The CyberWire Daily Podcast 1.8.18
Ep 510 | 1.8.18

Korean-language phishing targets interest in the Winter Olympics. Unrest continues in Iran. Meltdown and Spectre updates. Aadhaar security. Admiral Rogers will retire this spring from NSA.


Dave Bittner: [00:00:00:19] A quick reminder that you can get links to all of the stories we talk about on the CyberWire Podcast by subscribing to our Daily News Brief, and you can find out how to do that on our website,

Dave Bittner: [00:00:15:04] Phishing for hockey enthusiasts during the run-up to the Winter Olympics. Continued unrest in Iran, with more arrests. More on Meltdown and Spectre, as most experts agree you should apply the mitigations being offered. Intel receives much hostile scrutiny over the chip bugs, but other vendors' processors are affected too. India says Aadhaar is secure, but many aren't so sure. Admiral Rogers will retire as NSA Director this spring, and Marcus Hutchins' attorneys want his confession to involvement with Kronos thrown out.

Dave Bittner: [00:00:51:22] Now I'd like to share some words about our sponsors, Cylance. You know, you've got to keep your systems patched, right? Patching is vital, and WannaCry, which hit systems that hadn't been patched against a known vulnerability, well, that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance Endpoint Security Solutions will do exactly that, fend the bad stuff off and do your patching quickly but systematically. It's artificial intelligence, and it's a natural for security. Check out the Cylance blog, Another Day Another Patch at, and we thank Cylance for sponsoring The CyberWire, that's for cyber security that predicts, prevents and protects.

Dave Bittner: [00:01:52:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, January 8th, 2018.

Dave Bittner: [00:02:01:15] In the run-up to next month's Winter Olympics, to be held in Pyeongchang, South Korea, the first significant hacking campaign directed at those interested in the games has surfaced. Researchers at McAfee discovered the campaign, which uses phishing emails to spread malicious code in the form of an attached Korean-language text document. McAfee doesn't offer any attribution of the attack, but they do think the operation looks like the work of a nation state. In response to a question we sent them, they said, "Attribution is difficult, and technical analysis alone does not provide enough data to definitively say what group is behind this attack. What we can determine, from looking at past attacks, is that this campaign has all the hallmarks of a nation state attacker, given their ability to adopt a technique that was released into the security community, weaponizing and using it to carry out an attack."

Dave Bittner: [00:02:55:07] Other Olympics have experienced associated cyber attacks, notably the 2016 Rio games. Most were criminal in motivation, although there were Fancy Bear sightings during the online retaliation against anti-doping groups and other countries' athletes when exposure of Russian drug cheating induced the games' officials to kick Russian competitors out of the Olympics. That retaliation took the form of doxing. The criminal hacking was more along the lines of what's being seen in Korea now, phishing and waterholing attacks against people interested in the games. More attacks can be expected as the Pyeongchang Olympics approach.

Dave Bittner: [00:03:32:21] Unrest continues in Iran, as do government attempts to control information. Former president Mahmoud Ahmadinejad, no Westernizing reformer, by any account, is said to have been arrested for fomenting dissent. It was Ahmadinejad's election in 2009 that sparked the last significant public unrest in Iran. At that time, the protesters claimed Ahmadinejad stole the election. This time around, dissent is aimed at alleged corruption the protesters see as stunting the economy and stifling civil society.

Dave Bittner: [00:04:05:22] Admiral Michael Rogers Friday announced his intention to retire from his post as NSA Director this spring. He presided over an extensive reorganization of the agency, not the least of which was the splitting of Cyber Command into a distinct organization. A successor has not yet been named.

Dave Bittner: [00:04:25:03] Remediation of Meltdown and Spectre which, if you care to follow MIT's Technology Review you can call collectively "Chipmageddon", continues. Spectre is now clearly known to affect essentially all chips, not just Intel's, but Intel continues to bear the brunt of hostile scrutiny, including class action lawsuits the plaintiff's bar quickly and predictably initiated at the end of last week. CRN reports that one of those suits argues as follows: "Intel has been aware of a material defect in its microchips that leaves its customers susceptible to unauthorized access by hackers. Intel knew of the material defect in its microchips and intentionally chose not to disclose the defect to its customers. Intel's material defect can be patched, but patched computers, smartphones and devices suffer reduced performance."

