The CyberWire Daily Podcast 11.30.17
Ep 485 | 11.30.17

Breaches, extortion, and insider threats. Credit bureaus and GDPR. HP addresses spyware allegations. When is a snack bag more than a snack bag?

Transcript

Dave Bittner: [00:00:01:04] Just a quick reminder that one of the best things you can do to help support the CyberWire is to leave a review for us on iTunes. And also, you can help spread the word among your friends, co-workers and colleagues. Thanks.

Dave Bittner: [00:00:15:02] Shipping giant Clarksons refuses to pay hackers extortion. The US House may be reaching consensus on surveillance authorities. INSCOM mops up Red Disk leak. The US Defense Department may have more work to do countering insider threats. HP denies reports of spyware in its PCs. Apple fixes High Sierra. Credit services think through the implications of GDPR. And snack foods, a guilty mind, Faraday cages and employment law.

Dave Bittner: [00:00:47:08] A quick note about our sponsors at E8 Security. They understand the difference between a buzz word and a real solution. And they can help you disentangle them too, especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at e8security.com/cyberwire. We all know that human talent is as necessary to good security as it is scarce and expensive, but machine learning and artificial intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine, might seem the best approach? In fact, unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out e8security.com/cyberwire and find out more. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:54:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, November 30th, 2017.

Dave Bittner: [00:02:04:05] Clarksons, the UK-based global shipping company, said its network had been compromised by criminals who accessed proprietary information and demanded ransom in exchange for keeping the information unannounced. Clarksons declined to pay and turned the matter over to the police. The criminals appear to have achieved access through a single compromised legitimate user's account, which has since been disabled, not by exploiting a software vulnerability.

Dave Bittner: [00:02:30:20] US Representative Adam Schiff, a Democrat from California, ranking member of the House Intelligence Committee, says the committee is close to consensus on how to reform and reauthorize Section 702 foreign electronic surveillance authorities. Section 702 sunsets at the end of this month, so the deadline is approaching.

Dave Bittner: [00:02:51:03] HP denies media reports that its PCs came preloaded with spyware that surreptitiously reported usage data back to HP without users' permission. The accusations surrounded the company's Touch Point Analytics, which do report performance data, HP says, but only with users' permission. HP's VP of Customer Experience for Personal Systems, Mike Nash, told CRN that, "You have to click yes or no. If you click nothing, we take that as a no."

Dave Bittner: [00:03:20:22] Apple has patched the root vulnerability in macOS High Sierra. The upgrade appears to be quick and painless to install; all Mac users are advised to do so.

Dave Bittner: [00:03:31:15] Callcredit, Equifax and Experian are said to be preparing for GDPR implementation by working on a Credit Reference Agency Information Notice or CRAIN. The document is intended to bring credit bureau use of personal information into line with the EU's pending requirements.

Dave Bittner: [00:03:49:15] Cylance recently released a report based on a survey of over 650 industry professionals, titled "Artificial Intelligence in the Enterprise." Shaun Walsh is Senior Vice President of Marketing at Cylance and he shares what they learned.

Shaun Walsh: [00:04:03:13] If you look at the RSA conference last year, I don't think you could walk by a booth that didn't say they were using either AI or machine learning. The question became, if it's become an overused, over-hyped term, what is really being done with it by IT people who do this for a living? Are they taking the risk or are they sitting back and watching? As you could imagine, AI can sometimes be a polarizing topic. You know, we have people like Elon Musk and others out there that are concerned about certain capabilities of AI. But when you look at it from an IT perspective, you know, are people sharing those concerns? Or are they looking at this as a better mousetrap to solve the existing business problems they have today? And I think what the survey bore out is that they do see it as a better mousetrap. Some day in the future it might be a different tool, but today we think this is the state of the art in terms of looking at how to prevent and predict attacks.

Dave Bittner: [00:04:54:17] Take us through some of the key findings from the survey.

Shaun Walsh: [00:04:57:14] Yeah, so I think the biggest thing that surprised me when I looked at it was they said that 60% of IT decision makers say they're already using AI powered technology in their data center. That was a number that I expected to be much lower. Now, when you talk about across a data center there's probably dozens and dozens of applications that they're including in the generic AI area, not just specifically security related items. And then the next big thing that really surprised me is that they said 93% said AI will create new jobs. That's one of the knocks that people have against any major generational turn of technology, is will it take jobs away? And the part that happens in every major generational turn of technology, from the industrial revolution through the computer age, through all these different changes, is that ultimately more jobs are created. They're different jobs than we had before, but there is no shortage of new jobs that are created.

