The CyberWire Daily Podcast 3.5.18
Ep 548 | 3.5.18

Humanitarian organizations targeted. Memcrash extortion. Spring Break bug. Equifax breach update. Russian influence operations (and American "yelling and hollering").


Dave Bittner: [00:00:00:12] A special thanks to all of our Patreon supporters. You can find out how you can support our show by visiting

Dave Bittner: [00:00:11:21] A new campaign targets human organizations with North Korean phishbait. Memcrash is now being exploited by criminal extortionists. It's time for Spring break, but not the fun kind. Equifax losses from last year's breach are set to mount. Germany says it detected the compromise of a secure government network before too much damage. They don't offer official attribution, but everyone else says it was the Russians. The Russians say they didn't do it. And President Putin deplores yelling and hollering in the US Congress.

Dave Bittner: [00:00:48:11] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools are not cutting it anymore. They are too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization, because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it is extremely difficult, even for the most technical users, to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at

Dave Bittner: [00:01:57:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, March 5th, 2018.

Dave Bittner: [00:02:07:21] McAfee researchers report finding a new campaign that targets international humanitarian aid organizations. The actor behind the operation is not specified, although McAfee believes it to be a Korean speaker. The malicious documents are baited with news about North Korean relief organizations. McAfee ties one persona, to the operation.

Dave Bittner: [00:02:33:00] Memcrash distributed denial-of-service attacks have apparently been criminalized. DDoS attackers seek to extort cryptocurrency from victims. Akamai, who follow the DDoS campaigns closely and played a principal role in GitHub's swift recovery from what's dubbed the largest DDoS attack on record, has spotted extortion notes buried in the attack traffic. The hoods are asking for Monero, which appears attractive to them because of its greater relative anonymity than competing cryptocurrencies like Bitcoin.

Dave Bittner: [00:03:05:00] Researchers at LGTM have discovered a vulnerability in the widely used Pivotal Spring web development framework. The issue, which they are calling Spring Break, is said to be an easily exploitable, arbitrary command execution bug. The vulnerability is similar to problems with Apache Struts which, unpatched, were exploited in the Equifax breach of 2017.

Dave Bittner: [00:03:28:10] Regarding Equifax, its breach may prove to become the most expensive hack yet recorded. CRN reports that the company's breach related costs, disclosed in an earnings conference call, could rise to $435 million by the end of 2018. This estimate follows last week's news that almost 2.5 million more consumers than previously known had been affected by the breach.

Dave Bittner: [00:03:53:12] More affected individuals may come to light as the long process of investigation continues.

Dave Bittner: [00:04:00:11] Germany's interior ministry says that relatively early detection of intrusion into a sensitive network averted considerably more extensive damage to government. The spokesman declined to offer attribution, but unofficial consensus is that the hack was a Russian operation. Russia's foreign ministry denies any involvement and cites the incident as another case of western governments reflexively, and in bad faith, blaming Moscow for anything that goes wrong in cyberspace.

Dave Bittner: [00:04:30:09] Russia's President Putin offered a similar response to US concerns about election hacking and wants to see the evidence. It's a lot of "yelling and hollering in the United States Congress", says Mr Putin. There is indeed a lot of yelling and hollering on Capitol Hill, but there's more to Russian election interference than that.

Dave Bittner: [00:04:49:17] Mr Putin would like to see the accusations sent to Russian authorities through official channels, because he's solidly committed to the rule of law, or something. Mr Putin said in an interview on NBC on Friday, "with all due respect for Congress, you must have people with legal degrees."

Dave Bittner: [00:05:08:18] Russian influence operations are not seriously in doubt, but observers lament that investigations into them have become increasingly partisan, with yelling and hollering across the aisle.

Dave Bittner: [00:05:19:23] Leaked documents are thought to provide some insight into the operations of Russian troll farms and their objectives, which always appear to include the overarching goal of fermenting mistrust. Some think they see more specific economic objectives also.

Dave Bittner: [00:05:37:01] The US House of Representatives committee on Science, Space and Technology released a majority report last Thursday in which they alleged that Russian social media exploitation was engaged in attempts to suppress US fossil fuel production. The report itself notes that the Russians are "intent on exploiting existing divisions and social movements in the United States."

Dave Bittner: [00:06:00:11] In some respects the social media engagement on energy development does seem in some respects, difficult to distinguish from the general goal of creating chaos. But there appears to have been some interest in inhibiting natural gas pipeline development. Still, in this case though, it's difficult to separate signal from noise.

Dave Bittner: [00:06:21:18] The troll farm was certainly busy on the social media front and it remains unclear just how many followers they attracted.

Dave Bittner: [00:06:28:13] Last Fall, Facebook told California Democrat Senator Feinstein that "approximately 1.8 million people followed at least one Facebook page associated with the Internet Research Agency," that is the big St Petersburg troll farm.

Dave Bittner: [00:06:44:16] But Wired reports that a researcher at Columbia Tow Center for Digital Journalism, Jonathan Albright, thinks that Facebook has considerably underestimated those numbers and that it really has no idea how many humans follow the trolls because it never really looked into the trolls' Instagram accounts. Albright has done so and estimates the answer is in the millions.

Dave Bittner: [00:07:08:09] And what about those trolls from the Internet Research Agency who were indicted as a result of Special Counsel Robert Mueller's investigation?

