The CyberWire Daily Podcast 3.20.18
Ep 559 | 3.20.18

Power grid threats coming through the router. Cambridge Analytica and Facebook face tough questions.

Transcript

Dave Bittner: [00:00:00:15] If your thumbs have blisters from hitting the fast forward button when you come to the ads in our show, you should really check out our Patreon page where for ten dollars a month you can get a version of the CyberWire, it's ad free. patreon.com/thecyberwire.

Dave Bittner: [00:00:17:18] ICS experts continue to warn of grid vulnerability to hacking. AMD chip flaws are called real but not very serious.

Dave Bittner: [00:00:25:18] Cambridge Analytica's under investigation in the UK. Facebook tries without much success so far to disentangle itself from Cambridge Analytica's use of Facebook data.

Dave Bittner: [00:00:35:18] President Putin wins re-election amid accusations of voting fraud. Former French president Sarkozy is in police custody over Libyan campaign contributions. And the Libyans want their money back too.

Dave Bittner: [00:00:53:24] Now I'd like to share some words about our sponsor Cylance. You know you've got to keep your systems patched right? Patching is vital and WannaCry which hit systems that hadn't been patched against a known vulnerability, well that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room, if you went for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance endpoint security solutions will do exactly that. Fend the bad stuff off and do your patching quickly, but systematically. It's artificial intelligence, and it's a natural for security. Check out the Cylance blog, Another Day, Another Patch, at cylance.com. And we thank Cylance for sponsoring the CyberWire, that's cylance.com. For cyber security that predicts, prevents and protects.

Dave Bittner: [00:01:54:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, March 20th, 2018.

Dave Bittner: [00:02:03:15] ICS security experts take the occasion of US government warnings that Russian cyber operators are working against the US power grid, to reiterate their own warnings. Electrical generation and distribution systems remain dangerously vulnerable to attacks that could in the worst case, induce catastrophic failure.

Dave Bittner: [00:02:22:15] Cylance has determined that one of the ways attackers are getting access to utilities' networks, is through compromised Cisco routers. They call out the DragonFly Group as one of the threat actors involved with this particular attack vector. DragonFly is widely believed to be a Russian government group.

Dave Bittner: [00:02:41:18] There is an emerging consensus on the AMD chip vulnerabilities that CTS Labs reported last week. Other researchers have looked at them and concluded that while real, they don't really represent the sort of serious threats CTS said they did. Security firm Check Point, among the third parties who verified the vulnerabilities, is also among those who disagree with CTS Labs' hair-triggered, detailed redacted disclosure which Check Point calls "very irresponsible".

Dave Bittner: [00:03:11:11] Those who thought Fusion GPS might represent the nadir of political consulting, will be interested to see the further depths Cambridge Analytica is alleged by many media outlets to have plumbed. The London based firm is reported to have at least discussed using sparrows, honey-traps, to compromise political targets. It also obtained data on some 50 million Facebook users.

Dave Bittner: [00:03:35:23] Cambridge Analytica categorically denies accusations of blackmail, and improper use of data. Although the company does at the very least seem to have engaged in some really indiscreet woofing. Ukrainian women are the best at entrapping men, things like that. Cambridge Analytica also says it questioned its clients closely about the ethical and legal dimensions of the work that Cambridge Analytica was asked to undertake. To borrow from the exchange between Hotspur and Owen Glendower in Henry IV, Part 1, why sure you can question them, so can I. So can anyone. But when they answer, what will you do with their replies?

Dave Bittner: [00:04:15:10] Anyhow, give them the benefit of the doubt at least for the few remaining hours until the information commissioner's office gets a warrant to toss their place of business. But between the Steele dossier served up piping hot by Fusion GPS, and the amazingly sleazy operational notions reported in the Cambridge Analytica affair, there seem to be some remarkably creepy imaginations sloshing round in greater London. And those imaginations appear to have found an eager American market, because hey, if that don't fetch them, then I don't know Arkansas.

Dave Bittner: [00:04:48:17] Cambridge Analytica's connection with Facebook has been very bad for Facebook, whose stock price was hammered in the market yesterday. The social media giant has booted the London Analytics firm from its services. Facebook has insisted correctly, that the problem isn't a data breach. It's an issue they became aware of at least in part, as far back as 2015, and took some steps to distance themselves from. This isn't a trivial, verbal distinction. Were the incident a data breach, Facebook would have found itself subject to various disclosure rules.

Dave Bittner: [00:05:21:21] Observers agree that it wasn't a data breach, Facebook wasn't hacked. Nor were the data it held stolen or exposed in any of the usual ways. But most observers seem to think that what happened was worse than a simple breach, the data wasn't as Motherboard puts it, a bug but a feature. In its own defense, Facebook essentially said that Cambridge Analytica used data in ways it shouldn't. TechCrunch offered a useful gloss of the defense in the form of what it called a simplified timeline. First, Facebook deliberately allows developers to collect a bunch of data from users who authorize it plus a bunch of their friends. But developers have to promise they won't use it in certain ways. Second, shady people take advantage of this choice and collect as much data as possible for use off the Facebook network in ways Facebook can't predict or control.

