The CyberWire Daily Podcast 12.21.17
Ep 500 | 12.21.17

More data found exposed in an AWS S3 bucket. EtherDelta's DNS impersonation issue. DPRK says it doesn't hack. FISA Section 702 nears sunset. Wassenaar updated. Kaspersky says its due process rights have been violated.


Dave Bittner: [00:00:01:04] Just the other day my eleven year old son came to me and said "Daddy, winter is here and it sure is cold in the morning waiting at the bus stop before school, do you suppose I could get a warm winter coat for Christmas this year?" and I said "Son, if enough people sign up to support the CyberWire at maybe we'll be able to get you that warm winter coat. I'm kidding of course, he doesn't wait in the cold at the bus stop, I make him walk to school.

Dave Bittner: [00:00:39:03] Here's a new year's resolution all organizations should make: resolve to configure your cloud services for privacy and security. Another cryptocurrency exchange gets hacked, this one by DNS hijacking. North Korea finally says it had nothing to do with WannaCry, but few are convinced. The Lazarus Group continues to be a prime suspect in cryptocurrency theft. Section 702 nears sunset. Wassenaar seems to have become friendlier to researchers. And Kaspersky Lab wants redress in court.

Dave Bittner: [00:01:14:13] And now a holiday message from our sponsor Nehemiah Security. Twas the night before the board meeting when all through HQ not a sea level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care in hopes that the members would not pull out their hair. The Cisco however was pacing the ground, mostly because he had no real matrix to sound and the head of IT in front of long log reviews had just settled his brain after full backup number two. When out of the seam alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploitables lay and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles the RQ dashboard it came instantly upping their cyber risk game. Now dollars now cent, now recommendations on threats, on exploits, financial justifications. To the top of the budget the Cisco's report flew, smart cyber investments, now everyone knew. To hear the rest of the story visit

Dave Bittner: [00:02:48:05] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday December 21st 2017.

Dave Bittner: [00:02:58:10] Another big Amazon Web Services S3 bucket misconfiguration has exposed tens of millions of individuals' sensitive personal information. It's worth stressing, again, that configuring an AWS S3 database is the database owner's responsibility, not Amazon's, although Amazon has been trying to nudge customers in the direction of better, more privacy and security conserving, configurations.

Dave Bittner: [00:03:22:22] This case involves data maintained by Alteryx, a US analytics firm. The bucket holds information on some 123 million US households, which is as close to all of them as to make no difference. This information comes from the credit bureau Experian, the US Census Bureau, and Alteryx itself. The exposed database was noticed by UpGuard, the security firm that, along with Kromtech, continues to dine out on its discovery of publicly accessible AWS S3 buckets.

Dave Bittner: [00:03:54:16] Some of the data like those from the US Census of 2010 are already publicly available, but the Experian files of course were never meant to be public, although they would have been commercially available from the credit bureau.

Dave Bittner: [00:04:08:00] Alteryx has said, in a statement posted to its corporate blog, that they secured the databases as soon as they were made aware of the exposure, and that the Experian information that was exposed "is commercially available from Experian and provides some location information, contact information and other estimated information that is used for marketing purposes. It does not include names, credit card numbers, social security numbers, bank account information or passwords."

Dave Bittner: [00:04:36:04] Some are also drawing comfort from the age of the information—the Experian data is from 2013—but the exposure remains unsettling, and should prompt some attention not only to cloud configuration, but to organizations' data supply chains as well.

Dave Bittner: [00:04:52:02] Researchers at Google recently announced that they'd found huge numbers of user account information available on dark web markets. Joseph Carson is Chief Security Scientist at Thycotic and he joins us with his thoughts on the findings.

Joseph Carson: [00:05:06:12] What Google has reported is that they're actually identifying that in the black market and places like deep web and dark net that they find 1.9 billion stolen passwords and usernames. The more concerning part of it is that they're still indicating that 25% of them still work on an active account.

Dave Bittner: [00:05:24:17] Yeah do the math there that's half a billion still active. Those are the numbers, what's your analysis of the reality of those numbers?

Joseph Carson: [00:05:33:06] I mean I still think the number is quite low [LAUGHS] in my honest opinion and the reason why I say it's low is that it's not surprising either that we're finding this type of data in those locations. You know for many years, you know, as data breaches have been disclosed and, you know, those data dumps have been made available hackers have been correlating them anyway. They've been putting them together in order to do large password cracking.

Dave Bittner: [00:06:01:04] So I mean looking forward what do you think is a solution to this sort of thing? Are we heading into a time where we need to look at passwords differently?

