The CyberWire Daily Podcast 10.13.17
Ep 454 | 10.13.17

Germany's BSI sees no problem in Kaspersky software. Equifax, TransUnion, suffer from third-party malvertising code. ISIS expected to change its inspiration. Notes on the dark web.


Dave Bittner: [00:00:01:03] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:12:18] German authorities say they see nothing bad up with Kaspersky software, but they're in the Western minority on this one. ISIS messaging looks as though it's shifting toward a different narrative. Hyatt discloses a significant credit card breach. Equifax and its competitor TransUnion both remove third-party malvertising code from their websites. And the dark web is in many ways a lot like the regular web, down to seasonal sales, customer reviews, and cat pictures.

Dave Bittner: [00:00:39:21] A brief note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Who of a certain age doesn't know that Skynet achieved self-awareness and sent the Terminator back to take care of business. But that's science fiction, and not even very plausible science fiction. But the artificial intelligence and machine learning E8 is talking about aren't science fiction at all, and they're here today. E8's white paper available at can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:42:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, October 13th, 2017.

Dave Bittner: [00:01:52:19] BSI, Germany's principal information security organization, has said it's found no evidence confirming claims in the US and Israel that Kaspersky software has been exploited for espionage by Russian intelligence services. This hasn't induced German security companies to slow down their marketing of their own products as "made in Germany", and, most importantly, "not Kaspersky". But in Germany at least the pressure on Kaspersky is coming from the private and not the public sector.

Dave Bittner: [00:02:22:16] RT touts Kaspersky's recent deal to share threat intelligence on cyber-crime with Interpol as more evidence that the Russian security firm is on the up-and-up, and that US strictures against the company's products are so much protectionist, anti-Russian gamesmanship. Most other observers, however, are taking the reports that Kaspersky AV software was able to inspect and report on files resident in the systems it protected more seriously.

Dave Bittner: [00:02:49:02] Terrorism experts are predicting the next wave of ISIS inspiration as the caliphate continues to vanish from its core territories. Any expectations that the reality of battlefield defeat would mute or at least humble the jihadist group are, War on the Rocks argues, bound to be frustrated. The old inspirational narrative of a just state ruled by godly men will indeed fade, but we can expect it to be replaced by one framed in terms of Hegira, which is to say strategic retreat after glorious, dead-ender resistance to the infidel. The Prophet himself conducted the first Hegira in 622, when he and his followers left Mecca for Medina to escape persecution. The Prophet of course returned, and ISIS can be expected to announce that its own return and ultimate triumph are equally sure things.

Dave Bittner: [00:03:39:00] Hyatt discussed yesterday that 41 of its hotels in 11 countries around the world – China being most heavily affected – had suffered a breach that exposed credit card data. The breach was discovered in July; investigation just concluded. The chain is notifying affected customers directly. If you used a card at a Hyatt between March 18th and July 2nd of this year, you should be alert for fraudulent charges. This is the second breach Hyatt has sustained within the past two years; an earlier breach was disclosed in December of 2015.

Dave Bittner: [00:04:13:11] There's more bad news for Equifax. Not only was it reported that their massive breach lost driver's license information among the other personal data the company held, but its website was infected with bogus, malicious links. The floundering credit bureau yesterday said it had taken down some third-party code it was using to track website performance. The code was serving up malvertising, directing users to a bogus (and malicious) Flash update site. Equifax says that its own systems weren't penetrated in this incident, which is no doubt true enough, and after all, if it's true, what else are they going to say? But at this point there seems little the company can do to recoup the loss of trust it's suffered.

Dave Bittner: [00:04:56:04] Equifax isn't alone in its industry either, with respect to suffering a bogus Flash malvertising infestation. Rival credit bureau TransUnion was also afflicted. Malwarebytes found that TransUnion's Central American site was exhibiting the same problem, and that's not, as Malwarebytes deadpanned, "something users want to have." TransUnion issued a statement similar to Equifax's: they've addressed the issue, and their systems weren't hacked.

Dave Bittner: [00:05:23:08] New York State's Attorney General Eric Schneiderman is investigating the Equifax breach. Schneiderman has also announced that he's opened an investigation of the security incident Deloitte suffered.

Dave Bittner: [00:05:34:20] Finally, we spent yesterday at CyberMaryland, where the annual conference closed with an overview of the dark web from Terbium Labs' always interesting dark web expert Emily Wilson, who you've heard here on the CyberWire regularly. We'll summarize the takeaways she left us: the dark web works in repeatable and understandable ways. You can measure and track it.

Dave Bittner: [00:05:55:13] The fraud trade is alive and well, and it too operates in predictable ways. When AlphaBay was taken down, the fraudsters went their way as if nothing had happened.

Dave Bittner: [00:06:04:22] If you weren't breached, but information about you was, it's still your problem.