Dave Bittner: [00:05:53:01] So, I guess one of the things that this survey bears out is that people are looking to AI to help fill that gap?

Shaun Walsh: [00:05:59:19] Yeah, and that's really what it is. It's about scaling the workforce today, and in the future, so that you can reapply those resources to better tools. One of the papers we have published on our website is a survey that Forrester did on total economic impact study. And what they said was, look, this is really, really simple for us, with your AI based solutions. We used to have six people managing desktop solutions across our 3500 personnel organization, I was able to make that two people. And I took those other four individuals and I put them on a next generation project that took them out of maintenance mode and put them into proactive improvement mode. And that's what people like about AI is it lets them scale, it lets them have better visibility into what the problems are they face, and that they can get more scale out of the human beings that are involved. It is an augmentation, it is not a replacement.

Dave Bittner: [00:06:54:11] That's Shaun Walsh from Cylance.

Dave Bittner: [00:06:57:22] A note about our interview with Cylance's Shaun Walsh. Cylance is our sustaining sponsor and has a long and, on our part, much valued relation with the CyberWire. But, we interviewed Shaun not for this reason, but because we think he has something interesting to say about artificial intelligence. We appreciate Cylance's sponsorship, but, with interviews like this they go through the same process as everyone else. It's not pay for play, and neither we nor they would have it any other way.

Dave Bittner: [00:07:26:17] And finally, for your consideration, here's some creative slacking, not that we recommend this pro-tip from Down Under. A gentleman in Western Australia was dismissed from his position at water management joint venture Aroona Alliance when it was determined that he was not in fact out on the job troubleshooting water distribution issues, but instead out on the links, shooting a few rounds of golf. Well, actually, it wasn't a few, but more like a 140, give or take a few bogies and birdies, and nineteenth holes. Mr. Tom Colella, aged 60, and an electrician, was disappointed in his efforts to get the Australia Fair Work Commission to overturn his dismissal. The gentleman had evidently been in the habit of placing his GPS-enabled personal digital assistant inside a snack bag, thereby shielding it from monitoring by his employer. Managers at Aroona Alliance apparently knew he liked to keep his PDA and crisps together, but evidently mentally wrote this off as a charming eccentricity until, hey, well, wait a minute, where is this guy, anyway?

Dave Bittner: [00:08:29:15] The judgment of Fair Work Commissioner Bernie Riordan is worth quoting in full, especially since it offers some perspective on professional knowledge and professional responsibility. "I have taken into account that Mr. Colella openly stored his PDA device in an empty foil Twisties bag. As an experienced electrician, Mr. Colella knew that this bag would work as a Faraday cage, thereby preventing the PDA from working properly, especially the provision of regular GPS coordinate updates. Mr. Colella went out of his way to hide his whereabouts. He was concerned about Aroona tracking him when the Company introduced the PDA into the workplace. He protested about Aroona having this information at that time. Mr. Colella then went out of his way to inhibit the functionality of the PDA by placing it in a foil bag to create a Faraday cage."

Dave Bittner: [00:09:21:06] The snack brand preferred by Mr. Colella was Twisties, a corn-based cheese curl which comes in a variety of appealing flavors, including original Cheese, Chicken, Hawaiian Pizza, Sweet Butter Toffee, Spiced Burger, and, our favorite, the now sadly discontinued Bag of Ghosts, always a crowd-pleaser around Halloween. It's unclear whether the flavor affected the electromagnetic performance of the bag, but it seems a safe bet that the aluminized Mylar bags would all exhibit some degree of Faraday shielding.

Dave Bittner: [00:09:48:14] So, don't try this around your workplace, friends. No matter how hard you're working on your handicap, you're not going to turn into Greg "the Shark" Norman in any case, and you're not going to be able to claim lack of mens rea if you have any electrical knowledge at all. But a question: would this kind of hack work equally well with Utz potato chips, much favored along the Baltimore-Harrisburg-Pittsburgh line? And would, maybe, the bags for the Old Bay Crab Chip flavored items be a good choice for a Faraday cage? You know, if you like sealed the bag and grounded it? Just asking for a friend.

