The CyberWire Daily Podcast 3.2.18
Ep 547 | 3.2.18

Memcrashing no longer just a theoretical possibility. Fancy Bear's pawprints in German networks and other peoples' embassies. Deterrence in cyberspace. High-profile fraud victims.


Dave Bittner: [00:00:04:02] Memcrash amplification attack took GitHub offline, but only briefly, thanks to Akamai mitigation. Germany continues to fight off ongoing attacks on sensitive government networks. Germany hasn't said so, but everyone else sees Fancy Bears pawprints over this one. Fancy Bear is also said to be snuffling around embassies and other diplomatic targets. Capitol Hill mulls cyber deterrence, the Equifax breach looks worse, and the story of two high-profile fraud victims.

Dave Bittner: [00:00:37:00] And now some notes from our sponsor Cylance. You've heard of Emotet, the banking Trojan that re-emerged at the end of 2017 to trouble online banking customers. For now it's hitting financial institutions mostly in Austria and Germany, but even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well don't get cocky kid. Your language community could well be in the on deck circle. The new Emotet has a bad new dropper. It knows when you're sandboxing it and it evades attempts to analyze it. Fortunately, you're in luck no matter where you are, Cylance can protect you. Check out Cylance's blog post about Emotet at That's Cylance, and we not only thank them for sponsoring the CyberWire, but we suggest you head on over to for the skinny on Emotet.

Dave Bittner: [00:01:33:12] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, March 2nd, 2018.

Dave Bittner: [00:01:41:24] The amplification attacks against which security experts warned early this week turned up in the wild Wednesday. GitHub was briefly taken down, estimates range from five to 20 minutes. Security experts call it the biggest distributed-denial-of-service campaign on record: 1.3 Terabits per second.

Dave Bittner: [00:02:00:24] The attack used the amplification potential of memcached servers. Akamai, whose Prolexic service GitHub used to mitigate DDoS attacks, was able to stop the attack by routing traffic coming to and from GitHub through Akamai's scrubbing centers to screen malicious packets.

Dave Bittner: [00:02:18:03] Fortunately Akamai had recently put measures in place that enabled it to handle memcached amplification attacks, a problem that has only come to light in recent weeks. This form of attack differs from ones using the more familiar attack tools like Mirai in that they don't depend upon a botnet established by malware infestations. Just spoof the target's IP address and send a few queries to memcached servers and Bob's your uncle.

Dave Bittner: [00:02:44:04] Too many memcached servers sit out there, facing the Internet and open to exploitation. Some 100,000, by estimates reported in WIRED magazine. Until these are closed other enterprises face the risk of cripplingly large DDoS attacks.

Dave Bittner: [00:03:00:16] Germany, which continues to work on remediation of what's being called an "ongoing" attack on a government dedicated secure network, officially declines to attribute the attack. Their Economy Minister yesterday said that, while there were no indications Russia was behind the hack, it would be "problematic" if this would turn out to have been the case.

Dave Bittner: [00:03:20:03] Few others are so reticent. The industry consensus is that the attack is the work of Fancy Bear, Russia's GRU. Some members of the Bundestag who've been briefed on the incident are calling it "a form of warfare."

Dave Bittner: [00:03:33:11] Fancy Bear has been busy elsewhere, too. Palo Alto Networks reports that it's observing a campaign mounted against diplomatic targets elsewhere in the world.

Dave Bittner: [00:03:42:19] As disturbing as Russian cyber operations have been, CrowdStrike says that, in its view, North Korea remains the greater threat. Dragos agrees that North Korea needs to be taken seriously. The company believes Pyongyang has been working hard on tools to be used against industrial control systems. It also believes the DPRK is sizing up the US power grid as a promising high-payoff target.

Dave Bittner: [00:04:08:07] General Paul Nakasone, nominated to succeed Admiral Rogers as head of NSA and US Cyber Command, thinks deterrence is cyberspace difficult but essential. He told Congress the opposition must face costs. What costs to impose, and how to impose them, remain difficult questions to answer. For deterrence to work, you need to have identified something the opposition values and shown that you can hold that value at risk.

Dave Bittner: [00:04:34:18] Classical nuclear deterrence held human beings, whole cities of them, at risk. No one has yet come up with a clear analogue in cyberspace. Few advocate lethal attacks on critical infrastructure as part of a new mutually assured destruction regime. So far deterrence seems to have come down to economic sanctions and naming-and-shaming. These aren't crazy or weak approaches, but they do appear to have proven insufficient. As recent inquisitions on Capitol Hill suggest, the US Congress is in a pretty sharkish mood. It will be up to General Nakasone to come up with something that will satisfy their appetite for credible retaliation.

Dave Bittner: [00:05:13:08] The Equifax breach, first publicly disclosed last September, has just been discovered to be worse than originally thought. As investigation continued, Equifax determined that nearly two-and-a-half million US customers not notified during the initial round of disclosures turn out to have been affected. Equifax, which posted an update to the investigation on its site yesterday, is notifying the affected parties by US Mail.