Joseph Carson: [00:06:09:15] I think that there has to be a concept is that yes we need to get into not one is how we create and use passwords, that's for sure is contributing to the major problem. If we look at all the years about password and passphrase and other types of best practices, when those best practices were introduced we were only using, you know between one to five maybe accounts. So you know reuse of password is quite limited. Now move forward to today that everything we use, everything on social media and any type of service that we get, they all come with different accounts and the average person today has more than 30 different accounts and passwords that they need to protect. And we've got into really severe cyber fatigue which has caused many people to reuse passwords. When an account is compromised, like we've seen over the years and it's very common that almost every person that's using the Internet today has been a victim of cyber crime. That it only takes one of those accounts to be compromised in order to then make the rest of the accounts that they have exposed and compromised. Not just on their own personal Internet accounts, but those accounts and passwords are the same passwords that they're using for their own internal business work and work life. So we're finding that, you know, how we create and use passwords is, and also the evolution of the number of accounts that we have is definitely contributing and escalating the problem greater and we really need to get into better capacity and better understanding about what is the right best practice to deal with many accounts ad to also reduce the cyber fatigue.

Dave Bittner: [00:07:49:24] And so what do you imagine being a solution that could be simple?

Joseph Carson: [00:07:53:14] A solution to be simple is definitely something that means that humans are not creating passwords. Passwords are a combination of multiple things that they have or who they are. So definitely there has to be some type of good mechanism of actually creating a password that is tied a humans, you know whether there's some evidence of biometrics, some things that they have and those combinations. But security itself needs to be definitely multi-factor and multi attributes that applies to it. Anything else so that means at least access to their visual identity and access to the accounts that then provide for example password management functionality, that means that this is the access to the vault that actually then manages your digital footprint for you and that would be something like managing your passwords on rotations and complexity and additional factors. You don't need to know what's happening in the background, you just need to know how they interact and how to gain access. So definitely password vaults, digital identities and multi-factor authentications all have a part to play but we need to find definitely a way that makes them simpler to be used by people and therefore it's not something that's complex, it's just as easy as clicking the access and the biometrics or the attributes that you have make up that security control.

Dave Bittner: [00:09:15:21] That's Joseph Carson from Thycotic.

Dave Bittner: [00:09:20:01] Turning to matters of national and international policy, in the US, Section 702 of the Foreign Intelligence Surveillance Act (which authorizes collection of electronic communications by the National Security Agency) will sunset in ten days if it's not renewed. The Intelligence Community generally regards Section 702 as an essential authority for intelligence collection. Congressional efforts underway to reauthorize or at least extend the authority are controversial, facing skepticism from elements on both the left and right.

Dave Bittner: [00:09:51:24] Recent alterations to the Wassenaar cyber arms control agreement continue to receive generally positive reviews, as protections for security researchers are incorporated into the framework. A major challenge in cyber arms control is the dual-use problem: many tools have both perfectly legitimate, indeed, essential, uses and illegitimate, dangerous application as attack tools. Earlier iterations of the Wassenaar agreement had tended to err on the side of prohibition, much to the discomfiture of the security community.

Dave Bittner: [00:10:24:20] The dual-use problem isn't of course unique to cyber. Switches used in photocopiers can be used in nuclear weapons' trigger mechanisms, fermenters can be used to brew beer but also bacteria for biowar applications, and ballpoint pen ink and mustard gas share some common precursor chemicals. Expect more work on Wassenaar.

Dave Bittner: [00:10:45:23] North Korea has gotten around to denying involvement in WannaCry, calling the attribution "absurd". Pyongyang's statement is more measured than normal. As reported by the DPRK's official news agency, KCNA, the Foreign Ministry today said: "As we have clearly stated on several occasions, we have nothing to do with cyber attack and we do not feel a need to respond, on a case-by-case basis, to such absurd allegations of the U.S."

Dave Bittner: [00:11:17:19] Absurd or not, the allegations are widely credited. North Korea is also drawing suspicion in a number of other cases, especially those involving theft by the country's Lazarus Group. Facebook and Microsoft have been cooperating in take-downs of various Lazarus Group accounts and infrastructure. The Group is believed to be concentrating on theft of Bitcoin and other cryptocurrencies in an attempt to redress the chronic financial pinch an underdeveloped economy and wide-ranging sanctions have imposed upon North Korea. Pyongyang's operatives are suspected in the alt-coin theft that bankrupted the South Korean based Youbit exchange earlier this week.

Dave Bittner: [00:11:56:20] Attacks on cryptocurrencies continue, and another operation, crypto-to-crypto exchange EtherDelta, was taken offline yesterday after being hacked. Specifically, attackers seized control of EtherDelta's DNS server and redirected traffic to the site—including traffic by customers wishing to trade—to their own, malicious server that hosted a bogus copy of EtherDelta's website. Bleeping Computer thinks that EtherDelta appears to have regained control of its DNS server—in any case the telltale signs of the bogus site, a missing chat button and a missing Twitter feed, seem to have been restored, but so far EtherDelta hasn't given an all-clear, and it's possible the hoods may simply have upgraded their impersonation.

Dave Bittner: [00:12:41:22] Sector information source CoinMarketCap ranks EtherDelta as the world's eighty-fifth largest alt-coin exchange. It's an interesting one in that it handles a wide variety of cryptocurrencies, and in that it's a coin-to-coin site only. You can't trade fiat money, that is, conventional, state-backed currency, on it, but you can go from Bitcoin to Ether to Monero.