Dave Bittner: [00:06:13:18] Third, Facebook fails to predict or control use of the data it released, and fails to protect users who never even knew their data had been released. As TechCrunch sums up at the end, Facebook monetized data customers gave it, and released that data on the honor system. Facebook has retained Stroz Friedberg auditors to help mop up issues surrounding data use. Facebook's CISO, Alex Stamos, rumored to be at loggerheads with colleagues over his push to investigate Russian trolling, will apparently not leave the company as many outlets had reported, but he has said that his role will change. He Tweeted, "I am currently spending more time exploring emerging security risks and working on election security." Stamos has been through an incident or two, he joined Facebook from Yahoo! in 2015. He departed Yahoo! over a proposed program to scan incoming email on behalf of government agencies.

Dave Bittner: [00:07:10:23] In addition to commercial government and educational institutions, cyber security supports a thriving non-profit sector. The Center for Cyber Safety and Education is one of those nonprofits, and Patrick Craven directs that organization.

Patrick Craven: [00:07:26:04] We're a non-profit that tries to work globally to teach people about how to be safe on the Internet. We do research on cyber security, the industry, as well as scholarships that we provide financial aid to young people who are trying to advance or enter into the career of information and cyber security. Those are our three big areas that we focus on.

Dave Bittner: [00:07:54:13] Let's talk some about the scholarships there. We have a lot of students who listen to our show. What sorts of opportunities do you have?

Patrick Craven: [00:08:01:02] We provide scholarships for information, cyber security. In a broad sense of those who are studying that we offer scholarships specifically for women, we offer them for undergrad, for graduates, for veterans. And we have a variety of different ways that we try to break it out and in just our seven years that we've been in existence we've, we've awarded over a million dollars in financial aid. We did nearly 200,000 last year. We're accepting applications right now for the 2018 one and that will be closing up over, in the next few weeks.

Dave Bittner: [00:08:38:00] You know we certainly hear about this, this skills gap and, and the number of open positions that are available. What part do you see your organization playing in, in helping to try to close that gap?

Patrick Craven: [00:08:50:13] Well it's interesting when you, when you bring up the gap, that is actually as I said, research is one of the things that we do. That was our research. We conduct the global information security workforce study every couple of years and we surveyed nearly 20,000 cyber security professionals in 170 countries. Far as we know it's the biggest study ever done on it and we look into those kinds of things. Salaries and trends. And those are one of the things that we've indicated and we did in the research was finding out what are hiring trends, where are people seeing their companies that they need to do? And that's where we are able to, to calculate out that over the next five years, there's going to be a shortage of about 1.8 million, is the number we came up with, of those in information and cyber security.

Patrick Craven: [00:09:41:01] So for, for, for the college audience, for the young people who have listened, even high school kids, here's a career that you definitely want to take a look at. You are talking 100 per cent employment, with really good salaries, it's, it's definitely something to consider. And so, we've got this gap and one of the things that we're trying to do is just encourage people, encourage young people, even, even us old people, you know, maybe a career change opportunity. To look into cyber security as a, as a field of study. And so we're, we're promoting it, but then we also do the scholarships as a way to help. We all know college is getting so expensive, coming out with, you know, hundreds of thousands of dollars in debt is not what we want to be doing. And so we are trying to do our part to, to help encourage people to study it and, and to be able to afford to enter the field.

Dave Bittner: [00:10:37:19] That's Patrick Craven from the Center for Cyber Safety and Education. One thing that caught our eye on their website is they have the rights to use Garfield the Cat in some of their educational programs. Check it out. You can learn more about their scholarship opportunities on their website.

Dave Bittner: [00:10:53:09] Presidents, ex-presidents and aspiring prime ministers have had a mixed week. President Putin is having a good week, winning a real squeaker of an election in which he brought home only about three quarters of the vote. Former French president Nicolas Sarkozy is in police custody. He is being questioned on suspicion of having accepted foreign money specifically around 50 million euros from late Libyan ruler Muammar Gaddafi in support of Sarkozy's 2007 campaign. This would violate at least two provisions of French election law. Accepting foreign support and exceeding spending limits. Fifty million in Libyan euros would have been more than twice the 2007 limit of 21 million euros. Gaddafi's son, and heir, has been demanding his money back, since 2011.