Dave Bittner: [00:05:15:12] One widely noted fact that has poor optics for Intel is the CEO's sale of a large quantity of stock, just shy of half of his unrestricted holdings, which reduced those holdings to the 250,000 share minimum prescribed in Intel's executive stock ownership guidelines, as described in recent proxy statements. The Wall Street Journal has noted that the sale represents a deviation from the CEO's previous patterns of incremental sales.

Dave Bittner: [00:05:42:19] Intel has said that the sales were executed in a prearranged trading program established in October, and that they were unrelated to knowledge of the then undisclosed Meltdown and Spectre vulnerabilities. Such prearranged programs are, indeed, proper and consistent with SEC rules, but of course, they themselves cannot be established on the basis of material non-public information. Thus, it seems that CEO Brian Krzanich, to have traded innocently, was either unaware of the chip flaws or unaware that their disclosure would have a material effect on Intel's stock prices.

Dave Bittner: [00:06:17:12] Despite concerns over incompatibilities between a patched Microsoft Windows 10 and a number of anti-virus products, and despite widespread fear of slower performance, most experts are advising enterprises and individuals to apply the fixes. Intel discounts the effect of mitigations on speed, and Motherboard assures gamers that they'll still be fast enough to "crush noobs".

Dave Bittner: [00:06:41:04] Windows Security Center now controls the way users manage security on their Windows devices. The problems that have cropped up integrating anti-virus software into the patched version of Windows 10 appear to come down to this. Anti-virus software producers have to prevalidate any Microsoft patch and set a flag that they are compatible, otherwise Windows Security Center will block the update, because it cannot verify the currently installed anti-virus product's compatibility. People using the latest versions of products from major antivirus vendors are, for the most part, fine, since those vendors and versions should be compatible and up-to-date with the latest changes in Windows Security Center. Older versions of common security software and some products from off the beaten track, however, may pose problems of the kind the security community is a-Twitter and a-Tweeting about.

Dave Bittner: [00:07:32:07] Here are some other bad optics. India's government, while continuing to maintain that its Aadhaar national identification database remains secure, is said to be working on the prosecution of the reporter whose investigative work broke the story last week that the database had been pwned, and could be bought on the Dark Web at fire-sale, bargain basement prices.

Dave Bittner: [00:07:53:17] In other news from the world of crime and punishment, Equifax has said it will comply with New York State's request for information on the breach the credit bureau sustained last year. New York wants to know what Equifax intends to do to "make New Yorkers whole", after around 8.4 million of them had credit information exposed in the breach.

Dave Bittner: [00:08:14:03] And Marcus Hutchins says he didn't do it. At first, Mr. Hutchins was the inadvertent hero who accidentally found and tripped WannaCry's kill switch, and later the guy arrested by the FBI on charges of being behind the Kronos banking Trojan. But his lawyers say he didn't do it, didn't do Kronos, that is. Presumably, he still did the WannaCry stop. In an argument that anyone who has seen TV will recognize, Mr. Hutchins' lawyers say that his confession was coerced. The FBI picked Mr. Hutchins up at McCarran Airport on his way out of Black Hat and DefCon, and they knew, the defense says, that Mr. Hutchins was both "sleep deprived and intoxicated," as so many flying out of McCarran are wont to be. As Computing quotes in their statement, "The defense intends to argue that the government coerced Mr. Hutchins, who was sleep-deprived and intoxicated, to talk." And besides, counsel for Mr. Hutchins says, the G-Men also failed to properly Mirandize him. The hope is that the judge will say, as the judges on Law and Order so often do, "Sorry, Counselor, but the confession is out."

