The CyberWire Daily Podcast 12.22.17
Ep 501 | 12.22.17

More speculation about Triton malware. North Korea amplifies its denials of responsibility for WannaCry. Cryptocurrency markets undergo a strong correction. "Blockchain" remains a word to conjure with. Citing a potential risk to national security, Lithuania's government bans Kaspersky software. ESET thinks Fancy Bear is growing more cunning and evasive. And how does Siri handle various linguistic challenges?

Transcript

Boy's Voice: [00:00:01:05] Dad, I have a winter coat and you're gonna get lots of coal in your stocking because you keep telling all these lies about things, about me, 'cause, you know, that whole thing with the bicycle and that, no, no no no no, I have all those things so you're gonna need lots of coal and you should go to thecyberwire patreon dot com.

Dave Bittner: [00:00:23:09] Patreon.com.

Boy's Voice: [00:00:24:09] Patreon.com.

Dave Bittner: [00:00:25:16] Slash

Boy's Voice: [00:00:26:11] Slash the CyberWire.

Dave Bittner: [00:00:28:10] There you go. All right, you'll get toys this year.

Dave Bittner: [00:00:34:17] More speculation about Triton malware. North Korea amplifies its denials of responsibility for WannaCry. Cryptocurrency markets undergo a strong correction. "Blockchain" remains a word to conjure with. Citing a potential risk to national security, Lithuania's government bans Kaspersky software. ESET thinks Fancy Bear is growing more cunning and evasive. And how does Siri handle various linguistic challenges?

Dave Bittner: [00:01:07:00] And now a holiday message from our sponsor Nehemiah Security. 'Twas the night before the board meeting, when all through HQ not a C-level was stirring, even finance was a snooze. Reports were all stacked in the boardroom with care in hopes that the members would not pull out their hair. The CISO, however, was pacing the ground, mostly because he had no real metrics to sound, and the head of IT, in front of long log reviews, had just settled his brain after full backup number two. When out of the SIEM alarms started to fly, they looked at each other and did not know why. Away to the reports they flew like a flash to see which malware showed up as a hash. If only they knew where exploitables lay and could sort them and treat them in an intelligent way. Showing true business impact and real dollars lost, could cyber finally be a justifiable cost? With Nehemiah Security so ready to assist, converting cyber into dollars is impossible to resist. More rapid than eagles the RQ dashboard it came, instantly upping their cyber risk game. Now dollars, now cents, now recommendations on threats, on exploits, financial justifications. To the top of the budget the CISO's report flew. Smart cyber investments, now everyone knew. To hear the rest of the story visit nehemiahsecurity.com.

Dave Bittner: [00:02:40:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, December 22nd, 2017.

Dave Bittner: [00:02:50:22] The company affected by the attack on industrial control systems, the attack has been called Triton or Trisis, is said to have been in the Middle East, but hasn't generally been named. But it's now said, according to Foreign Policy, to be Saudi Aramco. Foreign Policy sources their story to a report they say they've obtained that was prepared by Area 1 Security. Circumstantial and preliminary attribution continues to point toward Iran.

Dave Bittner: [00:03:18:01] Both the attribution and the name of the target remain speculative. Aramco has denied it was the target of an attack of this kind. The company said, "Saudi Aramco corporate and plants networks were not part of any cyber security attack or breach." The Shamoon attack of 2012, generally attributed to Iran, did strike Aramco networks. Triton, of course, is a different matter altogether, and affected an industrial control system's safety features, which is why Dragos and other security firms have called Triton a "game-changer."

Dave Bittner: [00:03:51:06] North Korean denials of responsibility for WannaCry have moved away from the lofty, statesmanlike form quoted yesterday and into more familiar rhetorical terrain. The North Korean Foreign Ministry said, "The U.S., a source of all social evils and a state of global cyber-crimes, is unreasonably accusing the DPRK without any forensic evidence, this cannot be construed otherwise than an expression of its inveterate repugnance towards the DPRK." While they can't be troubled to reply to every American "grave political provocation," this one can't be tolerated, because it's aimed at "tarnishing the image of a dignified country," in their words.

Dave Bittner: [00:04:35:23] An article in online magazine Salon more-or-less agrees with the Supreme Leader's representatives, seeing the Five Eyes' attribution of WannaCry to Pyongyang as resembling other bogus war-scare "ruses" grounded on thin and ambiguous evidence. But most observers think the attribution, while inevitably circumstantial to some degree, will probably hold up. It's been a long time coming, some six months after officials in the United Kingdom reached the same conclusion. It's worth noting that the UK had a particular interest in WannaCry, since its National Health Service was caught off guard and heavily affected by the malware.

Dave Bittner: [00:05:13:01] It's also worth noting that this is of more than historical interest. WannaCry remains in circulation, still hitting the unprepared and unpatched.