Dave Bittner: [00:13:05:06] There's no firm attribution yet, and investigation is in its early stages, but there's plenty of eye-rolling in the general direction of Pyongyang.

Dave Bittner: [00:13:13:19] There are also continuing efforts by criminals to install cryptocurrency miners on non-cooperating machines. The latest wave, and it's a fairly big one, has been rolling since Monday, as WordPress sites are subjected to brute-force attacks aimed at installing Monero miners on users. Security company Wordfence, which specializes in WordPress security, says the attackers are using "a combination of common password lists and heuristics based on the domain name and contents of the site that it attacks." The hackers appear to have netted, so far, more than $100,000, although the precise amount they've mined is unclear.

Dave Bittner: [00:13:53:10] Some observers complain that the US has provided no real evidence of North Korean involvement in cyberattacks, and that US attributions shouldn't be accepted at face value. But the other four Five Eyes appear to agree, and Facebook and Microsoft seem to be taking down DPRK operators in the Lazarus Group. There are concerns surfacing now that Pyongyang will seek to disrupt the upcoming Winter Olympics, scheduled to be held in South Korea this coming February. Those worries involve more betting on form than on any solid trackside tips, but we'll surely hear more of them as we get closer to the games.

Dave Bittner: [00:14:32:15] Some of the same observers see the same issue in the US Government's ban on Kaspersky security products. The Department of Homeland Security may well have to show some of the evidence that moved it to issue the ban: Kaspersky Lab is suing the Department in US Federal court alleging that Kaspersky's been deprived of due process. The proceedings will be followed with much interest.

Dave Bittner: [00:15:04:17] A quick word from our sponsor Cylance and their project to educate over the holiday season because threats never take a day off even a federal holiday. They're running down the 12 days of hacksmas on their blog and here's the fourth. On the fourth day of hacksmas my black hat said to me four vones with names, three RoP chains, two factor auth and a zero day in SMB. We like vones with names. Threat actors and operations too like Cleaver, a serious one Cylance discovered a few years back. If you visit you can see what their artificial intelligence can do for your security. That's Cylance and we thank the for sponsoring the CyberWire.

Dave Bittner: [00:15:50:02] And joining me once again is David Dufour, he's the Senior Director of Engineering and Cyber Security at Webroot. David welcome back, you know we've been seeing in the news a lot lately stories about quantum computing and today you wanted to address quantum computing particularly when it comes to artificial intelligence. What do we need to know about this?

David Dufour: [00:16:06:16] Well you know David again thanks for having me, quantum computing is fascinating I think anyone who is reading about it, you know it's coming, everyday we see new advances that are gonna make it more available 'cause it's very expensive right now in terms of trying to build and generate a quantum computer, you're not gonna have it under your desk any time soon. But with the processing speed that becomes available it's somewhat mind blowing what we're gonna be able to see in terms of advancements around analyzing large amounts of data which would help improve, you know, things like AI and specifically in the field of AI machine modeling. You and I have talked ad nauseam about the difference between AI and machine learning and so I think the AI component as we simplify the ability to build quantum computers you'll see vast improvements in the way AI performs in terms of interactions with people. I think more importantly at first what you would see is vast improvements in the ability for machine models to be able to do work for us in that machine learning field.

Dave Bittner: [00:17:10:10] Do you suspect with these quantum computers coming on line that will lead to a lower cost in processing power?

David Dufour: [00:17:18:05] I think initially, no but over time yes. Obviously when new things come out they cost a lot of money and you see large universities or groups of universities building them or you know large nation organizations funding those types of machines. So I think initially it will be very expensive but as with all technology over time it will come down market.

Dave Bittner: [00:17:40:20] And then so eventually I guess part of the point you're making is that this technology will be available to the bad guys as well?

David Dufour: [00:17:47:09] It will and I'm willing to bet that what we're gonna see initially will be some use for good but I bet a lot of use for breaking older encryption techniques and just things that could take raw computing power to use in terms of attack. I think you'll see some of that in the initial versions of quantum computing. Unlike the Internet when it first came out and computers when they first came out, there were a lot of applications available, you know that we hadn't really explored and we were using them for more science research. But I think a lot of times now we think how do we weaponize computer processing power and I think that you're gonna see a lot of that initially with quantum computing.

Dave Bittner: [00:18:25:14] David Dufour, thanks for joining us.

David Dufour: [00:18:27:13] Thank you David.

Dave Bittner: [00:18:31:00] And that's the CyberWire. It's a special day for us here, by our count today show marks the 500th episode of the CyberWire podcast. Thanks to all of you for making it possible and to our many guests and partners helping us make the cyber security world better informed and hopefully a little safer too. We're still a scrappy little startup and we're proud of the team we've assembled to bring you the news and information you depend on everyday.

Dave Bittner: [00:18:55:16] And of course thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit

Dave Bittner: [00:19:09:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:18:19] Our show is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.