The CyberWire Daily Podcast 4.13.18
Ep 577 | 4.13.18

Operation Parliament seems to have got what it came for. EITest finally sinkholed. Facebook testimony on Capitol Hill. Estonia reports. Swatting case teaches nothing?


Dave Bittner: [00:00:00:12] A quick reminder that if you're attending the RSA conference this year, be sure to stop by in the North Hall to the Akamai booth, that's N3625, where I will be appearing daily, doing meet and greets and some interviews as well. And of course we thanks Akamai for making these appearances possible. That's Akamai, harnessing the cloud without losing control. Hope to see you there.

Dave Bittner: [00:00:23:17] Operation Parliament pretends to be nothing but a bunch of skids, but they're anything but. EITest gets taken down. Facebook this week faced questions about privacy and ideological bias. Most observers think these questions were largely ducked. Estonia's Annual Report on security is worth reading no matter where you live. And an accused swatter seems to have learned nothing from his experience.

Dave Bittner: [00:00:52:23] Time to share some words from our sponsor Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by Booth 3911 in the North Hall and meet up with their expert professional services staff. Or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the Digital Shadows Security Leaders Party. Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning, or ask about their industry leading research into threat actors who threaten our power grid. You can learn more about their presence at RSA by searching "join Cylance at RSA conference 2018". And we thank Cylance for sponsoring The CyberWire. That's "join Cylance at RSA conference 2018" and be sure to connect with the company that's making a difference in security. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:51:07] Major funding for The CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, lucky April 13th, 2018.

Dave Bittner: [00:02:04:19] Kaspersky describes "Operation Parliament," a wide-ranging cyberespionage campaign that, since early 2017, has cloaked its activities by pretending to be the Gaza Cybergang, a well-known and not well-respected group of skids. The actor behind Operation Parliament appears anything but unsophisticated. The malware it used is still under study, but it does not appear to have any obvious relationship with previously seen attack code. Targets were carefully verified before infection, and Kaspersky says the unidentified operators did "just enough to achieve their goals." Most of the organizations targeted were in the Middle East and North Africa, but infections extended to Europe, South Korea, and North America as well. The campaign has slowed since the beginning of 2018, suggesting the spies got what they came for.

Dave Bittner: [00:02:57:20] Proofpoint has successfully sinkholed what they call the oldest running infection chain: EITest. They say the campaign, active since 2011, seems to have been "purely criminal" as opposed to state directed. The large network of compromised servers it used, about 51,000, and its concealment of its command-and-control infrastructure behind a domain generation algorithm, made it unusually resistant to takedown. Proofpoint says that EITest passed "filtered, high-quality traffic to threat actors operating exploit kits and web-based social engineering schemes."

Dave Bittner: [00:03:35:12] Facebook's sessions before Congress are over, with House inquisitors getting higher marks from the media than did their Senate counterparts. Observers think that many of the Upper House members exhibited basic misconceptions about Facebook, social media, and, indeed, the Internet to question Facebook CEO Mark Zuckerberg closely.

Dave Bittner: [00:03:55:09] In the House things were different. He was asked tougher questions about ideological bias in content filtering, and he was also asked, by Representative Bobby Rush, a Democrat of Illinois, what the difference was between the way Facebook collects data and the way J. Edgar Hoover used to do it back when he was running the FBI. The difference, Mr. Zuckerberg explained, is that with Facebook you control the information. He said, "You put it there, you can take it down anytime. I know of no surveillance organization that gives people that option." A partisan of the late Mr. Hoover might have answered, no one told you to pick up that phone, or attend that church, or go to that rally. So there. It was, in fairness to Facebook, probably harder to get the FBI circa 1950 to destroy a dossier than it might be to get Facebook to delete your data. It should become easier to get those data deleted as Facebook brings itself into compliance with European data handling regulations, particularly the poignantly named "right to be forgotten."

Dave Bittner: [00:04:59:24] One of the tougher questions from the House concerned shadow profiles, information Facebook maintains on people who aren't Facebook users. Such profiles include information gleaned on them from third-parties who are Facebook users, and they can include, according to an account in Popular Mechanics, "all sorts of information that could be used to identify a given person, their name and phone number, email addresses, physical addresses, and so on." Mr. Zuckerberg dodged the question, professing no familiarity with shadow profiles, but the issue remains an open one.

