The CyberWire Daily Podcast 11.27.17
Ep 482 | 11.27.17

Breach disclosure: fast and slow. Mirai's minor comeback. Anti-ISIS Hacktivists strike Amaq. North Koreans studying blockchain. Alleged Game of Thrones hacker indicted.


Dave Bittner: [00:00:01:01] You can show your support for the CyberWire by visiting, and signing up today to help support our show. Thanks.

Dave Bittner: [00:00:12:16] Imgur discloses a data breach. Uber faces regulatory attention and possible post-hack headwinds for its anticipated IPO. Mozilla's working on a Firefox add-on to warn you that a site you're visiting has been breached. There's a minor resurgence of Mirai, mostly from routers in Argentina. Anti-ISIS hacktivists school the Caliphate in information operations. What did the FBI know about Fancy Bear? North Koreans study blockchain. And winter is coming for an Iranian hacker.

Dave Bittner: [00:00:45:23] A quick note about our sponsors at E8 Security. They understand the difference between a buzzword and a real solution, and they can help you disentangle them too, especially when it comes to machine learning, and artificial intelligence. You can get a free white paper that explains these new, but proven technologies, at We all know that human talent is as necessary to good security as it is scarce and expensive. But machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach? In fact, unsupervised machine learning, can show the human something unexpected. Cut through the glare of information overload, and move from data to understanding. Check out and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:52:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, November 27th, 2017.

Dave Bittner: [00:02:03:09] Imgur, the image sharing service, disclosed Friday that it had been hacked in 2014, losing some 1.7 million email addresses and passwords, probably to a brute-force attack against the SHA-256 hashing algorithm it was using at the time. Imgur has since moved to bcrypt, reckoned a more secure algorithm. Researcher Troy Hunt, who operates the site "Have I Been Pwned?" discovered the breach on Thursday and immediately informed Imgur. Their swift disclosure, just one day later, is being widely commended. Detection of course, was slow, but once they learned of the breach, they were very fast indeed. As Hunt put it, "I want to recognize Imgur's exemplary handling of this: that's 25 hours and ten minutes from my initial email to a press address to them mobilizing people over Thanksgiving, assessing the data, beginning password resets, and making a public disclosure."

Dave Bittner: [00:02:58:20] The obvious contrast here, of course, is the disclosure practiced by Uber, which not only kept mum about its own 2016 breach until about a week ago, but also appears to have paid the hackers hush money to the tune of a hundred grand to keep it quiet. Uber's breach occurred on the watch of former CEO, Travis Kalanick, who, according to Reuters, knew about the breach in December of last year. The current CEO, Dara Khosrowshahi, took over the company at the end of August. Now in the process of mopping up the damage, Khosrowshahi is said to have learned of the incident in September, about two weeks after moving into the CEO job. He did not immediately disclose it, taking about two months to investigate and assess the damage.

Dave Bittner: [00:03:41:08] Opinion differs on whether this delay was a proper course of action. On the one hand, the incident was complex, involved the conduct of senior members of Uber's management team, and was probably not then well-understood. On the other hand, people need to be warned quickly when their personal information has been compromised.

Dave Bittner: [00:04:00:02] Uber faces a variety of legal and regulatory actions in many jurisdictions. At least three US states have opened investigations: New York, Connecticut, and Illinois, and there are said to be investigations in progress by the Federal Trade Commission, the FBI, and the US Attorney for the District of Manhattan. International investigations are said to be under way in both Australia and the United Kingdom.

Dave Bittner: [00:04:23:12] Uber is privately held. It's believed, in fact to be the most valuable privately held tech company in the world, but it's preparing for a 2019 IPO. Crucial to that IPO is a tender offer, expected tomorrow, from Japan's SoftBank. Observers think Uber may find its value damaged by the data breach, and wind up paying what some are calling a "Kalanick risk-premium". Ousted as CEO in June, Kalanick remains on Uber's board.

Dave Bittner: [00:04:51:24] Mozilla is working on an enhancement to its Firefox browser, to warn Internet users when they visited websites known to have sustained data breaches. The feature is said to use data provided by "Have I Been Pwned?" An alert would come up, saying, "You visited hacked site (fill in the blank)," followed by an input field that appears to let visitors enter their email address to determine whether their data were among those lost. It's one approach to raising awareness about data loss. Bleeping Computer thinks it might be more useful if it put less emphasis on the incident and more on encouraging affected users to change their credentials. Mozilla's add-on is still in development.

Dave Bittner: [00:05:31:15] Security researchers at Qihoo 360 NetLab, have told Bleeping Computer they've noticed an increase this month in Mirai botnet activity. They connect it to the publication of proof-of-concept exploit code on Halloween. There was a three week lag. Scans using the proof-of-concept began on November 22nd. The exploit posted online takes advantage of a hidden superuser password on older Zyxel routers. The password apparently was shipped with the routers that used CenturyLink and Qwest Modem default Telnet credentials. Most of the newly herded Mirai bots appear to be in Argentina. The new Mirai campaign has yet to have had serious consequences, especially since the malware isn't persistent. The bots drop out once the routers are rebooted.

