:54:15] The series of hurricanes from the Atlantic this season, is responsible for tragic loss of life and unimaginable destruction in some of the areas worst hit. It's also left millions without power, highlighting people's reliance on the electrical grid. Even when the power goes off for just a few days, it can have a serious impact and put lives at risk. Eddie Habibi is founder and CEO of PAS Global, a company that focuses on the security of the industrial control systems that keep the power flowing.

Eddie Habibi: [00:05:24:17] The challenges or the awareness of the ICS industrial control systems being a vulnerability, came to be about ten to fifteen years after the typical enterprise IT security was found to be a challenge for companies. It wasn't until disclosures around Stuxnet that we realized, as an industry, that the manufacturing sector, the process, power and other industrial sectors, were affected as well. With that in the background, there have been certain misunderstandings as to how we should handle industrial control systems. In fact there is this notion that industrial control systems are not at the risk, if you will, of being a target of cybersecurity attacks. The threat is real. There is this notion that there is hype in the media, that the threat of cyber is overblown. That may be the case in the enterprise IT, but in our view, there's not enough conversation going on around the threats posed towards control systems.

Dave Bittner: [00:06:47:05] I think there is a tendency for the general media, certainly outside of the cybersecurity industry, particularly when they see something like the threat of the electrical grid going down, to imagine a worst case scenario. But I've heard other people say, "Yes, we should be worried but let's also not get carried away."

Eddie Habibi: [00:07:08:02] Any time there is exaggeration you have the cry wolf syndrome, the boy who cried wolf. It does not serve us. It does counteract the real message and the real message is, if you follow the following set of what-if scenarios, you will very quickly realize that the threat is real and we have to take it seriously. You have control systems that are at the heart of the industrial sector, including power, refining oil and gas. These systems are vulnerable. Bad actors have proven that they can penetrate them and they can cause shutdown. Simultaneous attacks on a number of these systems could have a similar consequence to a natural disaster.

Eddie Habibi: [00:08:00:08] You combine that with the knowledge that certain foreign nation states have shown that they are interested in cyber as a weapon and they are testing those weapons, it is easy to see what the consequences could be. That a simultaneous shutdown of water, utilities, power and the oil and gas industry, and it doesn't take very much of that, you could literally cripple a city, a state or a part of a country.

Eddie Habibi: [00:08:36:20] In our estimation, based on conversations we have had, only a small fraction of industrial companies have implemented what we refer to as foundational cybersecurity measures to deal with the issue. They have performed what we would call perimeter defense measures; firewalls, antivirus. However, there is much more to do that has not been done.

Dave Bittner: [00:09:04:14] That's Eddie Habibi from PAS Global.

Dave Bittner: [00:09:09:02] Yesterday's conference at the Johns Hopkins University covered ground of interest to business leaders, especially with respect to the implications cyber risk has for their legal and contracting activities.

Dave Bittner: [00:09:20:06] In his opening remarks, Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University's Whiting School of Engineering, reviewed his "Unlucky Top 13" list, an inventory of recent security horror-shows. He thinks these incidents, the Equifax breach being the one that's arrived with most éclat, may have induced the public to pay attention, and may finally be moving people away from what Dahbura called "the gazelle mentality," that is, the comforting thought that if you stay close to the herd, you'll be okay. You won't.

Dave Bittner: [00:09:52:08] Other speakers discussed the opportunity costs sound security inevitably imposes on organizations. One new addition to the faculty at the Johns Hopkins School of Advanced International Studies, Thomas Rid (who'd just arrived from his previous appointment in London) offered an overview of the attribution challenge. Historically informed, Rid's account argued that attribution is as much art as science. A panel of legal experts offered advice for businesses. One highlight: Whiteford Taylor Preston's Howard Feldman reminded everyone of the importance of contracts, and that you may be bound by contracts you hadn't realized were contracts at all. For example; he said, "Your privacy policy, on your website, is a contract."

Dave Bittner: [00:10:37:04] And Bob Olsen, CEO of event sponsor COMPASS Cyber Security, closed with some effective analogies security professionals can use to communicate with the business leaders they support. Compare security to a house; the keys are like credentials, security consultants are like security guards, and so on. The analogies may be homey, but they may also be an overlooked way of approaching the kind of story-telling security experts continue to tell CISOs and consultants they need to do with business leaders. We'll have more detailed coverage of the discussions later this week. Watch the CyberWire Daily News Briefing for updates.

