The CyberWire Daily Podcast 3.7.18
Ep 550 | 3.7.18

Patchable vulnerabilities in Apache Struts and Exim. ComboJack malware. DPRK vs. UN Panel of Experts. Cyberwar and legal limits. Espionage Act prosecution. Infowars turn grimly kinetic.


Dave Bittner: [00:00:03:17] Spies like Apache Struts exploits. We've got some server vulnerabilities described. A new cryptojacker steals at least four varieties of cryptocurrency. North Korea may have hacked UN sanctions enforcers. Dutch Intelligence and Microsoft warn of cyberwar, but it's not a declared war, which makes response harder. We've got an update to the pack rat defense, with considerations of mens rea. ISIS terror inspiration and a possible assassination attempt.

Dave Bittner: [00:00:37:06] Now a moment to tell you about our sponsor ObserveIT. It's 2018, and traditional data loss prevention tools aren't cutting it anymore: they're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine tuning. It's time to take a modern approach. With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out of the box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at, that's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:46:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, March 7th, 2018.

Dave Bittner: [00:01:55:22] Security firm Quick Heal reports Chinese and Russian operators are showing a continued interest in Apache Struts exploits. Patching is strongly advised, and patches are available.

Dave Bittner: [00:02:07:14] Another vulnerability affects servers: the Exim message transfer agent is susceptible to buffer overflow bugs. Security consultants at Devcore, who described the issue, recommend Exim users upgrade to version 4.90.1.

Dave Bittner: [00:02:24:05] Palo Alto Networks reports finding a new, multi-functional cryptojacker in the wild. "ComboJack" steals Bitcoin, Litecoin, Monero and Ethereum by replacing a wallet's legitimate address with the attackers'.

Dave Bittner: [00:02:39:06] North Korea's on-line operations are famous for having proceeded from vandalism to lucrative cybercrime but their role in espionage shouldn't be discounted. Pyongyang cyber operators are said to have hacked the UN panel responsible for administering economic sanctions leveled against the DPRK. The UN "Panel of Experts," which routinely reviews attempts to bypass international sanctions through smuggling and other means, says it was subjected to a "state-sponsored" attack from an unspecified state. That unspecified state, widely and obviously suspected on a priori grounds to be North Korea, was apparently interested in measures being undertaken to facilitate clandestine trade with the DPRK. Much more than that, the heavily redacted report doesn't say, but it does indicate that the attack vector was spearphishing by email.

Dave Bittner: [00:03:31:09] When looking for cybersecurity tools, it's natural to consider the technology under the hood but it's also important to take into account how the people using that technology interact with it. A well designed user interface can be the difference between an efficient tool and a frustrating one.

Dave Bittner: [00:03:47:15] Sylvain Gil is co-founder at Exabeam, a provider of security intelligence and management tools and I recently spoke with him about the relationship between design and security.

Sylvain Gil: [00:03:58:11] Yes, I'm constantly trying to understand what our users are dealing with on a daily basis, kind of the problems they're facing, and before we think of a technology we put out on the market, we really just, you know, go through a fairly rigorous design process to try to, you know, empathize with these users and their problems, and when we come up with solutions I think often these solutions decide what features we're going to be adding to the product and also sometimes which products we're going to be releasing or not releasing based on, you know, the outcomes of the design process.

Dave Bittner: [00:04:32:24] Yeah, you know, you make the point that there could be a generational thing at play here, that millennials are looking to interact with the machines perhaps in a different way than some of us old timers are.

Sylvain Gil: [00:04:45:05] You know, I don't think it's a generational thing necessarily, but I think it's very important to, I think, recognize the fact that everybody has technology in their hands nowadays and, you know, I've been in the information security industry now for a couple decades and I feel like we have a big, you know, talent problem where there's just not enough practitioners out there, and if we're trying to be inclusive, it can bring people in their, you know, inner wall. We have to make the learning curve a little bit easier for these folks that are coming in from the outside, and in general, even if you're a security expert ninja, it shouldn't be too complicated to use your security tools.

Sylvain Gil: [00:05:22:12] So what we're trying to do, I think, after is just to attach to a pattern in terms of interaction and user experience that people are familiar with. Probably the best example of that, in one of Exabeam's products, is how we show user activities in a timeline that's very similar to the timeline you would see in Facebook, for example, and that's, you know, really something we did on purpose.

Dave Bittner: [00:05:45:14] Tried to give them something that perhaps they're familiar with from a different context.

Sylvain Gil: [00:05:49:10] Yeah, every time you're able to mimic an interaction of a consumer type of software, and even better if it's like a mobile experience that people get to use every day, that means that we do not need to train our end users on how to use that specific feature in our products.

Dave Bittner: [00:06:07:01] Do you find you get any resistance to this sort of thing? I'm thinking specifically that, I think for some people in cybersecurity, stepping up in front of a command line is almost a point of pride.

