No insight yet into Las Vegas gunman's motive as ISIS inspiration generally discounted. Yahoo! breach affected 3, not 1, billion user accounts. Equifax updates.
Dave Bittner: [00:00:01:01] Perhaps today is the day that you will step up and become a supporter of the CyberWire. You can find out how to do that by visiting patreon.com/thecyberwire. We do appreciate it.
Dave Bittner: [00:00:14:14] ISIS claims of responsibility for Las Vegas murders continue to lose plausibility, but the shooter's motives remain a mystery. Yahoo!'s epic breach just got even more epic. Equifax looks little better in the wake of its CEO's Congressional testimony. A major breach seems to be unfolding in India. And does Star Fleet still run Windows XP? Who's responsible for information security on that bridge anyway?
Dave Bittner: [00:00:44:12] A few words from our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about Artificial Intelligence and Machine Learning. We know we have. But E8 would like you to know that these aren't just buzz words, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to e8security.com/cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz around Artificial Intelligence isn't about replacing humans, it's really about Machine Learning, a technology that's here today. So, see what E8 has to say about it, and they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:42:13] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 4th, 2017.
Dave Bittner: [00:01:53:02] The motives of the Las Vegas gunman remain a mystery. Few credit ISIS claims in its online news service Amaq that the shooter was a jihadist soldier. But the absence of any discernible motive is baffling. Clark County Sheriff Joseph Lombardo did say that they were still looking into the possibility of some unknown radicalization, but that still appears unlikely.
Dave Bittner: [00:02:17:07] Yahoo!, under its new status as a Verizon unit, has determined, and disclosed, that all three billion of its email users were in fact compromised in its already massive, now more massive than anyone believed, 2013 breach. Last night's disclosure multiplies the largest breach in history by a factor of three. Yahoo!'s current corporate parent, Verizon, which closed its acquisition of Yahoo! this summer, disclosed the new figure late yesterday on the basis of what it characterizes as fresh evidence.
Dave Bittner: [00:02:49:12] Verizon's acquisition of Yahoo! had been delayed by Yahoo!'s belated disclosure in September and December 2016 of breaches it sustained in 2013 and 2014. And the purchase came at a renegotiated price that knocked some $335 million off the original sticker.
Dave Bittner: [00:03:07:17] Yahoo!'s security FAQs are unlikely to provide much comfort. They read in part, "Yahoo is providing notice to additional user accounts affected by an August 2013 theft of user data previously announced by the company in December 2016. This is not a new security issue. In 2016, Yahoo previously took action to protect all user accounts."
Dave Bittner: [00:03:29:13] So there you go, it's a known issue, and anyway all user accounts are still protected under previously taken action. So is this latest disclosure much ado about nothing? A billion here, a billion there. Maybe one person's lost data is a sad inconvenience, one retiree's stolen pension a tragedy, but a billion users compromised? Isn't that just a statistic?
Dave Bittner: [00:03:51:19] Well, no, at least according to what we heard from security firm Centrify's Corey Williams: "Does this make the breach three times worse than before?" Williams asked, and then answered four times yes.
Dave Bittner: [00:04:04:12] Yes, because nearly every online user in the entire world was impacted. Yes, because an email notification is being sent to an additional two billion people announcing that Yahoo! failed in its responsibility to protect user information. Yes, because this is another reminder of the black eye on the world's cybersecurity. Yes, because it reminds us that Russian intelligence conspired to protect, direct, facilitate, and pay criminal hackers to collect information through computer intrusions in the United States and elsewhere.
Dave Bittner: [00:04:36:15] So, more than a statistic, and yes, it's not good.
Dave Bittner: [00:04:42:09] Coming on the heels of the Equifax debacle and numerous other data exposures we're now conditioned to regard as relatively small, this slow-developing mess has reinforced calls for data-security regulation at least as stringent as GDPR. It may also prompt stricter liability for corporate officers, perhaps even for government officials. We heard from Willy Leichter at security company Virsec Systems. He tells us this news will increase building momentum for breach disclosure legislation. He told us in an email, "This news will add more fuel to fire for having legal standards on how quickly breach information is revealed and how much detail is required. As we've seen in the Equifax hearings, even conservatives are calling for legislation moving in the direction of the European GDPR."
