The CyberWire Daily Podcast 3.15.18
Ep 556 | 3.15.18

Chip vulnerability disclosure controversial. Black market and point-of-sale malware. SEC charges ex-Equifax exec with breach-related insider trading. Tensions over Salisbury nerve agent attack.


Dave Bittner: [00:00:00:00] Thanks to our many Patreon supporters. You too can help support the CyberWire. Go to and find out how.

Dave Bittner: [00:00:11:22] AMD continues its investigation of the backdoors and other vulnerabilities that CTS Labs publicly disclosed. That disclosure remains controversial. BlackTDS offers malware distribution as a service on the black market. PinkKite is a small but persistent point-of-sale threat. The SEC charges a former Equifax exec with trading on non-public information of the credit bureau's data breach. Germany, France, and the United States join the United Kingdom in denouncing Russia for the Salisbury nerve agent attack.

Dave Bittner: [00:00:48:13] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best, informed decisions possible for your organization.

Dave Bittner: [00:01:13:17] Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. It's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:55:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, March 15th, 2018.

Dave Bittner: [00:02:05:03] AMD continues investigation of the backdoors, CTS Labs says it found in the manufacturer's chips. CTS claims that chipsets are shipping with exploitable manufacturer's backdoors, installed by Taiwan-based manufacturer ASMedia, a subsidiary of ASUSTeK. The backdoors would thus seem to be a supply chain issue.

Dave Bittner: [00:02:27:06] Motherboard observes that ASUSTeK settled a US Federal Trade Commission case in February when the FTC complained that ASUSTeK hadn't been properly attentive to hardware security flaws in its routers. CTS Labs apparently gave AMD just a day before going public with its disclosure; they've been criticized sharply for the short deadline. They've also been criticized for what some observers have seen as a disclosure that's longer on marketing than it is on technical detail. In fairness to CTS Labs, other researchers have since independently validated that the flaws they identified in the chipsets are indeed real.

Dave Bittner: [00:03:05:16] There is disagreement about how serious a risk they represent. Some agree with CTS Labs very dark and alarming assessment. Others think that assessment is overblown. The vulnerabilities are second-stage vulnerabilities, that is exploitable only by an attacker who had already obtained administrative access by some other means - phishing, perhaps.

Dave Bittner: [00:03:27:21] The European Union's GDPR regulations kick in this coming May and among the many groups it's sure to impact are online marketers. Ted Bardusch is CISO at, a company that helps provide business process automation. He joins us to help explain how data rich marketing will intersect with GDPR.

Ted Bardusch: [00:03:48:14] Data rich marketing is getting beyond just the old focus groups that people used to do and is taking advantage of the fact that with electronic and digital media, we have a far better idea of who and what people are, what they do, what their interests are, what their activities are. There's tension here, of course, is some people don't want us to know as much about them as we do, some people are very concerned about that. And Europe has led the way in addressing that with the General Data Protection Regulation that is providing a lot of guideposts on what we can legitimately keep track of and what we can't, and how we have to treat people's data, and what we have to do to assure the individual that we are handling things correctly.

Dave Bittner: [00:04:41:00] So, walk us through that. How do you strike that balance?

Ted Bardusch: [00:04:44:08] It's got to be something that's done with respect for an individual's data. I think if you approach it with the attitude that this data isn't your data, it's the person's data, then you're going to have a lot easier time figuring out what is the right or wrong thing to do. For example, don't keep track of someone's data from ten years ago if you haven't been in touch with them since. There's a pretty good chance they don't remember you, and they don't consider that they have a relationship with you, so keeping their data is a way of forcing a relationship they're not aware of. There's a pub in England that decided their approach to being GDPR compliant was they deleted their entire email list and tell everybody to just come look at their website, because they didn't want to get it wrong.

Dave Bittner: [00:05:29:15] I have to say, I suspect people are cynical when it comes to this sort of thing, because we're in an environment where I think we feel like so much data is being collected, and it often surfaces in what people describe as kind of creepy ways. You go shopping for something and then ads for that thing shows up later when you're browsing on the Internet. As someone who works in this space, what do you recommend for people to do this in a way that's going to earn back consumer's trust?

Ted Bardusch: [00:05:58:12] That's a very good question. I agree, and I get creeped out sometimes too, and I'm really careful. Where marketing is heading is to be able to do things that people who don't think about it are going to suddenly get hit with, wait a minute, how did you know I was looking for a car? Well, it could be that in your Google maps you went to a car dealer and then you were on the Internet and Google served you an ad that talked about that car brand. That's a legally legitimate thing to do, but it may creep somebody out. What we need to realize as people that are using a lot of this data is where people are going to think that's creepy, and where they're not. There are all sorts of theories being bandied that, oh, it's a generational gap or something else. But I think people are just creeped out by what's creepy.

Dave Bittner: [00:06:51:21] As we approach GDPR, do you suspect we're going to see a lot of people coming up short in being prepared for it?