Dave Bittner: [00:05:38:22] Finally, don't think it's just the naïve and unsophisticated newbies who swallow phishing and other online scams hook, line, and sinker. FS-ISAC, the financial services intelligence-sharing group, is widely regarded as one of the more capable organizations of its kind. Yet even so one of its employees was successfully phished by crooks who induced the hapless fellow to pony up his email credentials, which they then proceeded to use in phishing other FS-ISAC personnel. Happily the imposture was quickly recognized and contained before it spread very far, the ISAC people who received the spoofed round of phishing emails were quick to be suspicious and report the problem.

Dave Bittner: [00:06:18:13] And you of course have heard of Steve Wozniak, one of Apple's co-founders. The Woz himself says he was hoodwinked by someone who bought Bitcoins from him a while back. The scammer paid for the cryptocurrency with a credit card and then, once the seven Bitcoins were transferred to his wallet, just went ahead and charged back his credit card. You can reverse a credit card transaction, but not so a Bitcoin transfer. Those are irreversible. So Mr. Wozniak was left with nada, zippo, zilch. Seven Bitcoins would be worth, today, around $70,000. Be sorry for the Woz, but don't worry, we hear he'll still be financially okay. And good on the Woz for sharing with the rest of us. If you're selling Bitcoins, don't take plastic.

Dave Bittner: [00:07:08:21] Now a moment to tell you about our sponsor, ObserveIt. It's 2018, traditional data loss prevention tools aren't cutting it any more. They're too difficult to deploy, too time consuming to maintain and too heavy on the end point. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization.

Dave Bittner: [00:07:43:01] That's because ObserveIT focuses on user behavior. It's built to detect and respond so insider threats and it's extremely difficult even for the most technical users, to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:08:14:24] And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Robert welcome back. We have been working our way through some of the various ICS environments and today I wanted to talk about advanced manufacturing. What can you tell us about that?

Robert M Lee: [00:08:31:00] Yes, the thing about the manufacturing industry in general is good to be able to separate it out in different classifications like you did in the introduction. When you think about manufacturing in North America, I think there's something like 7,300 or so manufacturing shops. That's not all what we're talking about though, because many of those are not interconnected systems or using industrial control systems in the way that we are talking about when we think about advanced manufacturing.

Robert M Lee: [00:08:54:01] So when I think of advanced manufacturing, it is those environments where they have industrial control and they have interconnected systems and they're taking advantage of technology to help the process in a significant way. Think of Tesla and SpaceX and Pepsi and Kellog. These big manufacturing companies. For them, what's interesting about their challenges as well as opportunities for business, is unlike any other industry, they're really going towards the internet of things, but it's not the traditional internet of things. It's an extension of industrial controls so we generally call it the industrial internet of things.

Robert M Lee: [00:09:35:01] Sometimes people get confused and think that IOT and IIOT are very similar, they're just one letter apart, but they're a world apart. You basically go from IOT to IT to ICS to IIOT, there's kind of a lifecycle there. But the advanced manufacturing folks, instead of just having their traditional skater type environments, they've got their control elements and things on the factory floors but they've also got things like robot arms that are connected and they can swing around and there can be safety issues if it's not protected correctly. Maybe a simple broadcast over the network could cause one of those things to malfunction, and is the human operator outside it like a safety cage? Or that's going to introduce a potentially life issue in terms of safety.

Robert M Lee: [00:10:14:17] So for them, they've got this amazing opportunity to take advantage of industrial internet of things as well as ICS, to be much more effective, efficient and automated in the production processes than ever before. But at the same time they have the risk that there are now issues not only incidental sort of malware and incidental broadcast and that kind of thing, but also targeted nature where things can occur to stall or disrupt the process. The factor line sometimes have a very tight schedule on when they're producing like the Tesla as an example. They're very much pushing full steam ahead.

Robert M Lee: [00:10:48:20] But they also have the consideration that a lot of the intellectual property is not just stored in the IT environment. The actual implementation of how you're making devices and configuring them together and the efficiency to which you're achieving, in and of itself is intellectual property. And a lot of that's contained down the industrial networks. So an adversary getting into those locations, espionage is a significant challenge for them. So when we think of electric and oil and wind and water, and these other places, there's issues and there is espionage, there's a very military focus for a lot of foreign nation states on projecting foreign power.

Robert M Lee: [00:11:22:14] When you think of manufacturing that is also true, but there's also a major component of intellectual property that they're trying to address, so they also have some unique threats in doing so. As well they have a great opportunity in front of them making sure that they can identify and understand and protect all those new tens of thousands of interconnected industrial IOT devices. That is a challenge that they are now trying to adapt and meet.

Dave Bittner: [00:11:50:03] Robert M Lee, thanks for joining us.

Dave Bittner: [00:11:56:11] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017, so even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math that's still over 3,000 problems per day that current solutions cannot solve.

Dave Bittner: [00:12:28:01] Comodo doesn't settle for 99%, and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container where the malware's rendered useless. With Comodo's patented auto containment technology, they bullet proof you down to hour zero every time. Solving the malware problem. So with Comodo you can say with confidence, I got 99 problems, but malware ain't one.

