The CyberWire Daily Podcast 12.1.17
Ep 486 | 12.1.17

Flynn pleads guilty in Mueller probe. Misconfigured AWS S3 buckets, again. Election trolling and spy versus oligarch. Black Friday fraud down. Crime and punishment.


Dave Bittner: [00:00:01:12] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:22] Former National Security Advisor Flynn pleads guilty to lying to the FBI. Another misconfigured AWS account is found. Cobalt is either careless or engaged in misdirection. Election trolling and mutual suspicion between Russia and the US. Kaspersky says his company didn't, doesn't, and won't spy for the Russian government as US agencies begin to purge their systems of his security software. Black Friday fraud seems to be down this year. South Korea's investigation of domestic election meddling by its cyber command sharpens. And Roman Seleznev gets another fourteen years on carding charges.

Dave Bittner: [00:00:55:10] Here's a quick note about our sponsor E8 Security. We've all heard a lot about artificial intelligence and machine learning. Hey, who of a certain age doesn't know that Skynet achieved self-awareness and sent The Terminator back to take care of business. But that's science fiction and not even very plausible science fiction. But the artificial intelligence and machine learning that E8 is talking about isn't science fiction at all. They're here today. E8's white paper, available at, can guide you through the big picture of these still emerging but already proven technologies. We all need to turn data into understanding and information into meaning. AI and machine learning can help you do that. See what they can do for you at We thank E8 for sponsoring our show.

Dave Bittner: [00:01:50:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, December 1st, 2017.

Dave Bittner: [00:01:59:21] In some breaking news out of Special Counsel Robert Mueller's investigation of Russian influence operations, former National Security Advisor Michael Flynn has entered a plea of guilty to charges of lying to the FBI. The retired Lieutenant General appeared this morning in a Washington Federal court where he acknowledged that he was cooperating with Mueller's investigation. Flynn said he made false statements to FBI investigators about conversations he held with the Russian ambassador to the United States, Sergei Kislyak.

Dave Bittner: [00:02:29:13] Beyond this development, the week ends as it began, with news of a misconfigured cloud account.

Dave Bittner: [00:02:35:02] In what's become a dog-bites-man story, or maybe even an evergreen one, another unsecured Amazon Web Services S3 bucket has been found, open online and misconfigured for public access. This one held data belonging to the National Credit Federation (NCF), and contained some 111GB of data, much of it in the form of sensitive credit records. The Tampa-based NCF is a membership-based organization whose mission is in their own words, "To help people who are currently in or have successfully come through a financial crisis, take back control of their finances and credit, allowing them to achieve their financial dreams." Up to forty-thousand individuals may have been affected, their data exposed, but UpGuard, which found the misconfigured bucket, says it saw no evidence anyone had actually stolen the information. The database has since been secured.

Dave Bittner: [00:03:27:16] The Cobalt hackers, criminals who target financial institutions with phish-baited malware, may have committed a misstep, Bleeping Computer reports. Some of their spam appears to reveal their intended targets in the most obvious place, the email's "To" field as opposed to the customary "BCC" field you'd use if you didn't want all the addressees to see one another. But there's speculation this may be misdirection intended to send security researchers on a wild goose chase while Cobalt unobtrusively pursues its real targets.

Dave Bittner: [00:03:59:20] As more reports emerge of the scurrilous content of Russian election trolling in the US, extending to violent fantasy, Satanism, racism, and so on, it seems Russia also feels itself under threat. The Kremlin thinks it sees a coordinated US campaign to turn Russia's oligarchs against their government. This is believed in Moscow to be the real goal of US sanctions imposed after Russia's green men began their slow-motion re-engorgement of Ukraine. The Tweets reporters found that could be attributed to the Internet Research Agency, a Saint Petersburg troll farm, were aimed at creating mistrust, cross-currents of inter-group hatred, chaos, and an atmosphere in which US institutions would be discredited in the eyes of much of the public.

Dave Bittner: [00:04:44:18] Eugene Kaspersky has continued to vociferously object to charges that his company, Kaspersky Lab, was engaged in spying on behalf of the FSB or any other Russian intelligence service. He said this week that if he were told to do so by any of those services, he and his company would quit Moscow. The widely credited charge that Kaspersky has cooperated with the FSB has, he says, this much foundation in truth: the FSB in Russia is responsible for investigating cybercrime. So in addition to its role in developing foreign intelligence, the FSB plays a law enforcement role in Russia similar to the role the FBI and the Secret Service have in the United States.