Dave Bittner: [00:11:13:14] Finally, we've all heard of criminal masterminds, but we think they're probably as fugitive and scarce as Sasquatch. The criminal bonehead is a much more representative variety. For your consideration, one Christopher Ricardo Gonzalez, age 18, and one of the ten most wanted by the State of Texas. Mr. Gonzalez, with whom the Dallas Police Department very much desired to speak, was located in the leafy, laid-back Los Angeles neighborhood of Woodland Hills the other day. The Dallas PD noticed that Mr. Gonzalez had proudly posted an Instagram video of himself displaying his arsenal of weapons. The Dallas police extracted Mr. Gonzalez's geolocation (also proudly on display), sent it to the LAPD and asked them for a solid. The LAPD obliged, and Mr. Gonzalez is now a temporary guest of Los Angeles' mayor while he awaits extradition to the Lone Star State. So kids, remember, if you must embark on an alleged life of alleged crime, never forget: those who live by the selfie get nabbed by the selfie.

Dave Bittner: [00:12:22:07] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzzwords, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to and let their white paper guide you through the possibilities of these indispensable, emerging technological tools.

Dave Bittner: [00:12:52:06] Remember, the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So see what E8 has to say about it and they promise, you won't get a sales call from a robot. Learn more at And we thank E8 for sponsoring our show.

Dave Bittner: [00:13:17:00] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. Imagine the scenario. You're sitting home, minding your own business, or maybe even asleep at night, and suddenly FBI agents come pounding on your door, coming in and they say that they are ready to search your house for child pornography.

Ben Yelin: [00:13:39:12] Yes, this happened actually, in the town of Davis, California, which is just a little bit west of Sacramento. This innocent person heard a bang on his door. He and his roommate panicked. It was the FBI, they were executing a search warrant based on information they received from an AT&T wireless router, that somebody within the confines of that house was using child pornography. Of course, the problem was that neither of the two people who occupied the house were using child pornography. It was the 22 year old man in the apartment next door who used his "great computer savvy" to hack the password protected account. He was basically viewing child pornography through his neighbor's wireless service.

Ben Yelin: [00:14:29:24] The person who was actually committing the crime and viewing child pornography has gone through this long, arduous prosecution. He has been convicted, he is going to prison, they're in the sentencing phase right now, and it looks like law enforcement is seeking a strict 17 and a half year sentence on counts of possession and distribution of material involving the sexual exploitation of minors. And the 22 year old living next door has admitted to downloading this pornography, has admitted to having a problem, viewing underage males on line but, nevertheless, he says he's not any sort of sexual predator, he's never acted upon these impulses. He's just somebody who is computer savvy and was able to, at least temporarily, disguise his online whereabouts to avoid detection. But luckily, justice is being served for that individual.

Dave Bittner: [00:15:26:16] And for the neighbors, the people whose WiFi he hopped on, this was not a matter of them having an unsecured WiFi, they had done everything right.

Ben Yelin: [00:15:35:16] They sure have and Dave, none of us really change our WiFi passwords. I don't think I've changed mine since I've moved to my house. This is just not something the average lay person focuses on, and it can be an extremely traumatic experience for people to have the FBI come in at odd hours of the night, bang on a door, execute a search warrant.

Ben Yelin: [00:15:55:13] For the story in the Sacramento Bee, they interviewed these two individuals who occupied the apartment and they seemed pretty traumatized. One of the people said that he didn't want to feel that shadow of guilt or to have memories come bubbling back up when he least expects it, like staring at a train window on his commute home or when he's trying to fall asleep. I mean, it's almost like having a post traumatic experience. And it would be good if there were some accountability avenues when the FBI does this to innocent people.

Ben Yelin: [00:16:24:09] The FBI here made a good faith mistake and they would be able to win any civil suit just based on that justification. There has to be some way for there to be accountability when innocent people are being subject to these, often violent, FBI raids. That's the problem with a probable cause determination. In order to execute a search warrant like this, you don't have to be 90 percent sure that a crime has been committed, you just have to have probable cause; it has to be more probable than not that there is evidence of a crime. And from the FBI's perspective, they think it's coming from the wireless server in this house, that makes it more probable than not that the people in the house are the ones searching this pornography and that's highly unfortunate, but I don't see that the legal standard is going to change.

Dave Bittner: [00:17:10:16] Alright, Ben Yelin, thanks for joining us.

Dave Bittner: [00:17:15:10] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:17:27:09] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.