Sylvain Gil: [00:06:19:13] That's right. I think what we've had to deal with early on at Exabeam is the fact that even though we had a very, you know, you could say clean UI, clean design, very simple, you know, usability of the product, its simplicity actually at some point came to hurt us, where people thought the technology was too simple - that, you know, there was just, you know, not enough under the hood in the machine learning engine and the analytics capabilities because, you know, the outside actually almost looked too good. So that's something that we had to deal with, you know, more in terms of messaging, positioning, and we had to educate a little bit about the events aspects of what we do because, well, in some way, the clean design that looks like a consumer tool may not reveal all the sophistication that we've put on the back end.

Dave Bittner: [00:07:08:18] So it sounds like you're really making the case that paying attention to these details, sweating the details when it comes to design can lead to safer outcomes.

Sylvain Gil: [00:07:18:01] It does. I think it's safer for our comms, it's easier adoption, you know. A lot of times when you deal with, at least, you know, a facet of what we do at Exabeam is around detection. People have a lot of, I think, you know, concerns with machinery, and I think one of those is actually a trust concern, and something that's a very normal human feeling, you know, you have a computer telling you, I think this is good or bad. And it's really for design process that you can kind of break down that problem into little tidbits where you can start to fight the feeling where, if you're not trusting what we are gonna output, we're going to give you ways to get to that trust level. You're going to be able to have checks and balances so you're not, you know, left with a black box that tells you you're an A.

Dave Bittner: [00:07:59:22] That's Sylvain Gil from Exabeam.

Dave Bittner: [00:08:04:03] Dutch intelligence services report that state-directed cyberespionage has risen significantly. Microsoft's president says we're witnessing a level of activity in cyberspace consistent with active warfare.

Dave Bittner: [00:08:16:13] But one problem, of course, for any concerned with legality and authority, is that the US and Russia, to take the two biggest antagonists, aren't at war.

Dave Bittner: [00:08:26:03] President Trump and Director of National Intelligence Coats say the US is fully determined to stop Russia (or anyone else) from interfering with midterm elections. But DNI Coats points out that, absent a state of war, and absent other new authority from Congress to act, the Intelligence Community is constrained in its responses in ways that Russian security and intelligence services are not.

Dave Bittner: [00:08:50:09] The Government's Espionage Act prosecution of former NSA contractor Hal Martin continues to face difficulties, Politico reports. The defense argues that Mr. Martin was unlikely to have known about the specific twenty documents specified in the indictment. After all, he is said to have been a packrat and the charges under the Espionage Act would seem to require that he knew what he had. Federal District Court Judge Marvin Garbis, who's hearing the case, is skeptical.

Dave Bittner: [00:09:18:01] The prosecution argues that as long as Martin knew he was doing something wrong, he had the necessary mens rea for a conviction. Martin's defense attorney Debbie Boardman argued that the Government's theory would raise mere petty theft to the level of espionage. She posed a hypothetical: suppose she were at a meeting at Fort Meade and pilfered a stack of notepads with the NSA's eagle-and-key logo on them. Then suppose one of the pages of one of the pads in the stack had something classified written on it and she didn't know that. "I'd be guilty under the Espionage Act," she said.

Dave Bittner: [00:09:51:01] Well. We don't know about you, but we'll be mighty careful at RSA about taking home any swag being offered at the NSA booth. Who knows what might be in it?

Dave Bittner: [00:10:01:18] The packrat defense being mounted in a Baltimore courtroom has an almost operatic quality to it. But other cases of espionage and terrorism are decidedly serious. Two sad incidents serve as reminders that more than ever there's a lethal intersection of the informational and the kinetic.

Dave Bittner: [00:10:18:23] In the first, ISIS is using a video that purports to show the deaths of US special operations personnel during an ambush in Niger. The Caliphate has entered its terrorist diaspora phase. No longer able to maintain pretenses to governing, ISIS returns to its familiar online playbook of depraved inspiration. The US Department of Defense, which continues its investigation of the ambush, is said to see any viewing or mention of the video as objectively providing support to ISIS, but it would seem important for people to understand what the terrorist organization sees as its core message. It's an ugly one.

Dave Bittner: [00:10:56:13] And in the UK, police and intelligence organizations are treating the poisoning of a former Russian intelligence officer and his daughter as attempted assassinations. Sergei Skripal, aged 66, and his daughter Yulia, aged 33, collapsed at a shopping center in Salisbury after having been exposed to an unknown substance, the Times of London reports. Both are in critical condition, undergoing treatment in a hospital. Ten other people, bystanders and first responders, were also affected, and one of them remains hospitalized. The agent involved in the apparent poisoning is unknown.