Dave Bittner: [00:05:21:16] The DPRK is also thought to be taking a particular interest in cryptocurrencies. South Korean police unsurprisingly see North Korea as a prime suspect in the Youbit cryptocurrency exchange hack.

Dave Bittner: [00:05:34:06] Ordinary criminals continue their interest in cryptocurrencies, too. Here there's a lot of installation of miners going on. In several regions of the world Facebook Messenger is reported to be used to phish the miners into victim systems.

Dave Bittner: [00:05:48:12] Bitcoin and other cryptocurrencies crashed hard this morning, losing up to a third of their valuation. It's probably not the end of the speculative bubble, but it's at least a sharp correction. There are more than a hundred cryptocurrencies currently trading, and Gizmodo reports that all but two of the top one hundred were down "significantly" this morning.

Dave Bittner: [00:06:10:02] Coinbase, one of the more important exchanges, showed Bitcoin trading at a bit less than $12,000, down from a high of nearly $20,000. Coinbase itself intermittently suspended trading last night and again today. It appears that high volume trading, more than the exchange could readily handle, was responsible, not hacking or any decision to halt a speculative tumble.

Dave Bittner: [00:06:34:10] To return to North Korea in this context, TechCrunch comments that Pyongyang's alleged raids on financial institutions, the fears it's aroused with missile and nuclear testing, have amounted to a kind of pump-and-dump scheme for cryptocurrency, and that speculators frightened by threats to conventional financial systems have fled to the alt-coin world, where North Korea seems recently to have turned its attention. This is interesting, but reports of such wheels-within-wheels should always be treated with cautious skepticism, pending further confirmation.

Dave Bittner: [00:07:06:13] But blockchain-fueled speculation will continue. The magazine Computing reports that yesterday the Long Island Iced Tea Corporation, which as you'd imagine makes iced tea, announced plans to change its name to "Long Blockchain," and said that while it would continue to sell beverages, it would also be developing other, blockchain-based products and services. Its share price popped from $2.49 to $9.49, then stabilized to just below $7.00. So hop to it, world, we guess. What are they drinking in Pyongyang these days?

Dave Bittner: [00:07:43:02] There's more bad news for Kaspersky Lab: the Lithuanian government has banned the company's products from Lithuanian infrastructure. A government statement characterized the software as a "potential threat to national security." Reuters says the deputy director of Lithuania's state cybersecurity agency told the news service that "Information from computers using the software can leak into countries where we don’t want it to end up." Kaspersky disputes this assessment, as it has similar assessments by the US Government, and is considering its options.

Dave Bittner: [00:08:16:19] Cybersecurity company ESET has followed up on the threat actor they call Sednit, also known as Strontium, APT28, or Sofacy, and, of course, our favorite, Fancy Bear. Fancy Bear is generally thought to be Russia's military intelligence agency, the GRU. They're still active, and still making heavy use of email phishing, but their attack tools are now more nuanced, less obvious, more selective. Fancy had the reputation of being relatively noisy, at least in comparison with its sibling, the FSB's Cozy Bear. That may be changing.

Dave Bittner: [00:08:49:20] ESET is based in Bratislava, Slovakia, albeit with major offices elsewhere, especially San Diego. We mention this because it turns out that Slovak is not one of the languages Apple's Siri AI can handle, which seems a shame. After all, it's spoken not only in Bratislava, but in many places in North America as well: Pittsburgh, Pennsylvania; Clifton, New Jersey; Niagara Falls, Ontario; and so on. So give it a shot, Siri.

Dave Bittner: [00:09:17:21] Here's something to ponder: does, or should, Siri do idiomatic and rhetorical style as well as basic language? Thus, in answering a Californian's question, would Siri begin the answer with the word "so?" As in, question: "Siri, should I take Sepulveda or Van Nuys Boulevard?" Answer: "So, you should take Sepulveda." Or consider a question one might ask in Pyongyang or Sinanju: "Siri, where can I find radishes?" Answer: "Our glorious self-reliance has answered the radish question, to the discomfiture of the miscreant dotard Trump and his wreakers." And how would Siri communicate with the Shadow Brokers? Question: "Siri, we are asking why the peoples no be buying Equation Group exploits even in big big sale?" Answer: "Wealthy elites is finding their bitcoins not worth squat." Which reminds me, why haven't we been hearing about the brokers lately? Kind of miss their dialect, if not the brokers themselves.

Dave Bittner: [00:10:24:11] And now a quick word from our sponsor Cylance, who has been helpfully sharing their 12 days of hacksmas with everyone. Here's today's. On the fifth day of hacksmas my black hat sent to me: five privilege rings, bum bum bum, four phones with names, three ROP chains, two-factor auth, and a zero day in SMB. And the innermost privilege rings are always the most important, right? Lock them down and you're golden, am I right? So do check out cylance.com, the experts in artificial intelligence as applied to cyber security. Again, that's Cylance. Wishing everyone a happy holiday, and we thank them for sponsoring the CyberWire.