Dave Bittner: [00:06:09:10] She was at pains to emphasize that the dark web isn't all criminal, or even predominantly criminal. Nonetheless a lot of criminal activity is conducted there. Contraband (especially drugs) are sold there, and personal information useful for fraud (especially credit card numbers and financial credentials) are also widely traded.

Dave Bittner: [00:06:27:21] In Wilson's view the bad stuff is organized much the way the good stuff is. The dark web is still part of the Internet, and even its criminal precincts have typical Internet features: customer reviews, advertising, cat pictures, and even special offers. Those special offers on contraband are even structured like sales and timed seasonally, just like legitimate sales. Drug sales get their holiday boost around Halloween and New Year's Eve. Credit card numbers get the special offer, act now, treatment around Black Friday.

Dave Bittner: [00:07:00:01] So even in the cyber underground sometimes the boss is on vacation and we've all gone crazy, crazy for low prices.

Dave Bittner: [00:07:10:00] Time to share some information from our sponsor Cylance. We've been following WannaCry, Petya, NotPetya, and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system, and they'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and fileless malware. It runs silently in the background and best of all it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect, and if you'd like to learn more about how it can defend your enterprise, contact them at and find out how their AI driven solution can predict and prevent the unknown unknowns from troubling you. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:08:13:24] And joining me once again is Malek Ben Salem. She's the Senior Manager for Security Research and Development at Accenture Labs. Malek, you wanted to describe today a new attack surface involving software-defined network controllers. What's going on here?

Malek Ben Salem: [00:08:27:11] Thanks David, yes. Probably most of our listeners know that software-defined networking has been slowly changing the networking industry. We certainly see it at Accenture with some of our clients who are adopting the software-defined networking paradigm, typically referred to as SDN. Just to remind the listeners, SDN basically is a new networking paradigm that separates the control layer or the logical programmable control plane that manages the physical devices which we refer to as the data plane. By doing that separation we're able to enable several new innovative use cases such as traffic engineering, data center visualization, dynamic network segmentation or even some security use cases such as fine-grained access control and quarantining of compromised devices.

Malek Ben Salem: [00:09:33:21] Now a lot of people get excited about these new capabilities that SDN introduces and they forget about the new attack surface that is brought by the SDN technology and the SDN controllers. Which is, you know, expected since now we're controlling the network through software. The SDN controller is an application, is a piece of software. So it has its own bugs so that introduces a new attack surface, but also the nature of SDN which is an asynchronous nature also introduces the opportunity for race conditions to happen, for harmful race conditions, that can be exploited by an attacker to launch an attack against the network, to compromise service, to crash a service or even crash the entire network.

Malek Ben Salem: [00:10:25:19] Now what has been demonstrated is a way of launching this attack where the attacker does not need to have access to the SDN controller itself to compromise the SDN controller; they don't need to have access to the network. All they need to have is a compromised device to launch the network into certain states that can cause a system crash, basically, for the SDN controller. And a system crash in that case means a denial of service attack against the network.

Dave Bittner: [00:11:03:09] So how do we protect against this sort of thing?

Malek Ben Salem: [00:11:05:05] A couple of things that can be done, these are new research areas. One of them obviously is to introduce more safety checks into the SDN controller software and its applications. Perhaps have some deterministic execution run times for the functions that check the network variables and access the network variables. But also there may be a new opportunity for research around using anomaly detection to identify suspicious update events in the network.

Dave Bittner: [00:11:42:21] Interesting stuff as always. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:11:50:06] I'd like to take a break and tell you about an exciting CyberWire event happening in a few weeks. The 4th annual Women in Cyber Security Reception, it's taking place October 17th at the Columbus Center on the beautiful waterfront in downtown Baltimore. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cyber security industry. The focus of the event is networking and it brings together leaders from the private sector, academia and government from across the region, and women at varying points in their career spectrum. The reception also provides a forum for women seeking cyber security careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connections.

Dave Bittner: [00:12:34:22] This year we're pleased again to be partnering with the great people over at the Cyber Security Association of Maryland, CAMI. We're grateful to our sponsors CenturyLink, Cylance, Exelon, E8, IBM, LookingGlass Cyber, Booz Allen Hamilton, the Brown University Executive Masters in Cyber Security,, and CyberSecJobs, CyberPoint International, Defense Point Security, Delta Risk and Creatrix. If your company is interested in supporting this important event we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them.

Dave Bittner: [00:13:12:17] As it's been in previous years, this is invitation-only. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event tell us a little bit about yourself and request an invitation at our website That's We look forward to hearing from you.

Dave Bittner: [00:13:42:14] My guest today is Jeff Schilling, he's the Chief Technology Officer at Armor, a managed cloud security provider. Previous to joining Armor he was the Director of the Global Incident Response Practice for Dell Secureworks. Mr Schilling is also a retired US Army Colonel having served 24 years active duty. His last military assignment was the Director of the US Army's Global Security Operations Center under the US Army Cyber Command. Our conversation began with the Russian cyber threat, specifically their effect on the last US national election.