Dave Bittner: [00:05:33:04] Speaking of Equifax, the credit bureau's departed CEO Richard Smith's Congressional testimony yesterday mollified few, and it reinforced a picture of poor preparation and response. He said the breach originated with someone's failure in March to communicate that Apache Struts needed to be patched. A subsequent scan to identify software needing updates also failed to catch the oversight. That second scan is being called a 'failsafe' measure, which seems incorrect. It was a redundant check; a failsafe system by way of contrast would have shut a system down rather than permit its continued operation in an unsafe mode. Smith said the failed scan is "still under investigation by outside counsel."
Dave Bittner: [00:06:17:18] Among the unpleasant details that emerged in the hearing is the fact that Equifax hired outside counsel about a month before it disclosed the breach. They brought King and Spalding in on August 2nd to investigate suspicious activity on a customer portal that Smith said came to his attention on July 31st. This has led WIRED and others to note that early August was the same period in which Equifax's General Counsel approved sales of the company's stock by three executives, one of them the CFO. There is therefore this apparent dilemma. Either the CFO and General Counsel were aware of non-public material information, or they weren't. If the former, then, as many have said, it looks like illicit insider trading. If the latter, then who in the world should be involved in incident planning and response if not the CFO and the General Counsel?
Dave Bittner: [00:07:10:12] Given all of this, many are surprised to learn that the US Internal Revenue Service just gave Equifax a $7.25 million contract for tax fraud prevention work. The contract is a bridge contract to provide taxpayer identity and validation services the IRS says are essential until the new contractor, which won the business in July, can take over. And presumably the T-men can't just do a dark web search for your tax information.
Dave Bittner: [00:07:38:05] It's not just the US, either. A large data breach affecting some 6,000 businesses and government agencies seems to be unfolding in India.
Dave Bittner: [00:07:49:02] It's Wednesday, that means it's time to take a quick look at our CyberWire event tracker. Coming up in Kraków on the 9th and 10th of October there's an event called Dealing with Cyber Disruption. That's from CYBERSEC, the European Cyber Security Forum. On October 11th, in Rockville, Maryland, there's a cybersecurity graduate program's information session sponsored by UMBC. And coming up October 11th and 12th, it's Cyber Maryland 2017. That's at the Baltimore Convention Center. The 2017 International Information Sharing Conference is coming up at the end of the month, October 31st to November 1st in Washington DC. The tag for that event is Cyber Security is a Team Sport. You can find out more about these events and list your own on our CyberWire event tracker at thecyberwire.com/events.
Dave Bittner: [00:08:35:03] We also want to highlight our own event. It's the 4th Annual Women in Cyber Security Reception. That's taking place October 17th at the Columbus Center, here in Baltimore. You can find out more information about that event at thecyberwire.com/wcs. One of our presenting sponsors for the event is CenturyLink. Dave Mahon is the Chief Technology Officer there, and he offers his thoughts on the benefits of attending an event like the 4th Annual Women in Cyber Security Reception.
Dave Mahon: [00:09:02:24] Yeah, it's important to attend these events, because people are going to be in the workforce for very long periods. I think the average person will probably be working anywhere between 30 and 40 years. So why not take a profession that is dynamic, that is flexible, that is growing? And it's these types of events that allow people, particularly young women, to become exposed to the profession, number one, but very importantly to the people in the profession. And I would encourage young women, in particular, to network as much as you can at these types of events. And when you meet professionals who are already in the profession, I would recommend that you ask them at least three questions. The first one I would suggest you ask is, what do you like most about your profession? The second one is, what do you like least about your profession? And the third is, where do you see this profession in the next five to ten years? That begins to give you information about the industry and see if your skills, your talent, your capabilities, your desires, align with the profession. Because you want to be happy. You're going to be working for many, many years. You want a path that allows for flexibility and growth.