Dave Bittner: [00:05:34:22] Mr. Zuckerberg answered questions about ideological bias with assurances that the 20,000 content moderators Facebook is hiring, working in partnership with the advanced artificial intelligence it's bringing on board, would restrict things like hate speech and terrorist messaging being in his words, things we would all agree on. In general the House members, particularly Republicans, notably Representatives Fred Upton of Michigan, Joe Barton of Texas, and Marsha Blackburn of Tennessee, were unconvinced, trotting out examples of people who were kicked off Facebook for, apparently, simply holding conservative views. These Mr. Zuckerberg explained as mistakes that Facebook either had corrected or would correct soon

Dave Bittner: [00:06:18:16] In general during the hearings Facebook was determined to represent itself as a technology firm and not a media company. A media company would be expected to be held accountable for its content, whereas a technology company would generally be thought of as a content-neutral conduit for users' communications. Mr. Zuckerberg did indicate that Facebook remained committed to its advertising-based revenue model, and that he expected to come under more regulation in the future. For a foreshadowing of what such regulation might look like, see GDPR.

Dave Bittner: [00:06:50:20] There will be a European court test for the social media giant soon. The Irish High Court has referred a case brought by an Austrian lawyer and privacy activist to the European Court of Justice. Max Schrems brought his case to the Irish Data Commissioner in 2013 because Facebook's European operations are headquartered in Dublin. He alleged that his data were being transferred to US authorities without his permission. It's expected that the European Court of Justice will rule on the matter in about 18 months.

Dave Bittner: [00:07:26:09] We are pleased to announce the fifth annual Women in Cybersecurity reception, which this year will be held at the new Spy Museum in Washington DC. The event is October 18, 2018, and once again will help leaders from the private sector, academia, and government from across the region and at varying points on the career spectrum connect with one another to strengthen relationships and build new ones. We've got sponsorships available, so to find out more about the event head to the We hope to see you there.

Dave Bittner: [00:08:02:05] Those interested in seeing how a small country punches far, far, above its weight in cyberspace will find the Estonian Internal Security Service's newly released Annual Report for 2017 good reading. The chapter "Defending the Constitutional Order" is particularly worth attention. It consists largely of a well-informed consideration of Russian influence operations, placing them in historical context and showing the disparate forms they've taken over the past year. If you thought Kremlin trolling was confined to what the Internet Research Agency did to Facebook from under its bridge on the Neva, think again.

Dave Bittner: [00:08:39:19] And finally, in an update to an unusually repellent and tragic criminal case, we see how online disinhibition isn't really even much affected by jail time. Tyler Barriss, 25, the Los Angeles man alleged to have made a bogus 911 "swatting" call that resulted in Wichita, Kansas, police shooting a man, has apparently tweeted boasts of his being an "eGod," and threats to swat social media interlocutors. He's done so from a misconfigured kiosk in the Kansas jail where he's being held pending trial. The kiosk is intended to let inmates make such minor purchases from the jail's commissary as they may need, but not to give them Internet access. The sheriff is on it, now, and so the world will no longer receive Mr. Barriss' philosophical musings. But that he thought those tweets worth sharing argues for a sad disconnection. The swatting incident Mr. Barriss is accused of involved a dispute among Call of Duty players. The man who was killed, Andrew Finch, age 28 and father of a small child, was completely uninvolved, innocent, and unarmed. It would seem that some people learn nothing, and that their ability to discern the difference between cyberspace, where one respawns after being killed, and reality, where one doesn't, is to say the least impaired. Mr. Barriss, of course, is entitled to the legal presumption of innocence. Mr. Finch, alas, can only be mourned.

Dave Bittner: [00:10:13:08] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at See what Workspace ONE can do for your enterprise security. And we thank VMware for sponsoring The CyberWire.

Dave Bittner: [00:11:12:07] And joining me once again is Dr Charles Clancy, he's the director of the Hulme Center for National Security and Technology at Virginia Tech. Dr Clancy, welcome back, you wanted to discuss today some vulnerabilities when it comes to LTE technology, what can you share today?

Dr Charles Clancy: [00:11:28:03] I wanted to share some recent research coming out of Purdue where they demonstrated a whole series of new attacks against LTE. Now, the majority of them are fairly minor, they aren't going to cause major new capabilities for an adversary that they don't already have, but one of the interesting things that the paper pointed out was that the paging channel used in LTE is not authenticated. Which has some interesting potential ramifications. So if you recall a few months ago there was the, the big emergency alert that went out in Hawaii, that threatened an incoming missile attack, which clearly got a lot of people concerned about, how our emergency alert systems work. In that case, it was human and policy error that caused that incorrect alert to be released. However, there are vulnerabilities in the telecommunication system that could lead to someone being able to maliciously spoof such a message.

Dr Charles Clancy: [00:12:24:12] An in particular the researchers from Purdue pointed out that the unauthenticated paging channel would allow a bad actor to locally cause cell phones in a particular region to potentially receive a malicious or faulty emergency alert that obviously could cause, cause disruption and confusion.

