The CyberWire Daily Podcast 12.4.17
Ep 487 | 12.4.17

Nghia Hoang Pho charged with mishandling classified NSA material. A review of other recent leaks. Kaspersky under fire in the UK. More Uber executives depart.


Dave Bittner: [00:00:01:04] Thanks again to all of our listeners who have also become supporters. You can find out how at

Dave Bittner: [00:00:11:23] An NSA employee is charged with "willful retention of national defense information." A look back at the other three alleged NSA leakers: Snowden, Martin, and Winner. The UK expresses official misgivings about Kaspersky products, and more Uber executives depart the company.

Dave Bittner: [00:00:35:09] Now I'd like to tell you about a White Paper from our sponsor, Delta Risk. More than 90% of companies are using the cloud, although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding the Challenges of Cloud Monitoring and Security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets. You can get your copy of the white paper by visiting Delta Risk LLC, a ChertOff Group company, is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:01:33:22] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, December 4th, 2017.

Dave Bittner: [00:01:44:03] Last Friday it was announced that Nghia Hoang Pho entered a guilty plea in the US District Court for the District of Maryland to charges of willful retention of national defense information: between 2010 and May 2015, he took quantities of classified information home, both in hard-copy and on his laptop. According to charging documents unsealed Friday, Pho was formerly a developer with the National Security Agency's Tailored Access Operations Unit (the TAO). He faces up to ten years in prison. Pho is free until his sentencing, which is scheduled for April 6, 2018.

Dave Bittner: [00:02:21:21] The laptop Pho used to take classified information home to Ellicott City, Maryland, is the one that's long been discussed in connection with the US Government's ban on Kaspersky software. He is said to have had a Kaspersky security product installed, which detected some of the sensitive files he'd placed on his machine, which would appear to make him the long discussed but not until Friday publicly identified third man. Kaspersky acknowledges that it did detect the files, but denies having read them or done anything with them. Reports aren't calling Pho the source of the leaks that went to the Shadow Brokers, so that particular mole-hunt seems to remain an ongoing one.

Dave Bittner: [00:03:02:05] Nor do any of the other notorious NSA leakers appear to be the Shadow Brokers' source. It's worth reviewing their stories. The first and most famous is Edward Snowden, about whom this audience will already know a great deal. Mr. Snowden, now a resident in Moscow, was a systems administrator employed by an NSA contractor who, on May 20, 2013, fled Hawaii for Hong Kong with extensive information about US electronic surveillance operations. He had contacted journalist, Glenn Greenwald, then writing for the Guardian, on December 1st, 2012, so his leaks were some months at least in preparation. The material he took was subsequently published in the Guardian and elsewhere. On June 21st, 2013, the US Department of Justice charged Snowden with two counts of violating the Espionage Act of 1917. Two days later, Snowden arrived in Moscow, where he has enjoyed asylum since. He represents his motivation for leaking as arising from a concern for civil liberties and the threat mass surveillance could pose to them.

Dave Bittner: [00:04:06:09] The second leaker, Harold T. "Hal" Martin III, was also a contractor working for NSA. The FBI arrested him during a raid on Mr. Martin's Glen Burnie, Maryland, home, on August 21st, 2016. A search of the premises revealed a large quantity of highly classified material, some of it in electronic form, some of it in hard copy. On August 27th, 2016, Martin was charged with theft of Government property and unauthorized removal or retention of classified documents or materials by Government employee or contractor. He entered a plea of not guilty in October of 2016, and remains in custody awaiting trial. Martin's motives in taking the material remain obscure. His ex-wife, who generally spoke well of him, characterized Martin as a patriot, a workaholic, and a bit of a pack rat. He is said to have taken the material from his NSA workplace by simply walking out with it.

Dave Bittner: [00:05:02:14] The third leaker, Reality Winner, was also a contractor working for NSA. Ms. Winner was arrested on June 3rd, 2017, after a relatively quick investigation prompted by a publication's attempt to authenticate what appeared to be a classified NSA document a source had passed them. The publication was the Intercept, and the source, identified by telltale marks on the document that established where it had been printed, was, allegedly, Ms. Winner. She's been charged with violating the Espionage Act of 1917—she's pled not guilty—and she remains in jail awaiting her trial. Her motives appear to be political disaffection, evidenced in some fairly noisy social media posts associating herself with the "Resistance" to the current US administration, and to offering the Iranian people solidarity in the face of US "aggression." She's said to have told investigating FBI agents that she folded the stolen document and concealed it in her clothing.

Dave Bittner: [00:06:01:14] The ease with which the alleged leakers and mishandlers of classified information walked out with sensitive material is striking. The only one who seems to have used much thought in how one steals secrets is Edward Snowden. If it's true that Mr. Pho really did take stuff home to help him polish up his resume, this perhaps argues a certain culture of casual disregard for security measures, as if familiarity with the secret world breeds contempt for it. We hope not. They all certainly knew better than to squirrel classified material away in their homes and personal devices. Mr. Pho's case strikes observers as particularly baffling and egregious, since, as Federal charging documents state, Pho works for NSA Tailored Access Operations, regarded as an especially sensitive and important part of the Agency, and not a place accustomed to employing callow or clueless rookies.