Dave Bittner: [00:12:52:12] Go to to learn more and get a free demo of their platform. That's, and we thank Comodo for sponsoring our show.

Dave Bittner: [00:13:12:03] My guest today is Marcus Harris, he's a Chicago based global technology attorney at Saul Ewing Arnstein and Lehr LLP. Our conversation centers on recent news that software companies like SAP and McAfee are allowing Russian government entities to view their source code and why, as a software litigation expert he thinks that is a bad idea.

Marcus Harris: [00:13:33:15] This has been going on for probably I would say at least a couple of years where in order to gain access into the Russian market, which is a multimillion dollar market that's incredibly desirable for companies like SAP, Symantec, McAfee, Oracle to enter, what the Russians are doing as a requirement of entry into their marketplace, they're requiring that software companies provide these Russian entities which are typically agents of the Russian government, either explicitly or implicitly, to have access to the source code of the software with the pretense being that the Russians want to review the software source code in order to make a determination as to whether it has any vulnerabilities in it.

Dave Bittner: [00:14:31:22] Is there a reasonable argument that they can make that this is an anti espionage tactic for example?

Marcus Harris: [00:14:39:15] I think they have made that argument and I think it's certainly a reasonable argument. But where that argument starts to become suspect, I think, is when the software is going to be utilized in a non-governmental application. So if that software is going to be utilized in a business that really has very little dealing with a Russian governmental entity, I don't see what the purpose of any kind of a substantive source code review would be. So I think if they're going to pin their hat on an argument that this is important because we need to make sure that our governmental interests are not going to be compromised, it doesn't make a lot of sense the farther removed you get away from actually utilizing that software in a government entity.

Dave Bittner: [00:15:36:09] So what's the risk here? If this is a consumer software, or something that people are using to run their businesses, it's not a military situation or anything like that. What is the downside for us?

Marcus Harris: [00:15:47:18] Well, I think there are a number of risks and I actually do think that there are really at least two substantive arenas where this becomes risky. The first is certainly from a national security perspective, you've got Bill McDermott, the CEO of SAP which is one of the companies that has provided the Russians with the ability to access and review their source code, in a meeting a couple of weeks ago with President Trump, in the White House, touting that both the army and the navy utilize the SAP software in their operations.

Marcus Harris: [00:16:25:13] So from that perspective, I think certainly, it's a national security issue, but I think from a general business perspective, there's a lot of vulnerability and a lot of risk that any business owner that utilizes enterprise software, needs to be aware of and that's a very large number of businesses. Enterprise software today is very much the backbone of the way modern business is conducted, and I would bet that virtually all companies of any size are going to utilize an enterprise resource software application, whether it's in the cloud or on premise.

Marcus Harris: [00:17:03:24] And to the extent that your vendor has made its code available for review to a hostile government entity like say the Chinese or the Russians, in the case of China in particular that that country doesn't have a good track record of protecting intellectual property and actually has a track record of commercial espionage, trying to obtain proprietary confidential information so that it can utilize it for its own economic interests. I think that's a big deal, because I think then what happens is that you don't know what the substantive risk associated with using that software could potentially be. I think you have to take reasonable steps to safeguard yourself from at least the possibility that your vulnerable information, your trade secrets, your proprietary and confidential information, could be vulnerable to a greater extent than it otherwise would have been had these companies not provided the key to the factory shop to these hostile government entities. So I think it's a huge risk.

Dave Bittner: [00:18:13:23] You know, I remember I think it was back in the 90s when the US government classified certain types of encryption as munitions. So it was illegal to export them. Do you think we need that sort of oversight where the code behind some of these software packages, the distribution of it gets oversight by the Feds?

Marcus Harris: [00:18:34:18] Yes, I think so. I think the example that you raised is a good one, because there's all sorts of regulations associated with encrypted software. Depending on the type of encryption there's regulations as to what countries that particular piece of code or product can be exported to. And I think there needs to be a very deep dive into what kind of government regulations need to be applied to this type of scenario.

Marcus Harris: [00:19:05:13] I think if there are certainly going to be government entities that are utilizing software where that software's source code has been disclosed essentially to the United States' enemies, I think certainly there needs to be regulation of that. And it needs to be prevented or at least managed very carefully. I think it becomes a little bit more difficult to tell these companies what to do with their source code to the extent that it's not something like encryption where it can be readily used against the United States' interests. But I certainly think that this kind of blatant review for the purposes of understanding the software, understanding its vulnerabilities, under the guise of protecting the Russian government for example, but really for the purpose of facilitating hacking and the like.

Marcus Harris: [00:19:56:01] Some of these government entities on the Russian side that actually access the software, or the source code, are some of the same government entities that are allegedly responsible for hacking into the DNC's email system. So there's a substantial risk and I think government regulation needs to come and it needs to come quickly in order to manage this process.

Dave Bittner: [00:20:15:12] That's Marcus Harris, he's an attorney with Chicago law firm Saul Ewing Arnstein and Lehr LLP.

Dave Bittner: [00:20:24:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:20:45:16] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe. Where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.