Dave Bittner: [00:11:14:00] And I'm pleased to be joined once again by Chris Poulin, he's a Principal and Director for Booz Allen's Dark Labs, where they focus on IoT security and machine learning. Chris, welcome back. I saw an announcement recently that Waymo has started their fully self-driving car program, it's taking place in Arizona, I believe they have a hundred cars and they're geofenced within a 100 square mile area and you basically have to sign your life away to use them, so there's a lot of, you know, restrictions and caveats and all that sort of thing. But the fact of the matter is those cars are out there and they're on the road.

Chris Poulin: [00:11:47:05] It's true, and in fact we're both in the Boston area and the Seaport has actually made it, made the Seaport an area where self-driving cars can actually operate within the Boston area. So it's starting to go, we're starting to see it in many different areas and I think it's gonna, there will be a lot of pilot programs. Like you said, geofenced, because I think people are still a little bit wary of autonomous vehicles, that's not surprising. People are resistant to change. I mean quite frankly I have an all-electric vehicle and I can't tell you how many people can't wrap their minds around the fact that there is no place to pump gas into it and they don't understand how you can drive it as your primary vehicle because they just don't understand where you get electricity. So you know, part of it is sort of this change thing where I think there's going to be some reluctance for people to embrace autonomy, but once they sort of get used to it in a controlled environment and they're able to understand that it's not as dangerous as they think it is, there will probably be some adoption point where it will go from autonomy being, I think there is a garden share where they said 55% of people said they wouldn't even ride in an autonomous vehicle. And to the point where, you know, they embrace it, there you go, have a couple of drinks in the Seaport and let an autonomous staple drive you home instead of calling a Lyft or an Uber or something like that, right.

Dave Bittner: [00:13:07:24] Yeah and I've heard historical stories about how people had similar problems with the transition to elevators that had no elevator operators inside. They were afraid of getting in this box by themselves, the doors would close and, you know, they would surely fall to certain death if there weren't a human being operating the elevator and we seem to have gotten over that.

Chris Poulin: [00:13:28:22] Yeah, I think that's, so I actually just wrote an article as a matter of fact for - and it's posted on Heinz research, and the point of it is we need to stop selling fear and uncertainty. And it's kind of a problem in our industry, in the cyber security industry, a little bit, because there are people who, it gets attention. But the reality is if we can stop saying, if we can stop putting so much fear, uncertainty about, you know, how people can hack connected vehicles, autonomous vehicles, which it's a concern, don't get me wrong, but that's all we talk about. We don't talk about the benefits and, you know, they're, I don't have the statistics right off the top of my head. But if we enter into this in a measured way and assess all the risks that we in the cyber security space, look at the risks of autonomous vehicles and connected vehicles and we do the best we can to make them safe for people and give them the comfort level by having these pilot programs in different cities, what ends up happening is that save a ton of money. It's like in hundreds of billions of dollars in fuel costs, in something like 90, I'm not even gonna try to guess, I'm gonna get it wrong. But there's a huge benefit in safety in terms of the vehicles are gonna make better decisions than people do anyway, even if they do make a mistake once. And that's where the fear, uncertainty and doubt comes in sometimes, is that we say look, an autonomous vehicle made a mistake once, oh my god, let's never get in one again, whereas there are hundreds of thousands of accidents every year in the United States alone and people still persist in jumping into their car and in many cases they shouldn't be behind the wheel.

So, you know, once we start looking at it rationally and we can start talking about all the savings to, you know, cost of fuel and the cost of time it takes to commute, the safety side of the equation, I'm hoping that everyone will start to understand how much benefit, and it can actually be so transitional we could actually get rid of parking garages.

Chris Poulin: [00:15:19:19] So again, I think I am really glad to see that there's a lot of pilots being rolled out and I'm looking forward to the day when people do embrace autonomous vehicles.

Dave Bittner: [00:15:27:01] Chris Poulin, thanks for joining us.

Chris Poulin: [00:15:30:09] Thank you.

Dave Bittner: [00:15:35:15] And now a few words about our sponsor Ninjio. If 95% of security breaches start with human error, why is it that security awareness training seems to be the last item in the budget, if it's even there at all? Is it because too many people have wasted too much time in training that doesn't work? Well, Ninjio says they've got the solution, training that actually does the trick. Ninjio produces short animated episodes that teach your employees how not to get hacked, and they do it with Hollywood-style storytelling, not with dull, droning lectures. Ninjio releases new episodes every 30 days based on the most current risk, inspired by a real organization who suffered a real breach. Ninjio focuses on one attack vector at a time, and their explanations are as memorable as they are accessible. To learn more just email sales@ninjio.com and they'll be in touch within minutes. And go ahead and check 'em out, it's ninjio.com, it's definitely worth a look. And we thank Ninjio for sponsoring our show.