Dave Bittner: [00:06:55:02] To return to Kaspersky, the security company continues to say it did nothing improper, and that it would decline any request to participate in espionage it might receive from the Russian government. Cooperation with the Russian government in criminal investigations, Kaspersky says, is of course a different matter.

Dave Bittner: [00:07:12:23] But skepticism about Kaspersky products has spread from the US Government to at least one of the other Five Eyes. On Friday, Ciaran Martin, director of the UK's National Cyber Security Center, advised permanent departmental secretaries that Kaspersky software should not be used in systems holding information that would damage British national security if it were accessed by the Russian government. Following GCHQ's lead, Barclays bank Saturday stopped its practice of offering free Kaspersky security products to customers as a perk, so there are signs the private sector is following the public sector's lead.

Dave Bittner: [00:07:49:21] Finally, developments in the Uber breach investigation, as well as in litigation involving Alphabet and Waymo, coincide with three more departures by Uber executives. The company hasn't said the departures were prompted by documents that surfaced appearing to describe discreditable competitive and data security practices, but of course there's widespread speculation that this was indeed the case. The executives worked in international, business operations, and physical security divisions of the ride-sharing company.

Dave Bittner: [00:08:20:12] There's rising sentiment to do something about the companies knowingly concealing data breaches. One example: A bill introduced into the US Senate last week that would provide jail time for executives found to have concealed data breaches.

Dave Bittner: [00:08:39:00] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cybersecurity leaders, when your CEO asks department heads for a status update, do you envy your colleagues like the VP of sales or CFO, who only have to pull a report from a single system, instead of deploying a team of people to check multiple systems and then waiting for them to report back? You wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk in terms of dollars and cents. Visit to learn more and get a free customized demo just for CyberWire listeners. Visit today. And we thank Nehemiah Security for sponsoring our show.

Dave Bittner: [00:09:49:02] And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. These recent stories about Kaspersky brought to a lot of people's attention the fact that there's a lot of data that these antivirus companies can pull from your systems.

Johannes Ullrich: [00:10:09:05] Yes. It really brought to the forefront of the public's attention that, if you are running anti-malware on your system, there is a chance that, if the anti-malware software finds some interesting binary on your system, it will exfiltrate that to the anti-virus company for further analysis. For the most part, that's something we want to have happened. There is a suspicious binary the antivirus software can't really put its finger on whether it's malicious or not, so in some ways a great service for antivirus companies to actually look at this closer, perhaps run it through some more sophisticated checks, or even do a manual analysis on it. However, on the other hand, you don't know what is really being exfiltrated here and a lot of confidential data may actually be exfiltrated that way as well.

Dave Bittner: [00:11:02:09] You're really giving them broad permission to pull just about anything they want off of your system.

Johannes Ullrich: [00:11:08:17] Correct. It's not just the antivirus companies. One service where I see this happen often is VirusTotal where companies upload documents, because VirusTotal has this great service where it runs it through 40/50 different anti-virus tools. However, at the same time, you are uploading this document to a third party, VirusTotal, and researchers have full access to all files being uploaded. It is very easy to get that access so in some ways you're are leaking data here. If you're not sure that the document you're uploading is actually malicious and free of proprietary content.

Johannes Ullrich: [00:11:51:03] The other issue that you have sometimes is that the document may be malicious but it is malicious because an attacker attached, for example, malicious content to an otherwise benign and confidential document. Therefore, by exfiltrating as you intend to, this malicious content to VirusTotal to your antivirus vendor, you are also sending that proprietary content which, of course, can be a big problem.

Dave Bittner: [00:12:19:04] Right. You can have the company's financials, which happen to be infected by someone else, and it is being sent up to the anti-virus vendor who may be Virus Total.

Johannes Ullrich: [00:12:28:02] Correct, they're similar but ultimately crypto ransomware. There are some sites where, for example, you can upload an encrypted document to identify what variety of crypto ransomware you were infected with, or whether there is a way to decrypt it. Of course, if there is a way to decrypt it, then the recipient of that document may as well do it and it's now in the hand of the proprietary conduit.

Dave Bittner: [00:12:51:08] All right. Well it's a cautionary tale for sure. Johannes Ullrich, thank you for joining us.

Dave Bittner: [00:12:58:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, check out

Dave Bittner: [00:13:10:07] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:13:20:14] Don't forget that I'm part of a security segment on the "Grumpy Old Geeks" podcast. You can find that wherever all the fine podcasts are hosted. And also don't forget to check out the Recorded Future podcast, that's another one that I host. The topic over there is threat intelligence. We think it's worth your time so check that one out as well.

Dave Bittner: [00:13:37:08] Our show is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thank you for listening.