Jeff Schilling: [00:14:17:04] I think that at the end of the day they were in a win-win situation when it came to the US election. If the Russians truly wanted to disrupt and undermine the credibility of our election process I would say they achieved that and they would have achieved that no matter whether Secretary Clinton had won it, or President Trump had won. Their whole goal was to undermine the US's confidence in our election process, and raise doubt to basically disrupt our national policymaking. And I would say if I were to sit back and grade how effective they'd been on that I would say they've been very effective. To me it just feels like they were really just hoping to create chaos in our national system and keep us from doing international policy development. Because I think that there are a lot of policy initiatives both that would be led by a Democratic-led government as well as a Republican-led government that would not admit the national interest of the Russians. And today what we have is essentially a paralyzed government that's torn with mistrust on both sides. And I'd say that they've been pretty effective.

Dave Bittner: [00:15:29:13] So what do you suppose an appropriate response would be from the United States and from the rest of the world?

Jeff Schilling: [00:15:36:17] You know that's probably the hardest question to answer because the US is always conducting cyber operations, is always ongoing, every developed country, every G20 level country that has an organized government and organized military is conducting some level of cyber operations. Cyber operations are best conducted when it doesn't get any press, when it doesn't get any traction. So obviously there should be a counter-offensive going on that's happening behind closed doors. It may not necessarily just be cyber related, you know, we have many elements of national power whether it's economic, the whole DIME principle, the Diplomatic Informational Military and Economic national power. We should be using all those elements to put pressure on Russia to basically at least roll back their activities and their operational tempo against us.

Jeff Schilling: [00:16:33:18] The second piece that we really need to do as a nation is we need to come together and put this behind us. No matter what element of the political spectrum that you live on, at the end of the day this was an attack on the whole American election process, and governing process, and I think that we need to stop paralyzing ourselves and put this behind us and move forward and go on with some of the policy-making decisions that we need to make that right now the government is paralyzed in making.

Dave Bittner: [00:17:05:03] So looking forward, how do we as a nation, on both the government side and the private sector side, what are some of the best actions we need to take to protect ourselves from these sorts of things in the future?

Jeff Schilling: [00:17:20:16] Well I think the first thing that we need is just basically a mindset. We need people to get into a cyber security mindset, everybody. You know we have tons of customers that come to us because we provide cloud security. I talk to prospective customers all the time as well as go to conferences and I would say that less than 10% of business owners and people that conduct business really, really deeply care about making sure they're doing the right things with cyber security. They just see it as an expense on the P and L. They see it as an L on the P and L, and they really don't put a lot of investment. They put the minimum amount of investment to be compliant.

Jeff Schilling: [00:18:01:11] So I think that's the first thing, we need a complete mind reshape and god knows we've had the global incidents that should have given us that mind reset but we still see events happening like some of the recent major hacks and data breaches that we have and are still ongoing.

Dave Bittner: [00:18:17:04] One more thing I wanted to ask you about, from your experience inside the Army's SOC and with US Army Cyber Command, can you give us a little window to what it's like in there? What do you wish people knew about the men and women who are keeping those operations running?

Jeff Schilling: [00:18:34:07] First off, those are the two hardest jobs I've ever worked in my 28 year career. I was working one incident response when I was at Joint Task Force Global Network Operations where I ran the DOD Security Operations Center, I worked for almost 28 days straight, probably 16 to 17 hours a day, doing a global response to a nation state actor. And so those troops work incredibly hard. And the other thing is that I will tell you our nation's secrets are secure on our classified networks but there's so much good information on our unclassified networks that that's really where the department struggles.

Jeff Schilling: [00:19:17:24] You know someone asked me back in 2010, you know when I was running the Army Cyber Command's Security and Operations Center, they actually called it the Army Cyber Information and Intelligence Operations Center, what do you think we should do to get the initiative back from the threat? And that's really how I ended up where I was because no one had ever asked me that question, they just always asked me how bad it is and what I knew. And I really think that the cloud in moving our data centers to the cloud is our opportunity to get ahead of the threat and that's a whole other podcast that we should do sometime because I can tell you that there is, you know from 2010 I would say to about 2015 I was the only guy on the security panel saying that we needed to move to the cloud. Now in 2015 to 2017 now I would say about half the security folks are now saying, you know what this is starting to make sense. I have better ability to build a defend-able architecture in the cloud but we're still not there. I can tell you that if anybody wants to know who is winning the cyber war I will tell you that's classified but I can tell you the good guys are winning.

Dave Bittner: [00:20:32:02] That's Jeff Schilling from Armor. We'll have an extended version of this interview available exclusively for our Patreon subscribers.

Dave Bittner: [00:20:42:24] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence check our

Dave Bittner: [00:20:55:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe. And I'm Dave Bittner, have a great weekend. Thanks for listening.