Ted Bardusch: [00:06:59:24] Oh yeah, absolutely. [LAUGHS] I was just talking to a gentleman who is working out of England, and he said he just saw a statistic that 25 percent of small and medium sized businesses do not know what GDPR is in England. So yes, there will definitely be a large gap when we get to May 25th. I think a big thing that people are not keeping in their mind is that GDPR is more than just this. It's also the right to be forgotten, the right to inspect data, to correct data and export data, and those are things that previous privacy regulations and frameworks have not really addressed. I think a lot of companies are just not taking that into account when they think about how to be compliant. Those are things that we all have to respond to pretty quickly.

Dave Bittner: [00:07:56:23] That's Ted Bardusch from

Dave Bittner: [00:08:02:04] Security firm Proofpoint says BlackTDS, a traffic distribution system, is gaining significant black-market share. It's being sold in dark web markets for $6 per day. Longer subscriptions bring a discount: $45 for ten days, $90 per a month. Criminal clients post their malware and BlackTDS handles distribution. This is another instance in which a black market functions like a legitimate market.

Dave Bittner: [00:08:29:09] There's some new point-of-sale malware in circulation. Kroll Cyber Security describes PinkKite, a small, unusually persistent bit of point-of-sale malware. It's small size - less than 6K - is comparable to other point-of-sale malware like AbaddonPOS and Tiny POS. The small footprint helps it fly under the detection radar, yet it's big enough to have memory-scraping and data-validation tools.

Interviewer: [00:08:56:06] Kroll told the Kaspersky security conference this week that PinkKite differs from its competition in three main ways: built-in persistence mechanisms, hard-coded double XOR encryption, and a back-end infrastructure that uses clearing houses to handle exfiltrated paycard data. PinkKite's clearing houses were in Canada, the Netherlands, and South Korea. This had some efficiencies from a criminal point of view, as opposed to the more customary practice of reporting directly to a command-and-control server. But on the other hand it was a relatively noisy technique the researchers found helpful in their investigation.

Dave Bittner: [00:09:33:10] Many wondered whether the US Securities and Exchange Commission's recently clarified cybersecurity guidance actually had teeth. Apparently it does. Yesterday the SEC has brought insider trading charges against a former Equifax executive who dumped his company's stock after learning of its 2017 breach, but before that breach was publicly disclosed.

Dave Bittner: [00:09:55:10] The SEC alleges that Jun Ying, formerly CIO of one of Equifax's business units and in line to become the company's global CIO, concluded on the basis of confidential, non-public information - insider information - that Equifax had sustained a serious data breach. Indeed it had. Knowing about a breach isn't, of course, criminal, but exercising your vested Equifax stock options and selling the shares for nearly $1 million before public disclosure of the breach might well be. The SEC says that the alleged insider selling enable Ying to avoid more than $117,000 in losses.

Dave Bittner: [00:10:34:02] The US Attorney’s Office for the Northern District of Georgia yesterday announced parallel criminal charges against Ying.

Dave Bittner: [00:10:41:19] Turning to international tensions that will have significant cybersecurity implications, Moscow has taken a very hard line against British charges that Russia tried to assassinate a spy in the UK with nerve agent. Russian official representatives have demanded to see the evidence. They have called the attempted murder a provocation that is actually committed by British intelligence services or their allies, warned against any of the cyber retaliation the UK is said to be considering. And, chillingly, cautioned Britain against threatening a nuclear power. Britain's allies have generally been strongly supportive of Her Majesty's government's case against Russia.

Dave Bittner: [00:11:19:23] Many of those allies are particularly condemning the weapon used to put Sergei Skripal and his daughter Yulia into critical condition.

Dave Bittner: [00:11:27:07] NATO Secretary, General Jens Stoltenberg today called the attack unacceptable, saying nerve agents have no place in the civilized world. He also connected the attempted assassination to Russian policy. "The attack in Salisbury has taken place against the backdrop of a reckless pattern of Russian behavior over many years."

Dave Bittner: [00:11:48:06] The UK has requested an emergency meeting of the United Nations Security Council.

Dave Bittner: [00:11:53:16] US Ambassador to the UN, Nikki Haley, denounced Russia for the attack in the strongest possible terms, indicating that the UK can count upon US support in the Security Council and probably beyond.

Dave Bittner: [00:12:05:16] Some form of heightened cyber conflict can be expected, as both sides to the dispute possess considerable operational capabilities in cyberspace.

Dave Bittner: [00:12:16:01] And finally, this morning the US Treasury Department announced a new round of sanctions against Russia as reprisal for both election influence operations and cyber attacks, specifically the NotPetya campaign that spread from targets in Ukraine to a large number of victims elsewhere, especially in Western Europe, but also in North America. Particularly targeted are individuals and institutions named in the Justice Department indictments, like the notorious Internet Research Agency, the St Petersburg troll farm. But also affected are some of the wealthy oligarchs who constitute mainstays of President Putin's rule.