Dave Bittner: [00:11:34:01] Skripal, who had been an officer in Russia's GRU, was arrested and convicted of passing information to Britain's MI6. He was released to the UK in a 2010 spy-swap arrangement. If Russian security services did indeed, as it seems, try to kill him and his daughter, this would appear to be the first time an exchanged spy had been so targeted. We wish all involved comfort and recovery. Russian officials, of course, deny any involvement.

Dave Bittner: [00:12:07:07] Now a word about our sponsor, the Johns Hopkins University Information Security Institute, providing the technical foundations and knowledge needed to meet our nation's growing demand for highly skilled professionals in the fields of information security, assurance and privacy. We value their expertise and insights as one of the CyberWire's academic partners, and of course they're one of the world's great research universities. The institute is also an NSA and DHS designated center of academic excellence in information assurance and cyber defense and research. Visit to learn more, and there are scholarships available. That's And we thank the Johns Hopkins University Information Security Institute for sponsoring our show.

Dave Bittner: [00:13:01:21] And joining me once again is Chris Poulin, he's the Director of Connected Products Security at Booz Allen Hamilton. Chris, welcome back! Today you wanted to touch on some issues with things like physical security, some of these next generation systems that take on tasks that were typically human tasks, things like security guards, things like that. But what do you have to tell us today?

Chris Poulin: [00:13:23:05] So it's interesting, I've been talking to some customers who are asking questions about how, is it, well, let me back up. So you think about the IoT as being typical devices that we're used to using and then connecting them to the Internet, and so people characterize that as being sort of a physical-digital combination, and so if you flip it around on its head to a certain extent, physical security's actually coming up more and more in conversations that I have with clients about how to build out physical security systems. So for example there was a client who is going to be building a parking garage, now they're building a new facility and they're adding a parking garage to it, and it's going to be in the middle of the city, where their employees have been used to being out on the outskirts where they feel a little bit safer, you know, suburban versus urban settings.

Dave Bittner: [00:14:13:06] Right.

Chris Poulin: [00:14:14:02] Instead what they, the employees, want is to feel secure when they park their car and get out, so everything from the entry systems to try to prevent, you know, some sort of attacker, physical attacker, from being able to get into the garage and then hide behind some of the cars and then assault them as they're walking towards the entrance, and so, you know, that's their primary concern about the physical being. I mean, there's also theft of the cars themselves or the contents of the cars and things like that.

Chris Poulin: [00:14:43:10] So one of the interesting things is how can you outfit physical security with things that are IoT devices? And so one example would be, and anybody who has been around smart cities knows that lighting is ubiquitous, and so a lot of times sensors are placed, a multitude of sensors are placed, with the lighting systems. So the same thing can happen in a garage, where there are audio sensors that listen for gunshots or even, for example, they can listen for somebody who just sort of says 'help' at voice level, normal speaking voice, and then the different microphones can triangulate exactly where they are and automatically recognize that as a trigger word and then contact security guards, who can then respond quickly and directly to where that person is physically, presumably being assaulted or at least feeling threatened.

Chris Poulin: [00:15:30:24] So that might be one instance. A little bit more on the news I suppose is that there are security guards who wander around, right.

Dave Bittner: [00:15:38:15] Right.

Chris Poulin: [00:15:39:00] You can actually supplant that with more security guards, because the opportunity for an attacker is to, you know, profile the path and the timing of the security guards, and there's only a certain amount of people that you can put on the job, but instead of having those security guards that you always read about in the news who look like something out of Robocop and have some sort of a laser weapon attached to their arm.

Dave Bittner: [00:16:02:21] [LAUGHS]

Chris Poulin: [00:16:03:14] You can instead have smaller bots, you know, about two, three feet high, that just roll around, and they're affordable enough that you can have many of them and you'll reduce that, the opportunity between the time that they're actually wandering around. So even though they might not be able to do anything like attack the attacker, they still, the fact that there's something moving and presumably watching over, it has a two fold effect. It can deter the attackers and it would also make the employees feel safer in a place like a parking garage.

Dave Bittner: [00:16:34:21] And I suppose part of it is that the bad guys don't necessarily know what the capabilities of that device are. They just see it moving around; they don't know if it can chase them down or take a picture of them or what.

Chris Poulin: [00:16:45:17] Exactly, and plus, by the way, there's all kinds of interesting things that you could do with it. If it's short it can see under cars, so it actually reduces the hiding spaces for attackers in the first place. So yeah, so to your point, they don't know whether or not that thing can actually detect heat, which you could probably outfit them with infrared sensors for; there's the unknown and then there's, I think, just a little bit of a psychological aspect of it as well.

Dave Bittner: [00:17:07:17] Yeah it's interesting stuff. All right Chris Poulin, thanks for joining us.

Chris Poulin: [00:17:11:11] Thank you.

Dave Bittner: [00:17:14:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor E8 Security. All of the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:17:36:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.