The CyberWire Daily Podcast 3.16.18
Ep 557 | 3.16.18
NATO-Russian cyber tensions high. They're also high between Saudi Arabia and Iran. Updates on AMD vulnerability report. Another exposed AWS S3 bucket?

Dave Bittner: [00:00:00:24] Thanks to everyone who's shown their support for the CyberWire by being a Patreon supporter. You can check it out at

Dave Bittner: [00:00:12:13] NATO condemns Russia for the chemical attack in England. The US sanctions Russia for NotPetya and election meddling and warns of Russian preparations for an attack against US infrastructure.

Dave Bittner: [00:00:23:15] Chinese cyber operations support that country's claims to the South China Sea. Iran shows increased cyber espionage activity. Observers fear a return of the Triton/Trisis ICS malware. Another unsecured AWS bucket may have been found, and my conversation with Rico Chandra from Arktis Radiation Detectors on protecting our nation from nuclear attacks.

Dave Bittner: [00:00:52:12] Time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:02:17] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, March 16th, 2018.

Dave Bittner: [00:02:12:10] NATO has placed itself firmly behind the UK in its nerve agent dispute with Russia, which ought to give nuclear-armed Russia some Article 5 pause. TASS is authorized to state that sources have told it that NATO won't invoke its Article 5 collective defense clause, presumably because the chemical attack in Salisbury was too small, and too ambiguous. The official Russian line has been that the attack wasn't its doing in any case, and besides, traitors deserve to get what's coming to them anyway.

Dave Bittner: [00:02:43:07] The US Administration also issued sanctions yesterday in reprisal for both NotPetya and the 2016 election meddling.

Dave Bittner: [00:02:51:11] Sanctions or not, Russia is unlikely to knuckle under quietly, and US authorities expect attacks in cyberspace. Yesterday the FBI and Department of Homeland Security contributed analysis that resulted in US-CERT issuing a Joint Technical Alert, warning of Russian government intrusion into US government and energy sector networks. The prospecting of the energy sector is particularly disturbing, as it includes apparent preparations for industrial control system attacks.

Dave Bittner: [00:03:21:03] The alert warns, "DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems." It goes back at least to 2016, US-CERT says, and it's an ongoing campaign.

Dave Bittner: [00:03:57:00] So what would happen in the event of a full-blown cyber conflict between the US and Russia? If you ask FireEye CEO Kevin Mandia, he would tell you, Russia would win. That's what he said yesterday in an interview on CNBC's Closing Bell. He said, "the reality is if all of Russia's cyber weapons went against us and all of our cyber weapons went against Russia, they would win." Part of his reason for saying this is heavy American dependence on the Internet. The US has a big attack surface.

Dave Bittner: [00:04:27:23] Mandia's company is calling out the Chinese threat as well this week. US engineering, defense, and maritime companies tied to US operations in the disputed waters of the South China Sea are being hit by Chinese hackers. FireEye thinks the attackers are controlled and directed by the Chinese government.

Dave Bittner: [00:04:46:11] The Financial Times has a long piece on the way in which a number of other nation states are looking to Russian cyber operations as a model to be emulated. Citing research by security firms FireEye, CrowdStrike, Glasswall Solutions and Kroll, the report indicates that countries like North Korea, India, and Pakistan are noting the success Russia's had and are considering following the same path. In North Korea's case, of course, that country is well down that path.

Dave Bittner: [00:05:15:01] Iran shows continued activity in spearphishing targets in Asia and the Middle East. The threat group Temp.Zagros, more often known as MuddyWater, no connection to the similarly named hedge investment firm, has stepped up its distribution of malicious Word documents. Palo Alto Networks, FireEye, and Trend Micro are all tracking the group.

