The CyberWire Daily Podcast 9.29.17
Ep 445 | 9.29.17

Whole Foods breached. Illusion gap and Windows Defender. Exposed AWS S3 buckets. Equifax incident response. Reality Winner proceedings.


Dave Bittner: [00:00:01:06] The CyberWire Podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:17] Whole Foods has been breached; if you've been to the taproom, look to your credit cards. An illusion gap could help bypass Windows Defender, says CyberArk. Microsoft says don't sweat the small stuff. A Mac firmware issue may be giving users a false sense of security. Equifax is offering a lifetime of free credit freezing, but observers are dubious. A study suggests there are still a lot of improperly secured clouds out there. ISIS and the Taliban resume their inspiration operations online. And alleged NSA leaker Reality Winner remains in custody, at least for now.

Dave Bittner: [00:00:52:14] It's time to take a moment to tell you about our sponsor, Recorded Future. RFUN 2017 is back, and Washington DC's got it. Join Recorded Future and other leaders in the threat intelligence space this October 4th and 5th. Get industry insight, and hear from top cybersecurity and corporate strategy experts as they share their ideas and experiences. Teresa Shea, now of In-Q-Tel, formerly NSA's Director of SIGINT. The Grugq, expert in most things infosec and a connoisseur of intelligence and info operations. Mike Cole, author and cyberthreat intelligence analyst with a major Metropolitan Police Department. Priscilla Moriuchi, former Enduring Threat Manager for East Asia and Pacific at NSA. And, finally, Robert M. Lee, founder and CEO at Dragos Security and National Cyber Security Fellow at the New America think tank. And say hello to us; the CyberWire will be there and podcasting from the floor on the 5th. If you're a threat intelligence enthusiast, register now at And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:04:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, September 29th, 2017.

Dave Bittner: [00:02:14:15] Whole Foods disclosed that it's been hit with a breach that exposed customer paycard data. This is the second breach of a retailer to come to light this week. The other disclosure earlier this week involved the breach of Sonic's drive-in restaurants. Whole Foods says the breach was limited, affecting only transactions at the taprooms and sit-down full-service restaurants found in some of their stores. They also stress that the breach did not affect their new corporate parent, Amazon, which purchased the upscale grocery chain on August 28th of this year. The breach was detected and reported by an unnamed third party.

Dave Bittner: [00:02:50:07] Researchers at security firm CyberArk have found an "illusion gap" technique that could enable attackers to bypass Windows Defender. The technique essentially creates a pseudo-SMB server that presents a benign file to Windows Defender for inspection, instead of the actual malicious payload the attackers are causing to execute on the victim machine. Microsoft says the danger is exaggerated; it's possible it could work, but, says Redmond, you'd have to click through lots of warnings to fall into the illusion gap.

Dave Bittner: [00:03:20:09] CyberArk says that when it reported the problem to Microsoft, Microsoft said that what CyberArk was describing was really a feature request and not a vulnerability, and so they've forwarded the information to Engineering.

Dave Bittner: [00:03:32:18] Microsoft told the Register that, "The technique described has limited practical applicability. To be successful, an attacker would first need to convince a user to give manual consent to execute an unknown binary from an untrusted remote location. The user would also need to click through additional warnings in order to grant the attacker Administrator privileges. Should the attacker successfully convince a user to carry out the manual steps mentioned, Windows Defender Antivirus and Windows Defender Advanced Threat Protection will detect further actions by the attacker."

Dave Bittner: [00:04:04:14] Researchers at Duo Security have released results from their inquiry into Mac firmware vulnerabilities. They conclude that a large number of systems, including some running the most recent versions of macOS, are susceptible to exploitation. Evidently the Extensible Firmware Interface (EFI) in many devices was not actually installing the security updates users thought they'd applied. Duo notes that firmware exploitation isn't easy and requires a relatively high level of sophistication on the attacker's part, but the vulnerability is nonetheless a serious one. Some observers think it likely the problem extends into the Windows and Linux worlds as well.