Dave Bittner: [00:12:43:12] Unpack this for us, so explain to me what is the paging channel? Is that separate from, is that a dedicated channel separate from other communications methods to your mobile device?

Dr Charles Clancy: [00:12:54:00] Exactly, so within the LTE protocol standard, there's a variety of different ways that your phone can talk to the tower. These are different channels that exist within the link between your phone and the eNodeB where the base station is, it's called. There are the standard channels that you would use for voice and data, as part of just using the cell phone network, but then there's also a variety of control channels that are used by the network to know where your phone is, be able to find your phone if someone calls you, things of that nature. So the paging channel is one of those control channels that's really used to try and just make sure, let's say for example, there's an incoming phone call and the network needs to know precisely which tower you're connected to, it can send out a paging message to try and find you. That same channel is also used to deliver things like Amber alerts and other sort of broadcast emergency alerts. And like I said that channel doesn't have any cryptographic protection which means that anyone can spoof a message in that band.

Dave Bittner: [00:13:53:10] So has there been any examples of that out in the wild or is this speculative so far?

Dr Charles Clancy: [00:14:00:03] Well, the researchers at Purdue demonstrated in a laboratory that it was possible. And as far as I know there hasn't been any actual over the air demonstrations of this as part of any kind of active hacker campaign. However, there's a lot of concern I think that that may happen. So obviously we're seeing hackers get more sophisticated when it comes to telephony orientated attacks, for example with the telephony denial of service attacks that will clog up 911 centers' inbound phone lines to prevent them to be able to respond to an emergency. You can imagine similar sorts of disruptions being possible through this, through this channel. So one of the things we're doing right now is pushing the 3GPP, which is the standards body for the cell phone ecosystem, to add authentication to that channel to prevent attacks like that from being effective in the future.

Dave Bittner: [00:14:52:08] Alright, interesting stuff, Dr Charles Clancy, thanks for joining us.

Dr Charles Clancy: [00:14:55:23] Thanks a lot.

Dave Bittner: [00:15:00:10] And now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyberoperators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure there's phishing and spear phishing, those can never be discounted, but here's a twist. Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a fishnet could catch, don't you think? Go to and check out their report on Energetic Dragonfly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. That's And we thank Cylance for sponsoring our show.

Dave Bittner: [00:16:05:12] And joining me once again is Dinah Davis, she heads up, she's also the director of R&D at Arctic Wolf Networks. Dinah, welcome back.

Dinah Davis: [00:16:15:22] Thank you, happy to be here.

Dave Bittner: [00:16:16:05] So, recently you attended InfoSec World and we just wanted to touch base about that, what your experience was like, what can you share with us?

Dinah Davis: [00:16:24:10] Yeah, it was really awesome. We were fortune enough to sponsor it from Code Like A Girl's perspective. We did that because they had a very low number of CFP applications to do their speaker series from women. And we wanted to encourage more women to attend the event so that maybe they would consider you know, applying to speak at it next year so they could up the ratio of session speakers. The other awesome part was that they had a 50-50 ratio of keynote speakers based on gender. And one of the most interesting talks actually was done by a dog, not literally a dog, but it was all about this dog that helped expose Jared the subway guy. So they have tried dogs to smell electronics. There's a compound in the chips that the dogs can smell, and what they do is they go in, after search warrants, and search the house again. And then the dogs are often able to find you know, tiny things like thumb drives and stuff that often have nefarious stuff on them or child pornography and things like that. And this dog had gone and helped find key evidence for the jury at the Subway case.

Dave Bittner: [00:17:07:17] [LAUGHS]

Dave Bittner: [00:17:48:23] Wow.

Dinah Davis: [00:17:49:23] Yeah, so that was really cool. And then they showed how the dog did their work and the dog was a female dog, so that was interesting too, that was, you know, more great.

Dave Bittner: [00:17:59:01] Did they count that as one of the women speakers in their stats? [LAUGHS]

Dinah Davis: [00:18:03:23] No.

Dave Bittner: [00:18:04:19] OK, good, good.

Dinah Davis: [00:18:06:20] It was actually her handler that was a speaker and he was a guy.

Dave Bittner: [00:18:10:05] Oh well.

Dinah Davis: [00:18:11:10] But that's OK, that's OK.

Dave Bittner: [00:18:12:23] Right, right. With a lot of the women that I speak with, they say that while things are getting better in the workplace that a lot of times these conferences are lagging behind in taking good care of women or being respectful and getting, you know, speakers lined up and things like that. What was your sense from InfoSec World? It sounds to me like they're making an effort. Having been there, do you feel like they're doing a good job?