Dave Bittner: [00:05:37:15] Observers are warning the industrial control system malware Triton or Trisis may be ready for a comeback. It was used last August against petrochemical targets in Saudi Arabia. The campaign, which was extensively analyzed by ICS security firm Dragos and others, was disturbing in the way it went after safety systems. People fear that, were it to be used again in an improved form, it might succeed in having deadly effect. Saudi Arabia is currently in a heightened state of tension with regional and religious rival Iran. Saudi's Crown Prince Mohammad bin Salman, this week compared Iran's supreme leader, Ayatollah Ali Khamenei, to Adolf Hitler, and he meant that as the strongest possible condemnation. He also said that Saudi Arabia would swiftly acquire its own nuclear weapons should Iran do so.

Dave Bittner: [00:06:29:02] CTS Labs, who discovered vulnerabilities in AMD chipsets that may or may not be serious, has issued a clarification to answer growing objections to their hair-trigger disclosure. That's the disclosure that got to AMD the day before it went out to the general public. CTS defends its different flavor of responsible disclosure as better for everyone: disclose the vulnerability to vendors and everyone else at the same time, but also impede criminal reverse engineering by redacting technical details. The downside to this, of course, is that it also impedes legitimate researchers from assessing whether the vulnerability disclosed is real, let alone serious. CTS admits it erred in not lining up some independent verification in advance, but hopes to do better in the future.

Dave Bittner: [00:07:16:22] The other issue involves the appearance that the disclosure was connected with short-selling AMD stock. In its white paper describing its findings, CTS offered a disclaimer many observers have read with raised eyebrows. They said they may have, “either directly or indirectly, an economic interest in the performance of the securities" mentioned in the report. That is, in AMD.

Dave Bittner: [00:07:42:14] Coincidentally or not, a short-selling investment firm, Viceroy Research Group, essentially simultaneously released an analysis of AMD's value explicitly based on CTS Labs' report. It reckoned the value of AMD at zero, and predicted the company's quick shipwreck in Chapter 11. This suggests that Linus Torvalds may have been on to something when he dismissed CTS Labs' report as short-selling, not research. The incident recalls to several observers the 2016 incident in which security researchers at MedSec coordinated disclosure of vulnerabilities in St Jude Medical devices with Muddy Waters' short-sellers.

Dave Bittner: [00:08:22:14] Gamers take note. Hackers are getting into Fortnite registered accounts and using them to make fraudulent purchases. Fortnite, which now rivals Minecraft in popularity for online gamers, of course offers in-game purchases. Credential-stuffing attackers are gaining access to gamers' registered accounts and making fraudulent purchases.

Dave Bittner: [00:08:43:19] Kromtech, one of the security companies that looks for unsecured Amazon S3 buckets, says it's found another one. 1.3 million customers of Walmart partner Limoges Jewelry may have had their personal information exposed in an openly accessible database.

Dave Bittner: [00:09:01:12] Finally, to return to the concerns about Russian cyber attacks, it's not just NATO that's on the qui vive against Russian cyber operations. Relatively neutral Sweden is devoting serious thought and resources to defending itself against Russian ambitions, both kinetic and cyber. They are, after all, just a short hop across the Baltic, and, as ABBA has known since 1982, something's going on.

Dave Bittner: [00:09:41:16] And now a message from our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics. You can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining. For a guide to the reality and some insights into how these technologies can help you, go to and download E8's free white paper on the topic. It's a nuanced look at technologies that have both future promise and present pay-off in terms of security.

Dave Bittner: [00:10:26:20] When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at E8 Security, follow the behavior, find the threat. And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:49:15] And joining me once again is Johannes Ullrich, he's from the SANS Technology Institute, he's also host of the ISC's Stormcast podcast. Johannes welcome back. We wanted to talk today about credential stuffing, particularly how to prevent it. What do you have to share with us?