Dave Mahon: [00:10:29:01] And then I would say, as you're coming out of your academic pursuits, think about what people are looking for in you. We're not just looking for people with a high GPA, or that graduated from state universities, or have a technical certification. We certainly want people to be technically competent, but when I consider how I think about people during the job selection process, I'm really looking for behaviors that connect that person intellectually and emotionally to our organizational purpose. I'm looking for people who have an authentic interest in the job. I very much want to see a tenacious intellect in young people, and you're not going to know all the answers, I know that, but do you have the drive to find the solution? I definitely want to see a strong work ethic, you know, someone who can come in, stay with the project, drive it to conclusion. Most important thing for me is integrity. If you have all of the other skills and you lack integrity, then you'll not be successful in your profession.
Dave Mahon: [00:11:44:05] Obviously, we want people to be technically competent. There's another thing I look for in people and that is gratitude. I mean, people who get up every morning, they're respectful and appreciative of where they have found themselves in their lives. They're willing to go out there and make a contribution, both to the company, to their family, to the community. They're the types of people that we're looking for. And as a young woman, when you're at these networking events, it gives you an opportunity to seek out leaders in the organization that you might have an interest in, and ask them questions and get to know them.
Dave Bittner: [00:12:23:12] That's Dave Mahon from CenturyLink.
Dave Bittner: [00:12:27:13] Finally, it appears from internal evidence on screen in Star Trek: Discovery, that Star Fleet is still running Windows, and even that it's dealing with Stuxnet. We just hope the Holodeck isn't afflicted with the BlueBorne vulnerability, because, well, we don't even want to go there. The whole Holodeck recreation system is kind of creepy, but mostly awesome. Little creepy, but mostly awesome.
Dave Bittner: [00:12:57:18] Now I'd like to tell you about a new infographic from our sponsor, Delta Risk. Delta Risk is a National Cyber Security Awareness Month champion. As we kick off NCSAM, they put together a handy 31 days cybersecurity calendar full of tips to help the public protect themselves and their communities online. Throughout the month of October, Delta Risk will post additional infographics and blogs that address weekly NCSAM themes to educate and spread awareness around important cybersecurity topics. You can view the infographic by visiting deltarisk.com/31days-infographic. Delta Risk LLC, a Chertoff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And, again, that link for the infographic is deltarisk.com/31days-infographic. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:14:02:04] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland, and also Director of the Maryland Cyber Security Center. Jonathan, welcome back. We're going to touch on a basic topic today, the subject of random numbers and the importance of truly random numbers when it comes to cryptography.
Jonathan Katz: [00:14:18:04] Well, random numbers turn out to be vital for various applications in cryptography, and the easiest example of that is just the example of generating a cryptographic key. When you generate a cryptographic key that you're going to share with some other party, with whom you're going to communicate, you want that key to be random, so that an attacker, in particular, won't be able to guess it. And the less random your key is, the easier it will be for an attacker to guess it, and once they guess it, of course, all the security of your encryption, or authentication, or what have you, is going to be lost.
Dave Bittner: [00:14:47:21] Are there methods for proving that a number or a string of numbers are truly random?
Jonathan Katz: [00:14:52:23] Well, that's interesting. That gets into the question of what it even means for something to be random, at least for the purposes of cryptography. And the fundamental measure is entropy, which relates to exactly how hard it is for an attacker to guess the value of your random number. And so you want to make sure that any random number you're using for those purposes is really unguessable to the attacker. There have been some advances in the last couple of years actually on quantum mechanical methods for generating randomness, where the device can be proven to output random numbers that are unguessable to within a particular degree.
Dave Bittner: [00:15:27:20] What about using like an irrational number like pi as a source for a random number? Does that get you anywhere?
Jonathan Katz: [00:15:34:10] Yeah, that's kind of interesting. I hear that often. And the problem is that it doesn't really give you the randomness that you need for cryptography. So, there might be some notion of randomness or chaotic behavior in, for example, the digits of pi, but they're not at all random, because the digits of pi are public. So, if you're going to be picking your key based on some consecutive digits of pi, and if an attacker knows that, then it would be trivial for the attacker to figure out exactly what your key is. So, those kind of numbers would not be suitable for cryptographic purposes.
Dave Bittner: [00:16:03:02] Alright. Jonathan Katz, thanks for joining us.
Dave Bittner: [00:16:07:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our sustaining sponsor, Cylance. To find out how Cylance can help protect you, using Artificial Intelligence, visit cylance.com.
Dave Bittner: [00:16:19:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.