Dave Bittner: [00:11:42:20] In the UK, Labour leader Jeremy Corbyn is rumored to be in trouble with his own party. Labour's front bench is said to be fed up with their leader. Particularly over his tepid response to the nerve agent attacks in Salisbury that many feel made him look both reflexively anti-western and a reliable Russian stooge. His 'Lenin' cap has also aroused controversy, with Labour insisting it's not really a Lenin cap, and shouldn't be made to look more like a Lenin cap in news photos than it already does. But the need to offer even this defense has been accepted with ill grace. Besides, Russia's not really communist anymore. Let's get up to speed Mr Corbyn. If you'd like a change of headgear, this Baltimore company will happily send you a Red Sox cap.

Dave Bittner: [00:12:28:00] Finally we are shocked, shocked, to hear that President Putin's reelection may have been aided by ballot stuffing. Especially because ballot stuffing seemed in this case, hardly necessary. Even more unnecessary than Richard Nixon's itch to send burglars into the Watergate, as if he needed that to beat George McGovern. Still, if the Russians voted early and often, give Vladimir Vladimirovich credit for going that extra mile.

Dave Bittner: [00:12:57:09] And now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics, and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk, and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence. Validate it, prioritize it, and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect, your team works as a single cohesive unit, reinforced by a global community of peers. To register for a free ThreatConnect account, or learn more, visit threatconnect.com/free. That's threatconnect.com/free, to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:14:12:03] And joining me once again is Chris Poulin, he's the director of Connected Product Security at Booz Allen Hamilton. Chris welcome back. We wanted to touch today on some of the evolution of some of these bits of malware. Things like Mirai that were being used as botnets for things like DDoS but they're evolving now?

Chris Poulin: [00:14:31:22] That's right. In fact one of the variants that presumably uses some of the same source code as Mirai, and takes over control of consumer based IoT devices is now being used to mine crypto-currency. So a little bit of, well my take on it is we're seeing the threat actors actually trying different tactics to use the same tool. And it, it almost feels like way back in the 90's when there were viruses which would do something mischievous like, you know, put up a little message that says, you know, 'I love you' virus or there's one that said 'you're a big, dumb, stupid head' or something like that. It didn't do anything destructive but you could tell they were sort of testing what they could do with viruses but also presumably the infection rate.

Chris Poulin: [00:15:17:22] And so I think we're seeing the same thing with Mirai. Where it's sort of going from something that's a little bit more destructive with DDoS capability to something that's a little bit more lucrative on the financial side which is crypto-currency mining and so, you know, the question is, what's next for these kind of botnets? You know, so what's the end game? And, you know, I, I hate predictions, because they're usually wrong, and everybody feels compelled to give you them. But, you know, I can see that if we look to the past to inform the future, it's quite possible that Mirai or one of its descendants will start to attack more enterprise connected devices, so go for things that have higher power and maybe use those for crypto-mining. In fact there was an interesting article, I don't know if you saw it. There were people who own Teslas who are putting crypto-mining rigs in the trunks of their car and then using the power of the supercharger stations to mine it. Because it takes an enormous amount of energy, so.

Dave Bittner: [00:16:17:06] No I hadn't seen the electricity angle on that but that's fascinating and, and sadly unsurprising.

Chris Poulin: [00:16:22:20] [LAUGHS] Yeah. Well you know it, it annoys me because I'm a, I'm a Tesla owner and so that basically erodes my ability to, to use a resource that I've already paid for, so. But I think that, you know, when you start looking at enterprises, they've got access to a lot more electrical power. Presumably a lot of our computer power. So, I wouldn't be surprised if Mirai or something similar was to start to attack enterprises and also cloud computing environments. You know particularly when you combine recent AWS configuration vulnerabilities that we've seen, where the users have not properly locked down their AWS instances.

Dave Bittner: [00:17:02:00] You know something you and I have touched on before when it comes to these devices and, and the botnets taking advantage of them, is how quite often the operators of the devices, the owners of the devices don't know that the device is doing this dual duty, you know, a camera's still taking pictures while it's doing its DDoSing or its cryptomining. It strikes me as a bit surprising that in the cryptomining case that these folks tend to overstay their welcome. They, they try to use up all of the processing power rather than staying below the radar and, you know, sort of dialing in a lower amount of use, that perhaps wouldn't be noticed.

Chris Poulin: [00:17:41:06] Yes well, I think that works on the consumer side because if you think about it most consumers don't know why things don't work half the time. And, you know, when it all power out and then the systems come back and they, they work again, until they get re-infected. Because a lot of these things are not persistent because they're IoT devices. It depends. And so I think that it would not work in an enterprise environment because there is hopefully, there's more people that are actual security admins who are looking at this stuff through things like SIEMs, et cetera, et cetera. So as long as you've got proper logging and event management and you've got eyeballs on screen or at least some good analytics, that will raise alerts. Presumably using up all the computer power would be pretty obvious and not to the attacker's long term benefit.

Dave Bittner: [00:18:29:06] Chris Poulin as always, thanks for joining us.

Chris Poulin: [00:18:32:08] Thank you.

Dave Bittner: [00:18:35:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:18:57:01] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe. Where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.