Johannes Ullrich: [00:11:06:02] Credential stuffing really sort of has become a big topic in the last year or so. The problem that really sort of emerged is that so many credentials were stolen. It's pretty easy for an attacker to find a username/password combination that a user used across different sites and then these credentials are used sort of in these automated scripts, just like the good, old password brute forcing. And even if it's not a credential, it's often just things that you're using for password resets and even to set up an account. So a lot of organizations for example have problems if users already have an account set up with you, now they're trying to establish online access. What questions are you going to ask them to sort of authenticate them? And that's where credential stuffing comes into play quite often.

Dave Bittner: [00:12:00:21] So take us through that. I mean, what, what questions should they be asking?

Johannes Ullrich: [00:12:05:00] Well, now, first of all, they should be asking questions that are typically not known to other sites, something that's very specific to your site. In addition to this, there is really no good way around some kind of offline confirmation. So, if let's say someone has an account with your company and is all of a sudden setting up online access, it's not really too much to ask to then send them a good old mail, postal mail, with like an activation code that they can then use to activate that online account. Given all the information that's out there right now, there is no real good way to prevent this.

Johannes Ullrich: [00:12:47:19] Now, as far as just the passwords go, Troy Hunt, he sort of collected a lot of passwords that were leaked over the last few years and he made that list public. So what you probably should do is download that list, and he sort of published it as SHA-1 hashes, and try to check if users are using these passwords, that are using onto your site. Now, if you did the right thing and you hashed your passwords with something other than SHA-1, then this may not be so straightforward, but the next time the user logs in, or the user changes or sets up a new password, then you can check: is that password on that list of leaked passwords? And warn the user, and suggest that the user uses a different password.

Dave Bittner: [00:13:35:16] Alright, as always good advice. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:13:43:00] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 per cent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve.

Dave Bittner: [00:14:14:10] Comodo doesn't settle for 99 per cent, and neither should you. They put those 3,000 daily problems into a lightweight, kernel level container where the malware's rendered useless. With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo you can say with confidence, I got 99 problems, but malware ain't one. Go to to learn more and get a free demo of their platform. That's And we thank Comodo for sponsoring our show.

Dave Bittner: [00:15:02:09] My guest today is Rico Chandra. He's the CEO of Arktis Radiation Detectors, a company that specializes in nuclear detection. He joins us to describe the types of nuclear threats the world faces and the intersection of cyber security, the industrial IoT and physical security.

Rico Chandra: [00:15:20:17] To make it clear, the US is currently one of the best protected countries in the world and most of the western world is fairly well protected against radiological and nuclear threats. A large effort was put in shortly after 9/11 to equip our borders of, you know, the land borders, Canada and Mexico, and the sea ports where the container ships arrive. All of those ports of entries are equipped with so-called radiation portal monitors that detect if there is a, a radiological threat in any of the cargo coming in, and most, most of the cargo that, that arrives in the US actually does pass through one of these radiation portal monitors. That said, you know there's no such thing as 100 percent security and our adversaries are getting better connected, having, you know, access to all sorts of new technologies and means, and so we need to improve our security to keep our borders safe.

Dave Bittner: [00:16:23:06] And so in the process of doing that, to connecting those systems together, you have to be careful about some of the cyber security vulnerabilities that may be the result of that?

Rico Chandra: [00:16:33:06] Exactly, and, and that's really where I believe the world has evolved since 9/11. If there were ever to be another attack on the scale of 9/11, be it against, you know, the US or a European country, it's not inconceivable that it would be a, a physical attack combined with a cyber attack. Whereas ten, twenty years ago, that was not really a concern that you'd have this pairing of, of a cyber attack together with say a radiological attack or, or with conventional explosives attack or, you know, the sort of acts of terrorism that, that we hear about in the news and are concerned about.

Dave Bittner: [00:17:15:10] So can you take us through what are some of the challenges and some of the techniques that you all use to protect these systems? Which I suppose you could, you could say these are mission critical devices.