Dave Bittner: [00:12:57:08] As our sponsors at E8 Security can tell you, there's no topic more talked about in the security space than artificial intelligence. Unless, maybe, it's machine learning. But it's not always easy to know what these could mean for you. So go to and see what AI and machine learning can do for your organization's security. In brief, it's not a panacea, not a cure-all, but rather an indispensable approach to getting the most out of your scarce, valuable and expensive human security analysts. Let the machines handle the vast amounts of data. If you need to scale your security capability, AI and machine learning are the technologies that can help you do that. So, visit and see how they can help you address your security challenges today. Follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:13:57:11] And joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks, and he also runs Unit 42, which is their threat intelligence group.

Dave Bittner: [00:14:06:08] Rick, welcome back. We have spoken a few times about the Cybersecurity Canon Project, which we agree with you all is an important way to help keep everybody safe out there. You all are coming up on a milestone here, what's going on?

Rick Howard: [00:14:18:14] Yes it's hard to believe, but we are coming up on five years of running this thing. I'm thrilled and excited, and can't believe it's taken that long. As you know, one of the reasons we started it was the fact that we are all busy people. And if you were to decide this year that you're going to read a book or two to get smart on some new cybersecurity thing, you might go over to Amazon and take a look at cybersecurity books. Well, Amazon will return some 1,500 tomes to choose from, so how do you choose which one's you're going to spend time with?

Rick Howard: [00:14:50:17] The Canon Project consists of 15 committee members. They're network defenders, they're CISOs, CIOs, CTOs, journalists, consultants, lawyers and general practitioners. They read the books, they write book reviews and they make the case that a particular book falls into one of three buckets: This is a must-read for all of us, not a must-read, but will have some interest for some of us, and do not bother, which I think is the most important category [LAUGHS] we have there, right? So, this is kind of a security service for the network defender community. So, let me ask you, are you a sports fan or a music fan? Or are you both?

Dave Bittner: [00:15:28:07] I would say, of the two, definitely more on the music side of things.

Rick Howard: [00:15:32:05] Alright, so what we've done is set up a project similar to the Rock and Roll Hall of Fame to cater to my host here. [LAUGHS] The committee members read the books and make their recommendations. If the book is a must-read, it goes on the candidate list. Every year the committee selects a handful from the candidate list to be placed into the hall of fame. Very similar to the Rock and Roll Hall of Fame. As of today, we have 76 books on the candidate list, and we've put about 19 into the hall of fame. Which gets me to the gala, there's a reason having this conversation.

Dave Bittner: [00:16:04:06] Right. Not just an announcement about the Cybersecurity Canon, but an invitation as well?

Rick Howard: [00:16:10:10] Exactly. So, on May 3rd, we are hosting the 5th Annual Gala Dinner Award Ceremony at the stunning Mandarin Oriental Hotel in Washington, DC. [LAUGHS] That was too much?

Dave Bittner: [00:16:23:11] You're quite the salesman, Rick. Go on, keep going.

Rick Howard: [00:16:27:18] We are inducting five new books from the candidate list into the hall of fame this year, and all the authors will be present to receive their award, so that's kind of cool. They come in, we get to meet them and things, right. Now, we modeled the gala after the Academy Awards, so I dress up in black tie, I just made my appointment to go down to the Men's Warehouse to get my tux, right. I hand out these very heavy statues to all the authors. So, local cyber luminaries and students from the tri-state area come to meet the authors. We have a great dinner, and they all come to support the Cybersecurity Canon Project. If anybody who's listening wants to come, they can find me on LinkedIn, and I will send them the invitation.

Dave Bittner: [00:17:07:14] Well, do you have a favorite this year? One of the books on the hall of fame list that really struck you as being important?

Rick Howard: [00:17:13:06] My favorite book on the hall of fame list is the book that got me into cybersecurity in the first place, way back in the late 1980s, and it's Cuckoo's Egg by Clifford Stoll. It's the first time we all realized that there was actually cyber espionage going on. And in that particular book, Mr Stoll tracks down Russian cyber spies that used East German hacker mercenaries to break into university systems, to break into government systems. Because, back then, there was no security, it was just strings and cans. That book reads like a novel and it's just fantastic, and it turned the corner for me and made me want to be a cyber security person.

Dave Bittner: [00:17:51:01] One of your recipients is Steven Levy, one of his books was on there. And from way back, one of my favorite books is Hackers: Heroes of the Computer Revolution. I devoured that book when I was, I guess in high school age. That really set my imagination going. So, yeah, these books, they can make a difference.

Rick Howard: [00:18:11:13] Hackers, that book is right now on my bed-stand in the queue next to read. That's a good choice.

Interviewer: [00:18:17:19] All right, Rick. Good talking to you, as always. Good luck with the event.

Rick Howard: [00:18:20:20] Thank you, sir.

Dave Bittner: [00:18:23:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit

Dave Bittner: [00:18:36:23] And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:18:45:15] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:18:55:16] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.