Dave Bittner: [00:07:16:19] They're an interesting mixed bag, according to an account in Fifth Domain. They're described as nine-to-fivers who are interested in building their careers and not terribly concerned about the nature of their work. A former employee of the Internet Research Agency, one who wasn't indicted, told the AP that her colleagues "came to the factory and thanks to their personal qualities and knowledge of English, they were rapidly promoted."

Dave Bittner: [00:07:41:09] Among them were a student in psychology with an interest in loneliness, a journalist who did stand-up comedy, and a wildlife management graduate from a little town near Irkutsk who apparently thought of himself as a Siberian Jay-Z. What are they teaching them at the Russian State Hydrometeorological University these days?

Dave Bittner: [00:08:06:14] Our sponsor, the Johns Hopkins University Information Security Institute, provides the technical foundations and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security, assurance and privacy. We value their expertise and insights as one of the CyberWire's academic partners and, of course, they're one of the world's great research universities. The Institute is also an NSA and DHS designated center of academic excellence in information assurance and cyber defense and research. Visit to learn more. Scholarships are available.

Dave Bittner: [00:09:01:01] Joining me is Ben Yelin, a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.

Dave Bittner: [00:09:07:14] We saw a recent blog posting from Bruce Schneier, about the section 702 reauthorization, which has now taken place. Could you comment on some of Bruce Schneier's observations and also give us your thoughts on this?

Ben Yelin: [00:09:27:11] Schneier is saying that this represents somewhat of a loss for civil libertarians relating to electronic surveillance for national security purposes. The FISA amendment was originally enacted in 2008 with the support of the then Senator Obama. Through the Stone disclosures in 2013 we found out that it was being used to justify unwarranted data collection through our internet service providers in a program called Prism, and also from our internet infrastructure, through what we call upstream collection.

Ben Yelin: [00:10:02:14] And one of the reasons it became controversial is that even though the program is intended to collect the communications of US persons who are located abroad, sometimes the communications of US persons or even wholly between US persons can get enraptured as part of this collection. There's no judicial authorization to collect the communication data, and the information, goes into a giant government database, that is available to almost all of our intelligence agencies, meaning, it's searchable. So if I were to talk to a potential terrorist target overseas, even if that conversation was something that I wanted to keep private, the government could collect that, without any sort of judicial authorization, without a warrant, it would be searchable and if they found evidence of a crime, in searching for that information, they could use it to prosecute me.

Ben Yelin: [00:10:55:14] This blog post refers to the thinking after the Stone disclosures, when it appeared there was a political will to curb the excesses of electronic surveillance and restore our civil liberties. The program, set to expire at the end of 2017, was extended for a couple of weeks into January 2018 and in January they passed a reauthorization bill that only made very minor changes to the law. One of the changes is that a warrant is now required to search the database of collected communications solely for the purposes of a criminal prosecution. Obviously that's a giant loophole. Some intelligence agencies could certainly assert that they are only searching the database for foreign intelligence information, but if they do happen to come across evidence of a crime, there's nothing stopping them from prosecuting. It didn't turn out to provide the robust civil liberties protection that those in favor of reforming section 702 really desire, which is to have all searches of 702 data be subject to a warrant requirement.

Ben Yelin: [00:12:06:09] Schneier's blog poses a very important question which is what do we do now? We've tried the judicial route with some of the foremost protectors of civil liberties in our country, the ACLU and the Electronic Frontier Foundation, filing lawsuits against this program for years. They have never been able to have a case heard on the merits because it's very difficult to establish for a person to establish that he or she has been subject to government surveillance because the information is classified. And now this program has been reauthorized for six years, our political conscience has moved on and I can understand why this blogger feels a little hopeless. Frankly I think it was a big setback for those who wanted wide-ranging and sweeping reforms to the surveillance program.

Dave Bittner: [00:13:03:18] And from a law enforcement side, they make the case that requiring judicial oversight slows them down and impedes their ability to do their work in a timely manner.

Ben Yelin: [00:13:17:04] They do and this is backed up by our fourth amendment jurisprudence. There's been this long-running doctrine that if law enforcement or intelligence agencies have some sort of special need beyond the norm of catching and convicting criminals, then generally they do not need a warrant to conduct that surveillance, as long as the search is reasonable. Determining what's reasonable requires balancing the government's security interests in collecting that information against the potential invasion of privacy. Trying to look at that objectively, some of our top intelligence professionals believe that section 702 has proven to be quite effective in thwarting terrorist attacks and identifying targets, but you balance that against what I think is a major inhibition on privacy and civil liberties. The fact that there's this so-called back door search, the government can incidentally collect the communication of a US person without any prior judicial authorization and if there's some sort of evidence of a crime contained in that information, they can make an arrest on what would otherwise be an unconstitutional, illegal search. So we balance those security interests against those privacy interests. I think there are arguments to be made

Ben Yelin: [00:14:13:04] The fact is that with this so called back door search, the government can incidentally collect the communication of a US person without any prior judicial authorization, and then use evidence of a crime contained in that information, to make an arrest on what would otherwise be an unconstitutional, illegal search. So we balance those security interests against those privacy interests, and I think there are arguments to be made on both sides. I would like to see this really adjudicated in a federal court or played out in the public sphere, and I think Schneier and a lot of others thought that debate would happen in Congress when section 702 was up for reauthorization at the end of 2017. However, there was such a log-jam of legislation that needed to be passed that I don't think section 702 was afforded the time for the sort of protracted, wide-ranging debate about electronic surveillance that I think many of us wanted us to see on the House and Senate floor.

Dave Bittner: [00:15:22:16] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit

Dave Bittner: [00:15:35:17] And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:15:44:03] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.