Dave Bittner: [00:10:26:24] Time to share some news from our sponsor, Cylance. Cylance has integrated its artificially intelligent Cylance Protect Engine into VirusTotal. You'll know VirusTotal is the free online service that analyzes files and URLs to identify viruses, worms, Trojans and the other kinds of badness antivirus engines and website scanners pick up. Well, Cylance has pledged to help VirusTotal in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyberattacks. And they're now fully integrated as one of the analysis engines available in VirusTotal. Visit cylance.com and look at their blog for more on their contribution to our online immune system. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:11:26:15] And joining me once again is Robert M. Lee, he's the CEO at Dragos. Robert, welcome back. You know, I thought we could run through some of the ICS environments that you all deal with. Why don't we start with natural gas? Give us an idea, here in the United States, what is the lay of the land with our natural gas system? How's it controlled? And what are the threats?

Robert M. Lee: [00:11:47:16] Yeah, absolutely. So when it comes to natural gas, it's an interesting, changing point for the industry. For years, although it was still critical and important, there wasn't as much national attention on it, because it wasn't as critical to the [UNSURE OF WORD] electric system. As we have moved away from coal and moved more towards renewable sources, we still need a quick way to be able to generate power, which is natural gas. And so natural gas is starting to feed the electric grid much more so. Even a lot of larger energy companies are buying up natural gas companies, which means that that national focus has definitely increased. There are threats that have targeted natural gas already, and we've heard about these over the years, we've never seen destruction or disruption as a result of an intentional attack, but, of course, it's still something that weighs very heavily on folks' minds, especially when we start seeing the criticality of the industry increase.

Robert M. Lee: [00:12:39:02] What they're sort of up against today is a variety of risk that they're trying to mitigate. One of the factors for them is they do have that traditional SCADA approach, meaning they have very long distances, a lot of pipelines, very large landscape that they have to cover, as well as very boutique kind of systems. You know, gas compressor station along the side of a pipeline is not really normal knowledge for a lot of those, even in the industrial control, security community. So, for them, they're trying to reduce that risk, not only to physical threats and things they have to deal with like crazies along the pipelines, but also in the fact that their threats can get out to those locations, and it's not some easily tapped infrastructure. It's not like they could drive to every single gas compressor station and every single aspect of the pipeline and storage wells, and all that, and throw a managed switch on there and start tapping that traffic, it's not really achievable in that way. So they're much more around ingress and egress filtering and understanding if they can identify threats from the control center down or back up again from those sites. And at the same time, they're just dealing with the nature of the policies.

Robert M. Lee: [00:13:44:10] So you've got some good organizations, like the Downstream Natural Gas ISAC, who's trying to do a lot of advocacy and outreach in that sector. But I expect this will be a very turbulent next couple of years for them as they try to figure out how to articulate what the real risk is, while minimizing it without letting, as you noted, the hysteria get taken away as commercial members and others start asking questions on, "Oh no, what is the threat to this new industry," well, it's not really new, "but this industry that's new in its criticality to the electric grid?" So, fantastic opportunity for them, definite challenges, but, as always, we've got some fantastic people taking on that challenge.

Dave Bittner: [00:14:18:21] And what would be the impact of an interruption of a natural gas service?

Robert M. Lee: [00:14:24:04] It could be significant, it depends on a lot of factors, but, one of the factors to consider is other generation sources of power in that region, as well as time of the year. So, as an example of a particularly bad scenario, if we're talking about the dark months of the year where we're not getting as much in terms of solar and move towards solar more in the grid, and we also combine that with it being winter in places like the northeast or the northwest, you know, a significant outage could actually have loss of life impact when it comes to people in that region. Now, we're not talking about everybody in the region dying, but, nobody should take any loss of life lightly. So we're talking a number that is uncomfortable mostly just because we're talking about people's lives there. So I think there's a realistic scenario where an attacker can make planned and coordinated strikes against pipelines that have real repercussions, but it still is much more difficult and nuanced than people make it out to be. But the complexity of a natural gas pipeline is not the same as the complexity of the overall grid, which means, to take down a giant portion of the grid for any significant portion of time is a very complex problem. It's not as complex in gas pipelines, but it is still not trivial by any stretch of the imagination.

Dave Bittner: [00:15:39:19] Robert M. Lee, thanks for joining us.

Dave Bittner: [00:15:44:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.

Dave Bittner: [00:15:57:17] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:16:07:15] Our show is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, the executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.