Dave Bittner: [00:16:43:06] We often focus on technology here at the CyberWire, but of course you can have the best technical solution in the world, but if you don't know how to get the word out through sales and marketing your chances of success are slim. Our guest today is Kim Decarlis, she's the Chief Marketing Officer at Gigamon, a network visibility and traffic monitoring technology vendor headquartered in California.

Kim Decarlis: [00:17:05:20] Messaging in the security space is definitely a challenge. When I moved into the security space about four years ago the first thing I did was go to RSA, and I was overwhelmed by the number of messages and the similarity of messages by companies that did very different things. And so as a marketer within the security space I think you really have to be mindful of not the same, you know, buzzword security bingo, and tie your security message to business needs and try to rise above the tech terms and really talk about the business need, the outcome that the buyer is trying to avoid in some cases or the outcome that they're trying to have for their enterprise in other cases, and really connect more on a human level than on a technology level.

Dave Bittner: [00:18:04:24] Do you think that represents a maturation of the industry? I mean, I hear people saying that more than ever companies are talking about these things in terms of risk rather than technology.

Kim Decarlis: [00:18:15:00] I think that's absolutely true and, you know, rule number one in marketing is know your audience. And so if you're speaking to a CISO, know what they care about. If you're speaking to somebody who actually works in the security operations center, the SOC, then you're probably going to need to dig down a little bit more deeply into technology speak. But I think it's really incumbent upon us to be mindful of the audience. I think the other thing that we're seeing is security and risk are certainly becoming board-level discussions, and that requires another level of thinking and messaging so that board members and members of the C-suite really understand what the technology is about, what the risk terms are about, and what they need to do to put their businesses in the best position to stay away from the constant attacks. Or at the very least to identify and contain attacks as quickly as they possibly can. So it's different language for different buyers, and again, Marketing 101.

Dave Bittner: [00:19:23:17] Yeah, and as you put together your marketing team, how do you strike that balance between, I guess, the necessary technical knowledge but also balancing that with the skills of a marketing professional?

Kim Decarlis: [00:19:37:01] Yeah, that's a great question, David. As I've worked here with the team at Gigamon it's really been on a per-position basis. So there are some areas where it's absolutely required that somebody have a background in security. Those positions are product management, product marketing certainly, and on the other side of the equation analyst relations, you know, I need somebody who is credible speaking to the various influencers and analysts out there. So those positions require security background. Other positions, like somebody managing the website, somebody doing analytics for our marketing spend and our campaigns, those positions don't need to be quite as steeped in the technology. So you really have to look at it, you know, position by position and group by group.

Dave Bittner: [00:20:27:15] You know, as you walk around the floor of a trade show and you see other people putting their messages out there, are there things that you see that sort of make you shake your head and you wonder, you know, gosh, if only these people did a better job? Are there any common mistakes that you see people making?

Kim Decarlis: [00:20:39:20] As I see, you know, messages at trade shows I think there are a couple of mistakes. One of them is jargon, using too many TLAs and using the same, you know, as I said earlier, security buzzwords that everybody is using. Um, one of the things I've tried to do is really speak more humanly, because in a lot of cases security starts with people doing things right, and the number of APTs, and next generation firewalls and IPSs and WAFs and UEBA tools that you have isn't going to really matter if you can't really put your people in a position to be successful. So I've liked some messages that I've seen that talk about keeping people informed and educated and stopping them from doing natural people things like inserting the USB key that they found, you know, on a desk to save a file. Who knows where that could have been? But it's really taking the message up to something much more relatable that I think can be a difference maker.

Dave Bittner: [00:21:44:06] You're running a team there at a large company, certainly Gigamon, hundreds of employees and a lot of success there. Do you have advice for that person who is just starting off in their basement or their garage, who is trying to figure out how they're gonna get the message out?

Kim Decarlis: [00:21:58:20] I think the most important thing that any marketer can do is spend time in a customer-facing position. I personally started my career in sales, and at the end of the day what you're trying to do with your marketing messages and with great products such as those that we have here at Gigamon is solve a customer problem. So anybody that really is wondering about how to get a message out needs to spend a lot of time out in market, and I think a great first job is something where you're in customer support, you're in inside sales. I personally started, you know, in an outside sales quota-carrying role, because at the end of the day everything you do is about solving a customer need better than somebody else can, and maintaining that foundational focus on the customer is critical.

Dave Bittner: [00:22:48:14] That's Kim Decarlis, she's the Chief Marketing Officer at Gigamon.

Dave Bittner: [00:22:54:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:23:08:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.