Dinah Davis: [00:18:38:02] I do think that that conference is, is trying to do the best they possibly can. There was a good number of women attendees. I tweeted a lot, I live tweeted the event, and my favorite post was a picture of like, a table full of women in security watching the keynote speech, the opening keynote speech and it actually got the, was like the top trending tweet with the hashtag InfoSec World 2018 for most of the week. So that was a great top tweet. The other top tweet that I had that week was terrible. Basically, there's another video podcaster and their marketing material has pictures, silhouettes of pin up women on them. And there's a lot of people that defend it, well it kind of came out in the 80, 90s, it's like their signature and my opinion on that is you know like, I walk around and I see that t shirt and I see tons and tons and tons of people trying to get that t shirt and it's degrading and it doesn't make me feel comfortable as a professional. So that's not, InfoSec World is a conference really, I mean, that's one of their vendors that came, they don't have all that much control over that. They're trying to do the best they can, right?

Dinah Davis: [00:19:54:13] That was an interesting perspective to me just because we've always had that logo doesn't mean that it's still appropriate today. And they countered with, "Oh, yes, but we have one with men and women on it." But the woman was like a Playboy pin up and the guy was like a larger coder with a backwards cap on. And I'm like, that's not, that's not the same, people, that's not the same.

Dave Bittner: [00:20:14:08] [LAUGHS] Right, right.

Dinah Davis: [00:20:16:04] [LAUGHS] You're objectifying the woman and you're not objectifying the guy, that does not count.

Dave Bittner: [00:20:23:08] And there was a bit of a social media dust up about that, people coming at you from both sides, both supporting and challenging you.

Dinah Davis: [00:20:30:08] Yes for sure. So there was kind of these two tweets from the week, and one was like really awesome and there was still even people, one guy who responded to the table full of women, "Why is the top tweet at InfoSec World? Should it be about the technology?" And I'm like, well, yeah, I actually would like it to be about the technology too but this is so rare that apparently it's getting a top tweet to have a table full of women.

Dave Bittner: [00:20:52:09] The very fact that it stands out.

Dinah Davis: [00:20:54:05] Right, exactly. As soon as it doesn't stand out, it won't be the top tweet, it won't be the thing we're talking about. It's a lot of these small things, it's these you know, tiny little, thousand little cuts that the women at conferences see all the time and that's the stuff we have to start changing. We are looking at the speakers and how many speakers you have that like, what the gender ratio is there and conferences are getting better. It's not just up to conferences to make it welcoming for the women, it's also up to all the vendors that are there.

Dave Bittner: [00:21:24:09] Now did you have any dialog with those folks? I imagine you're standing there at their booth and you're looking at their materials and it raises your hackles, did you confront them there? How did you handle it?

Dinah Davis: [00:21:36:21] I didn't and I'll tell you why I didn't. Because they were just marketing people from that company. And, there was a lot of people at that booth and I didn't see how my conversation with them would get me anywhere at that particular booth. Right? This is their company's like, logo. The marketing people that are there aren't gonna be the ones that can make any kind of change and it just didn't seem like the right time. Now maybe I should have gone back later when it wasn't so busy and had a conversation, I can accept that, maybe that would have been a good thing to do. But I didn't think it would really influence any change.

Dave Bittner: [00:22:16:14] So looking back at the conference, what are your recommendations for women who might want to attend a conference like this, other conferences like RSA do you have any words of wisdom?

Dinah Davis: [00:22:26:21] I think InfoSec World is fantastic, I highly recommend going as a women in the field. I found that the ratio of women at the conference was quite high in comparison to other conferences I've been to, and a lot of their keynotes and panelists were women. So I found it to be a very inclusive conference. RSA, I am heading there next week. We all know they had a big gap at the beginning in early March where they had only one keynote speaker who was a woman and it was Monica Lewinsky, and while Monica Lewinsky is an expert in her field of cyber bullying, one speaker in their keynote series being a woman of like, you know, 10 or 12 keynotes is not appropriate. Now since then, they have actually done quite a good job at rectifying that. They have a few really amazing women speaking. One is a Homeland Security lady, one is the founder of Women Who Code, I am looking forward to that and I have signed up to go to all of those talks to see what they're like. They shouldn't have had to have you know, a big media backlash to include those women in their conference in the first place.

Dave Bittner: [00:23:43:10] Alright, Dinah Davis from Code Like A Girl and Arctic Wolf Networks. Thanks for joining us. Hopefully we'll cross paths next week at RSA.

Dinah Davis: [00:23:51:15] Yeah, that's exciting.

Dave Bittner: [00:23:54:21] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at

Dave Bittner: [00:24:16:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.