Dave Bittner: [00:05:24:12] And Kaspersky does indeed cooperate with the authorities in the investigation of cybercrime. The company's founder says that they've been the victim of an orchestrated campaign by the United States Government to discredit them. That said, the US Government's ban on Kaspersky software continues. Federal agencies are reported to have completed their scans for Kaspersky security software as required by the Department of Homeland Security. About 15% of the Federal agencies found the security software. They have until the 19th of this month to remove it.

Dave Bittner: [00:05:56:00] A quick look back at Black Friday weekend suggests good news. According to Iovation, credit card fraud appears to be down 29% from 2016. The reasons for the drop are complex, but two stand out. Brick-and-mortar retailers are benefiting from widespread adoption of chip-and-PIN technology. And online retailers have taken advantage of new techniques of device intelligence to prevent fraud in transactions where the card is not physically present. The four-day period that showed the drop in fraud ran from Black Friday through Cyber Monday.

Dave Bittner: [00:06:29:11] A team of investigators formed by South Korea's Ministry of Defense is said to have concluded that the Republic of Korea's Cyber Command illegitimately sought to influence 2012's domestic elections.

Dave Bittner: [00:06:41:22] Lyft, Uber's rival in the ride-gig market, has been enjoying a good year, which many attribute in part to Uber's problems with leadership, litigation, and, most recently, a massive data breach. Lyft is said by TechCrunch to have tripled its revenue this year. For its part Uber faces a rising tide of lawsuits. The City of Chicago and Cook County, Illinois, have filed suit asking for fines amounting to $10,000 a day for each violation of a consumer's privacy. Washington State has filed a consumer protection lawsuit against Uber. The state Attorney General has asked for $2000 per violation. These suits could easily amount to millions of dollars in penalties. The company also faces two class-action suits filed in Federal courts last week: one in Los Angeles, the other in San Francisco.

Dave Bittner: [00:07:32:02] Finally, a well-known and well-connected Russian hacker has been convicted of additional charges in a US court. Roman Seleznev, son of a prominent Duma member, was nabbed in 2014 on a US warrant while attempting to return from a vacation in the Maldives. He was convicted in a Seattle Federal court of thirty-eight counts related to carding and fraud, and sentenced to twenty-seven years. This week he received another fourteen years, these from a Federal court in Atlanta, upon conviction of one count of racketeering and one count of conspiracy to commit bank fraud. The Russian government has long denounced Seleznev's arrest as kidnapping; the US calls it extradition. It's also a warning to choose your vacation spots with care.

Dave Bittner: [00:08:20:21] Time to share some news from our sponsor Cylance. Cylance has integrated its artificially intelligent Cylance Protect engine into VirusTotal. You'll know VirusTotal as the free online service that analyzes files and URLs to identify viruses, worms, trojans and the other kinds of badness antivirus engines and website scanners pick up. Cylance has pledged to help Virus Total in its mission of making the security industry more perceptive and the Internet a safer place. It's like public health for cyberspace. Free tools and services help keep everyone's risk down. Cylance sees their predictive approach to security as a contribution to the fight against cyber attacks and they're now fully integrated as one of the analysis engines available in VirusTotal. Visit and look at their blog for more on their contribution to our online immune system. We thank Cylance for sponsoring our show.

Dave Bittner: [00:09:21:14] Joining me once again is Malek Ben Salem. She is a senior manager of security and R&D at Accenture Labs. Malek, welcome back. We wanted to touch on GDPR. It's coming up next year and will be here before we know it. Why don't you run down some of the numbers for us.

Malek Ben Salem: [00:09:37:01] There's been a lot of talk about GDPR. For people who are not familiar with it, it's General Data Protection Regulation, which will come into effect on May 25th, 2018. Gardener released a report predicting that by the end of 2018, more than 50% of companies will not be in full compliance with GDPR, and that number will be 40% in 2020. Forrester predicts that 80% of companies will fail to comply in 2018. I personally think that we're probably closer to the Forrester number, meaning 80% as opposed to the 50% predicted by Gardener. The reason is that many companies still don't know if they need to comply or not. A survey by Watchguard, which was reported on CyberWire before, predicted that 37% of global organizations are still unsure if they need to comply. So if you're unsure then you probably need to comply.

Dave Bittner: [00:10:47:21] There are some hefty fines so it's in your best interest to find out.

Malek Ben Salem: [00:10:52:02] Absolutely. It is important to find out. It's important to make that investment. From a digital trust standpoint, GDPR is really driven by ensuring consumer's privacy. If you invest in it, there is an opportunity to build that trust with your client. You can turn this from a burden into an opportunity. Let's say the burden of identifying new categories of personal data. You can turn that into an opportunity to build more comprehensive customer profiles. You can turn the requirement of privacy by design and minimize data into an opportunity to reduce the cost of retaining all of the data that is not necessary for your operations. You can turn the data breach notification, which we're all familiar with, into an opportunity to build customer trust into your value proposition.