Dave Bittner: [00:04:44:14] At midweek Equifax's interim CEO offered people affected by the company's breach a free lifetime credit freeze, with the ability to lock and unlock it at will. A number of observers say that sounds good, but they doubt Equifax will be able to pull it off. New York's Department of Financial Services has subpoenaed the credit bureau as it continues to dig into the incident.

Dave Bittner: [00:05:07:11] If you've wondered at the number of breaches connected with unsecured data exposed in the cloud, Skyhigh Networks research has a partial explanation. The company's studies have led it to believe about 7% of AWS S3 servers worldwide are exposed because their users have simply configured them improperly.

Dave Bittner: [00:05:27:15] ISIS and the Taliban have each released new inspirational pieces online as reverses on the ground push the terrorist organizations into cyberspace. The Taliban videos feature, among other things, clips of President Trump calling Afghanistan a "complete disaster." The ISIS audio (no video for this one) purports to show the elusive ISIS leader al-Baghdadi repeating his familiar theme that the US is growing weary of the war of attrition his jihadists are waging. Al-Baghdadi (if it's indeed him; so far the audio is unconfirmed and there haven't been reliable sightings of him since November of last year) also praises North Korean nuclear threats and sees nothing but good as having come out of the bloodshed in the cities he enumerates: Mosul, Raqqa, Sirte, Ramadi and Hama. All of these ISIS has either lost or is in the process of losing. As its physical territory shrinks, ISIS is expected to move its center of gravity to cyberspace.

Dave Bittner: [00:06:27:13] Turkish hacktivist group Aslan Neferler Tim claimed responsibility for Wednesday's take-down of sites belonging to Denmark's Ministry of Immigration and Ministry of Foreign Affairs. The attacks were apparent retaliation for the Immigration Minister's remarks praising Kurt Westergaard's famous cartoon depicting the prophet Mohammed wearing a bomb as a turban. Some Ministry of Information sites remained inaccessible as late as yesterday.

Dave Bittner: [00:06:54:07] Alleged NSA leaker Reality Winner has petitioned to be released from pretrial confinement, but Federal prosecutors want her to stay put. They quoted a number of the statements she's said to have made to the FBI Special Agents who arrested her, expressing her hatred of America prompted by environmental outrage and triggered by her co-workers watching Fox News, and denying she removed the classified material she's alleged to have given to the Intercept, while she explained at the same time how she smuggled it out. Her desire for release is said to be connected with her dietary restrictions being unmet in confinement; she keeps both vegan and kosher. The prosecutors call her a flight risk and a highly attractive target for recruitment by foreign intelligence services.

Dave Bittner: [00:07:39:06] Many in and around the US Intelligence Community have called for a serious overhaul to the security clearance process. Most of the calls for reform have centered on the potential continuous monitoring offers as a better, less expensive, and faster alternative to the current practice of regular reinvestigation. But, as recent cases of leaks seem to suggest, the problems may run deeper than any easy technical fix can reach.

Dave Bittner: [00:08:08:15] A brief note about our sponsor, E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business? But that's science fiction, and not even very plausible science fiction. The artificial intelligence and machine learning E8 is talking about aren't science fiction at all, and they're here today. E8's white paper, available at, can guide you through the big picture of these still emerging, but already proven, technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:09:02:00] And joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. You know, we talk a lot about machine learning and artificial intelligence; let's just start with some basics here. Explain to us, what's the difference?

David Dufour: [00:09:16:15] Thanks for having me back, David. Yeah, this is pretty near and dear to my heart. ML is a subset of artificial intelligence, ML being machine learning, of course. People do use them interchangeably, and I feel like I've lost that war around the office; I don't bother. But let's start with AI. AI is the field of trying to build a technology so that it acts and behaves like something we know, like a human. Or maybe you want to build something that acts like a cat or a dog or something. But it's actually trying to behave in a way that mimics behaviors or the semblance of intelligence of some living things.