Rico Chandra: [00:17:24:24] These are mission critical devices. And one of the things that's been changing over the, the last couple of years is the customer, in our case customers, or typically governments. It's not like they didn't want to have cyber security on their devices in the past. Cyber security has always been, you know, something that, that's been considered. But the difference is today procurements are set up that way that, you know, the, the systems are from the base up, their design needs to incorporate cyber security measures. Whereas in the past that was more of an after-thought, oh yeah, and then try to cyber harden what you have. Whereas now it's part of the original specifications, it's part of the original design and it's designed to be cyber secure.

Dave Bittner: [00:18:18:22] I, I guess one of the things that I'm not clear about is what the odds are of, of these sorts of things actually making it through. And, and does it matter? Is it one of those things where you, you know, it's such a big threat if something did come through. But even though it's unlikely, you still need to protect against it.

Rico Chandra: [00:18:34:11] Essentially there's three categories of threats. The first is materials that could be used to manufacture a nuclear weapon or a nuclear weapon itself. So we're talking the so called special nuclear materials, highly enriched uranium, plutonium, stuff where you can build a nuclear bomb, or an actual nuclear bomb. So that's the first threat. The second threat is strong radioactive sources that could be used to construct what's called a radiological dispersal device, or, you know, a dirty bomb for example. And that's very different from a nuclear weapon. It doesn't cause a huge bang. It, you know, it, it typically it's, you know, used with conventional explosives and it doesn't lead to many more casualties than a conventional explosive, but it does contaminate the area where it's detonated and, and that causes a lot of disruption to society and the economy because you need to evacuate. And there's distrust of the public and authorities and all that. So that's a second category of threats, very different.

Rico Chandra: [00:19:45:00] And then a third thing that is increasingly becoming relevant is there's just a whole bunch of consumer goods and industry goods that are contaminated for one reason or another by radioactive materials. And we just don't want them in our supply chain. We don't want steel coming in that's radioactive. We don't want food coming in that's radioactive. So that's more of a public safety than a security concern. So you ask how relevant are these threats? And how likely are they to get through? So the first one, the one of, of nuclear weapons, if you look at geopolitics today it's very, it's very, very relevant. We're discussing, you know, some, some of our adversaries have intra-continental ballistic missiles, but what's the point of having missile defense if you can just, in principle, put a nuclear weapon into a freight container and ship it directly to the address where you want to. So, that's highly relevant.

Rico Chandra: [00:20:47:00] On the radiological, dirty bomb scenario, we as a society and especially the agencies concerned with protecting against these threats, have quite a reason to be proud of the fact that no attacks have taken place using dirty bombs. Because many terrorist organizations would have the capability and the intention to carry out such attacks. The fact that they haven't is a very good sign. And then the, you know, the public safety aspect, where just, you know, when we buy braces for your daughter, we automatically assume that the steel that goes in there is not radioactive, and we want it to stay that way.

Rico Chandra: [00:21:26:16] In general, we're getting better and better at detecting stuff. It's not always possible to detect everything. You know, you can shorten configurations of nuclear materials if shielded the right way, become very difficult to detect. But the fact that we're constantly increasing detection performance of the hardware and the software to detect these threats, that has quite a bit of deterrence value. Because if, you know, say you're a nefarious actor and you want to smuggle something into the United States, now you need to organize yourself, you need to figure out which border crossings you have the best chances of getting in to, to research. How do you shield whatever material you have to prevent detection or to try to minimize the risk of detection? This creates a lot of chatter, you know, these organizations need to, need to coordinate and need to inform themselves.

Rico Chandra: [00:22:22:18] Nuclear detection isn't isolated. It's like in a whole context of security. So if you have these many layers of security, not just at the US border, but also internationally, you're really increasing the likelihood that our intelligence organizations will pick up on these groups as they try to organize and inform themselves and as they try to inform themselves about how to best slip through. So, more of a holistic approach where different measures fit together to provide protection.

Dave Bittner: [00:22:54:04] That's Rico Chandra from Arktis Radiation Detectors.

Dave Bittner: [00:23:00:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:23:22:16] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.