Malek Ben Salem: [00:12:00:15] If businesses look at this the right way, they can turn that investment that they put into GDPR compliance into really great opportunities for growing their reputation and for building that trust with their clients.

Dave Bittner: [00:12:16:19] It seems to me that no one's going to say, "Gosh, it's a shame that you've put all these extra privacy implementations in place." It's a good thing.

Malek Ben Salem: [00:12:24:23] Absolutely. It is a good thing.

Dave Bittner: [00:12:26:13] Malek Ben Salem, thank you for joining us.

Dave Bittner: [00:12:33:20] Now I'd like to share an important upcoming opportunity from our sponsor Cybric. On December 12th, experts from global payments solutions provider Visa and Cybric, with the first of its kind continuous application security platform, are teaming up for a webinar to talk enterprise cyber threat survival. How can you protect your organization against the devastating breaches you hear about all the time in The CyberWire. Swapnil Deshmukh, Senior Director of Emerging Technologies Security for Visa, And Mike Kyle, CTO at Cybric, will weigh in. They'll talk about how rapid innovation and continuous delivery via DevOps exposes organizations to a constant evolving cyber threat. They'll also talk about how seamlessly embedding continuous security within existing ecosystems will enforce security across production environments. Join them for this insightful and information packed webinar on December 12th, 2017, at one PM, US Eastern Time. You can learn more and register today at That's We thank Cybric for sponsoring out show.

Dave Bittner: [00:13:50:22] My guest today is Gary Golomb. He's the co-founder of Awake Security, a company that provides advanced security analytics. We began our conversation with a discussion about prioritization and how organizations are challenged with choosing where to allocate their money, talent and time.

Gary Golomb: [00:14:07:01] Prioritization to me is an ongoing challenge. Prioritization was something I saw companies struggling with in the very early 2000s. We still have that exact same issue today and I think a lot of conversations around it are very similar to what they were 15+ years ago. It is true that prioritization is a challenge, however I think a more substantial challenge that has arisen over time is that these things still need to be looked at, regardless of how they are prioritized. These things are the list of things that you ultimately need to look at, for example alerts. In theory, knowing that prioritization is a challenge and it is probably flawed still today. If you could get through more things and be more effective as you go through those things, then it starts to compensate for how you prioritize. I think prioritization will be implicitly flawed because you always have incomplete information. Prioritization can become less of an issue if you can be more effective and more accurate about how you go through those things. There's actually concepts around that that I think can be interesting to look at as well.

Dave Bittner: [00:15:41:02] Take us through that.

Gary Golomb: [00:15:46:06] One concept we've been studying for a little while now is what we call comparability. When you look at the 2010 time-frame, plus or minus a couple of years, that puts us at the heyday of export gifts and mass compromises of end points. When you look at a soc during those time-frames and when you look at a lot of the things that an average analyst was looking at, they had a lot of information available to them that allowed them to make comparisons that ultimately allowed them to make decisions about whether to respond appropriately to something or not. As a concrete example, you could get a new piece of malware that infects some end point and it has a user agent string that looks like a browser but the word Windows or Microsoft or something is misspelled, which was surprisingly common back then.

Gary Golomb: [00:16:46:06] But you had a lot of additional information available to you that allowed you to make comparisons and see that this user agent looks wrong. Even if you plug that user agent into Google and you got no results back, so you didn't get a positive confirmation that it's malware, you had the information available for you to make comparisons and to make a decision on your own, in absence of some other system or some other source telling you it was bad. Because of the way the attack surface has changed dramatically over the past seven years, the information that analysts had available to them to do those comparisons and to make decisions effectively, intrinsically or implicitly with the information they have in front of them, has gone away in a lot of cases. Think about a server application and looking at supporters and mega breaches, each serve can be very different from each other.

Gary Golomb: [00:17:45:14] In fact, a lot of times, the people who tend to know most about the way a server is behaving are the server application developers, unless you start working on whether it's characterizing or bringing information to the analysts. In many cases, they can't look at the information from the server and do a Google search to see if it should be acting that way or not, that is knowledge that is going to be intrinsic to the organization itself. The buck stops with the analyst. You can alert to things all day long but if somebody can't make an effective decision about whether that should be responded to or not, you've lost your chance to respond to the thing. Comparability actually becomes a very important aspect that enables analysts to make decisions, compared to, should this be behaving in this particular way or what is business justified, if you will, in my environment.

Dave Bittner: [00:18:57:24] That's Gary Golomb from Awake Security.

Dave Bittner: [00:19:05:05] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit

Dave Bittner: [00:19:18:18] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:27:07] Our show is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.