Dave Bittner: [00:09:57:11] Those of us who are old enough may remember the old ELIZA program.

David Dufour: [00:10:00:21] That's exactly right. And then machine learning is in fact a subset in the field of AI, but machine learning itself is focusing on building algorithms and models that consume data and analyze that data in a way that it can then learn from that data. Make decisions about that data that maybe a human, just from a sheer capacity perspective, would not be able to see. So it provides potentially insight into large data sets that a human would not be able to do on their own, just from the volume.

Dave Bittner: [00:10:38:20] What would be the thing that would make machine learning cross into being pure true AI?

David Dufour: [00:10:44:09] What you would potentially do, your AI unit, let's say it's a robot, is gathering volumes and volumes of data, and the whole AI component, let's just pretend you're trying to make it act like a human, its objective is to act like a human. So it has all this feature functionality to mimic humans and know how to speak or how to respond. But the machine learning component of that would be to build models that take the input, potentially, let's say, your question that you would say to the AI unit. The machine model would then analyze that question and try to determine the proper response, hand it back to the AI unit, which would then say that response.

Dave Bittner: [00:11:26:24] I see. So the machine learning is taking care of things under the hood, but the AI is the part that makes you think that you're talking to an intelligent being?

David Dufour: [00:11:36:06] That is exactly right.

Dave Bittner: [00:11:37:21] Well, interesting stuff, as always. David Dufour, thanks for joining us.

Dave Bittner: [00:11:45:23] Time to share some information from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya, and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefits of their temporal predictive advantage. Cylance protects, stops both file and fileless malware, it runs silently in the background, and best of all, it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at and find out how their AI-driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:12:50:01] My guest today is R.P. Eddy. He's co-author, along with former White House National Security Council veteran Richard A. Clarke, of the book Warnings: Finding Cassandras to Stop Catastrophes. The book examines those who made dire predictions, were largely dismissed, but were later proved right, along with current experts in a variety of fields who are now making consequential predictions yet to be verified or disproven, as well as a framework for determining the likelihood that a modern-day Cassandra deserves a second look.

R.P. Eddy: [00:13:20:15] We realized that not only were Dick and those of us who were working on Al-Qaeda and Bin Laden pre-9/11 largely ignored before 9/11, but that there was a whole series of other people in the world that had the same phenomenon happen to them. And it turns out in Greek mythology there is a character named Cassandra who suffered a similar fate, where she predicted disasters, and in this instance, she foretold the fall of Troy, her hometown, and no one believed her. She saw it perfectly and no one believed her. And, of course, the city burned to the ground, and she got to watch that happen. And that frustration and that curse, the curse of Cassandra, became something that was a little fascinating to us.

R.P. Eddy: [00:14:05:00] So, we weren't sure if these different Cassandras had anything in common, because, as I said, discovering the fact there are Cassandras I guess is noteworthy. But, if I can't help you find the next Cassandra, the next accurate predictor of doom, I'm not doing my job. So, we didn't have a clue if they had things in common. So, Dick and I split chapters. He would talk to one Cassandra, I would talk to the other. We found, not only did they just seem to have a lot in common, but when we looked at the transcript and listened to the words, every single one of the proven Cassandras used two sentences, two identical sentences, almost word for word, even if it was in Japanese. One was, "When I discovered this data, I wanted to be wrong, so I went to my colleagues and said, 'Please show me that this isn't correct.'" So, that was the first thing. All these guys are data-driven and they didn't want this to happen. And they went to verify their data with others, and in every instance, the other stock analyst, the other seismologist, the other experts on climate, said, "You're right."

R.P. Eddy: [00:15:02:06] Now, the second thing they all said was, "Okay, so then when I took my data and brought it to the decision makers, I kept saying to the decision makers, 'Why are you ignoring your own data? This is publicly available data. I'm not making this up. It's not proprietary.'" So, we knew right away there was going to be a lot of correlation between these Cassandras. And as we dug in deeper and deeper and spent time with these amazing people, we realized it's not just about the characteristics of each one of those warners; it's also about what are they warning about? Who's the decision maker? And what are the critics saying? And so we came up with 24 different characteristics that describe when you basically need to ask the next question. When do you need to dig deeper? When you shouldn't kick that person out of your office. When you should take their warning more seriously.