Dave Bittner: [00:06:18:12] A group of anti-ISIS Muslim hacktivists, "Daeshgram", has succeeded in breaking into ISIS news agency Amaq, and introduced fake news into Amaq's sites. Their goal, they say, is to contribute to the discrediting of ISIS by flooding Amaq users with bogus and scandalous, yet plausible, content. They have attempted to craft the fake news for believability, announcements that an ISIS radio station had been destroyed in an airstrike, things like that. ISIS handed Daeshgram a victory when it told followers not to trust links presented in Amaq. Mistrust of Amaq and other ISIS outlets is something the civilized world would welcome. The Caliphate's inspiration continues to prompt great suffering. ISIS struck a Sufi mosque in Egypt over the weekend, killing more than 300 worshipers, many of them children. An attack on a mosque is unusual for the terrorist group, but they've been denouncing Sufism online for some time.

Dave Bittner: [00:07:14:20] The Associated Press reports that the US FBI knew for about a year that Fancy Bear was going after officials' email accounts, but generally didn't inform the targets that they were being prospected by a Russian intelligence service. The report is new, and what the FBI did or didn't do, and why, isn't yet clear. The story is, as they say, "developing".

Dave Bittner: [00:07:37:01] Observers note with misgivings an increase in North Korean University training on blockchain technology. Recorded Future, for example, dismisses the notion that this is an innocent intellectual trend, like a lot of ambitious undergrads from Sinanju looking for a career in the Next New Thing. Most see the training as a harbinger of more attempts to loot Bitcoin and other cryptocurrencies on behalf of the Pyongyang regime.

Dave Bittner: [00:08:02:22] Criminal interest in cryptocurrency theft is rising across the board. The SANS Institute has been blogging about an increase in scans for Bitcoin and Ethereum wallets, so hold onto your blockchains.

Dave Bittner: [00:08:13:24] Finally, winter is coming. Let's see, that's 20, 21, 22, 23, right, 24 days from today, up here in the Northern Hemisphere. But it's also coming for one Behzad Mesri, sometime Iranian military contractor and alleged member of the Turk Black Hat Security hacking team. Mr. Mesri was indicted last week for his alleged role in hacking the HBO series Game of Thrones. Acting US Attorney Joon Kim, who's obviously a fan of the show, pointed out that "Winter is coming" is the motto of the House of Stark, and that as Mr. Kim put it, "Today, winter has come for Behzad Mesri." Of course, there's no way Tehran is going to serve a US warrant on Mr. Mesri, but in some ways it's the thought that counts when you're naming and shaming. As Mr. Kim pointed out, "For the rest of his life, and he's a relatively young man in his late twenties, he will never be able to travel outside Iran. The memory of American law enforcement is very long."

Dave Bittner: [00:09:14:02] So, think of it this way: whenever a wanted hacker is getting ready to book a vacation abroad, the White Walkers will be there to hit him or her with an extradition order. If Mr. Mesri is fond of the beach, may we suggest the Caspian Sea.

Dave Bittner: [00:09:32:06] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent Cylance Protect Engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines in website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive, and the Internet a safer place. It's like public help for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyberattacks, and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:10:32:07] And joining me once again is Ben Yelin. He's the Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We saw an article come by about President Trump who's signed a Cyber Crime Fighting Act, which is set to help with local and state law enforcement. Here's a win for the President.

Ben Yelin: [00:10:53:09] Yes, he signed this piece of legislation just last week. The Strengthening State and Local Cyber Crime Fighting Act of 2017 was introduced in the House of Representatives by a member named John Ratcliffe from Texas, that also had bipartisan buy-in in both the House and the Senate, including sponsorship from Dianne Feinstein, a Democrat in the Senate who has been on the forefront of many of these issues. The legislation authorizes the National Computer Forensics Institute, located in Hoover, Alabama. So whoever is the congressman there, I'm sure had a major impact in shepherding this legislation. And the idea is that this Institute will get federal funding to train local officials across all 50 states, and across all of our territories, to become more effective at fighting cybercrime.

Ben Yelin: [00:11:42:20] And I think we've talked about it on other segments, the importance of getting to local officials, especially first responders, to have a glut of skills, but cybersecurity and protecting against cybercrime is not going to be one of them. I think largely, you know, it's just not the practice of the industry to be well-versed in these topics. But I think we're going to see more profile events, where part of the emergency response is going to require at least a basis of knowledge in cybersecurity issues. And since we already have an institute, a body that's capable of conducting these trainings, and they've already trained 7,000 local officials, I think, this is a wise piece of legislation. To expand that program, give it a little bit of government funding, and show that the federal government is willing to be a partner with states and localities in protecting against these threats.

Dave Bittner: [00:12:34:24] Yes, it's interesting with a paralyzed congress, that it seems like these cyber laws are some of the things that are being able to go through without much trouble.

Ben Yelin: [00:12:46:20] Yes, I mean I think fortunately for all of us, this is an issue that hasn't been particularly polarized. I think everyone is beginning to understand the immense threat that cybersecurity poses on our country, particularly our critical infrastructure, and some of our private companies. And I think President Trump, to his credit, has made this a priority. He came out with his Cybersecurity Executive Order earlier this year, and this is another piece of legislation, and granted it's not a major legislative accomplishment by any means, a relatively small program, but I think it's showing that he has some interest in these issues, and that he's willing to sign pieces of legislation to assist in this effort.

Dave Bittner: [00:13:28:03] All right. Ben Yelin, thanks for joining us.

Ben Yelin: [00:13:30:12] Thank you.

Dave Bittner: [00:13:32:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To learn more about how Cylance can help protect you, by using artificial intelligence, visit

Dave Bittner: [00:13:47:09] We are excited to announce, that over the Thanksgiving break, we've packed up and moved our offices. We are now produced in Maryland out of the start-up studios of DataTribe, where they co-build the next generation of cybersecurity teams and technology.

Dave Bittner: [00:14:00:22] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.