Dave Bittner: [00:09:28:15] Now, a moment to tell you about our sponsor, ThreatConnect. On Tuesday, January 23rd at 10am Pacific and 1pm Eastern Time, they're teaming up with Domain Tools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it and, in order to stay ahead of malicious actors, it is crucial that security teams add context and enrichment to their threat data. The combination of the ThreatConnect threat intelligence platform and Domain Tools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively. Join Director of Product Integrations at Domain Tools, Mark Kendrick, and threat intelligence researcher at ThreatConnect, Kyle Ehmke, to learn how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and Domain Tools work together to enable thorough domain actor and IP investigations. Sign up today at That's, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:10:47:12] And I'm pleased to be joined once again by Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. We saw recently that some representatives, bipartisan representation, has introduced what is a Bill about hacking back, and this is not without a little bit of controversy.

Ben Yelin: [00:11:08:23] So, this is an idea that's been around quite a while. The Bill, which was introduced by Tom Graves, a Republican from Georgia and Kyrsten Sinema, a Democrat from Arizona who's actually running for the Senate, so she's going to try to put her name on a piece of legislation. It's called the Active Cyber Defense Certainty Act, whose acronym is ACDC, one of the silliest acronyms I've seen on legislation in a long time. Putting that aside, the Bill provides an exception to the Computer Fraud and Abuse Act. Under that Act, generally it is a crime to access a foreign network for any reason to get material. This would provide an exception that you can access another network if it is part of what is called an "active defense".

Ben Yelin: [00:11:56:12] So, basically, the real world equivalent is if somebody were to come into your house, rob you, take some of your materials, some of your papers, some of your valuables, what this legislation would do in the physical realm, if it existed, would be to grant you an exception to burglary and robbery laws and allow you to go to that person's house who stole your stuff and to take it. Obviously, it seems kind of more radical when you make an analogy in the physical realm. It's basically allowing you to commit a crime, as long as you're doing so for what we call "defensive purposes", because somebody has attacked you first.

Ben Yelin: [00:12:34:11] I think what critics would say is this opens up a Pandora's box. We could have incidents where companies plant evidence that information from their own servers has been stolen, so that they can have recourse, some sort of excuse to hack into somebody else's network and take information that ostensibly was stolen from them, and I think that's a very bad incentive structure. Really, I think, this article noted, there aren't many advocates of this approach. They mentioned a former lawyer with the Bush administration named Stewart Baker, Assistant Security Secretary under President Bush, has been an advocate for this. But it's an idea that kind of keeps popping back up and it's certainly not without controversy.

Dave Bittner: [00:13:19:17] Yes, it's odd because, like you say, nobody's really asking for this, and even the provisions within the Bill are quite vague in terms of what you can and cannot do. It just seems like asking for trouble.

Ben Yelin: [00:13:33:12] Yeah, I mean, they try and put all sorts of provisions in the Act to limit its most extreme application. For instance, they have language advising defenders to exercise extreme caution, but without specifically defining those words you just open the floodgates for potential abuse, potential fraud, using this defense against charges from the Computer Fraud and Abuse Act as a pretext to commit cyber crimes, and I just think that would be opening some sort of dangerous precedent. Usually we would see the industry groups lining up behind a piece of legislation like this, and that's usually what motivates Members of Congress but, as you said, I mean there just really is no industry support here, which is why it's so vexing that this idea keeps popping up, I think. The author of this article and many of us are stumped as to why it keeps getting reintroduced in Congress.

Dave Bittner: [00:14:25:20] I guess we can agree that, if it does pass, you and I will both be thunderstruck.

Ben Yelin: [00:14:28:24] Absolutely. You know, we can say that for a number of things, but we've both been wrong in the past, so maybe we'll be proven wrong again.

Dave Bittner: [00:14:36:03] All right. Ben Yelin, thanks for joining us.

Ben Yelin: [00:14:38:16] Thanks, Dave.

Dave Bittner: [00:14:41:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:15:02:18] Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed, and check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cyber security topics. That's at

Dave Bittner: [00:15:31:24] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.