R.P. Eddy: [00:15:49:17] And I'll give you a couple that are interesting, we won't do 24, of course. But one that's fascinating is called the Initial Occurrence Syndrome, we call it. And effectively what we're saying there is, a lot of these disasters were ignored by decision makers because they'd never happened before. Nothing like that ever happened before. A tsunami never breached a sea wall and caused a near nuclear meltdown. The chairman of Nasdaq never ran a $65 billion Ponzi scheme. An Arab country never invaded another Arab country, and then Saddam invades Kuwait. So, all these things, everything we talk about, hadn't happened before, and it's very hard for decision makers to believe that something will happen that hadn't happened before. So, one thing is, Initial Occurrence Syndrome.

Dave Bittner: [00:16:35:19] How do you deal with the issue of hindsight being 20/20? That it's easy to spot your Cassandras in the rear view mirror. How do you keep from cherry picking your Cassandras, particularly in the past?

R.P. Eddy: [00:16:47:24] So, David, you are the first person to ask me that question and it is the obvious criticism of this book and no one has made it yet, so congratulations.

Dave Bittner: [00:16:56:02] Well, thank you very much.

R.P. Eddy: [00:16:57:14] Hindsight bias is a real bias. And we talk a lot about biases in these books, and I've just been waiting for someone to say, "Ah, the whole book's hindsight bias." It's an easy criticism. Thankfully, it's not right. If we go back and look at the seven people we picked as Cassandras, and there's some we didn't pick for this reason, we believe that they had a series of characteristics that, at least going forward, if we pay attention to these characteristics, we'll know we shouldn't ignore them. They are proven technical experts. They are data-driven. They think differently. They are questioners. They're asking hard, hard questions. They have a sense of personal responsibility; it really matters to them that the message get out there. And finally, all of our Cassandras had the sense of high anxiety. They were going crazy that they weren't being listened to.

R.P. Eddy: [00:17:47:12] So, we think those characteristics mean that the folks that we said should have been listened to, in the future you'll be able to see them a little more easily.

Dave Bittner: [00:17:56:17] For those of us who are in cybersecurity, I'm thinking of that Executive sitting in their office, or that person sitting on the Board, what's your advice to them for how to best handle when people come to them with these sorts of predictions?

R.P. Eddy: [00:18:11:03] I think the really important thing for any leader, or any person, or any spouse, or any parent, or any coach, or anyone who's really interacting with other people and trying to have influence is, first, this understanding that your intuition is going to fool you time and time again, because you're so bias-driven. We are bias-driven animals, because 70,000 years ago, or 140,000 years ago, depending on how you want to count the beginning of the current Homo sapiens brain, biases were actually useful and helped you survive; certainly heuristics did. They don't anymore. So, number one, you're going to make mistakes. Number two, realize it's very, very hard to get away from your intuition and bias. Number three, getting more to the book, when that person walks in the door and starts telling you you have a real problem, ask the next question. It's something we've been teaching in the counter-terrorism world for years. Ask the next question. Don't respond from your heart, respond from your brain and dig a little deeper.

R.P. Eddy: [00:19:13:11] And then, you start getting into this in the book; in the conclusion we talk about what do you do? You don't have to say, "Alright, you're right. We're going to change the whole mission of the company and spend billions of dollars on this." You can begin to increase the surveillance on the risk, as long as you're specific about what you're looking for, and begin hedging.

Dave Bittner: [00:19:30:03] Our thanks to R.P. Eddy for joining us. He is co-author, along with Richard A. Clarke, of the book Warnings: Finding Cassandras to Stop Catastrophes.

Dave Bittner: [00:19:44:00] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, check out

Dave Bittner: [00:19:56:11] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben. Technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend. Thanks for listening.