The CyberWire Daily Podcast 4.20.18
Ep 582 | 4.20.18

RSA wraps up. Staging offensive cyber operations. (Information ops, too.) Business email compromise affects maritime shipping sectors. Sanctions bite Chinese device giants.


Dave Bittner: [00:00:01:00] Thanks to everyone who's shown their support for The CyberWire by being a Patreon supporter. You can check it out at

Dave Bittner: [00:00:12:17] A look back at RSA, as the big security conference wraps up. Tension between Russia and the West continues to manifest itself in apparent staging attacks and information operations. ISIS in its diaspora returns to recruiting and inspiration. A business email compromise campaign afflicts the maritime shipping sector. Atlanta still struggles to recover from SamSam ransomware and sanctions drive Huawei from the US market; ZTE may soon follow.

Dave Bittner: [00:00:47:09] Time for a few words from our sponsor, Cylance. You've probably heard of next generation anti-malware protection and we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer because Cylance has published a guide for the perplexed. They call it Next-Generation Anti-Malware Testing For Dummies, but it's the same principle - clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques and the advantages of artificial intelligence, and why you should test for yourself, how to do the testing and what to do with whatever you find. That's right up my alley and it should be right up yours too. So check it out at Take a look at Next-Generation Anti-Malware Testing For Dummies. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:48:00] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, April 20th, 2018.

Dave Bittner: [00:01:57:23] The 2018 RSA Conference wraps up today. We're returning this afternoon to the City by the Bay, the Chesapeake Bay, as we head back to Baltimore, but we have some final notes on the conference before we leave San Francisco. One unpleasant note appeared on the final day. The mobile app offered to attendees has proved to be leaky. RSA tweeted a disclosure early this morning, "Our initial investigation shows that 114 first and last names of RSA Conference Mobile App users were improperly accessed. No other personal information was accessed, and we have every indication that the incident has been contained. We continue to take the matter seriously and monitor the situation."

Dave Bittner: [00:02:40:06] Russian information operations continue as Western nations brace for a round of hacking expected to emerge from Russian battlespace preparation and staging in cyberspace. Russia plans to allege, before the UN, that victims of a sarin nerve agent in Syria were bribed to falsely report the attack. The battlespace preparation consists, at least in part, of exploitation of vulnerabilities in the Smart Install tool found in widely used Cisco routers. The FBI's preliminary assessment of the risk focuses on the likelihood of espionage as the initial stage of any Russian operation, with the possibility of other offensive operations to follow. Cisco's Talos research unit estimates that some 168,000 systems could be affected.

Dave Bittner: [00:03:29:19] ISIS and its splinter groups appear to be resuming activities in cyberspace as the terrorist groups enter their diaspora phase. Their activities appear to be renewed marketing, inspiration and recruitment.

Dave Bittner: [00:03:41:19] Secureworks has described a Nigerian criminal operation, "Gold Galleon," that concentrates on stealing from maritime shipping firms and their customers. Their customary approach is business email compromise, a well-known form of social engineering in which a criminal impersonating an executive sends an email to an employee directing them to transfer funds to the criminal's account.

Dave Bittner: [00:04:06:06] The US city of Atlanta continues its slow recovery from a crippling attack that hit municipal systems with SamSam ransomware on March 22nd. Direct costs of remediation are said to have amounted to $2.7 million so far. Some observers have pointed out that the ransom is believed to have amounted to only $51,000 but that's still not a good reason to pay the extortionists. There's no particular reason, any more, to think the criminals are likely to make good on their promise to restore your files, and there's also the general principle that one should avoid encouraging crooks.

Dave Bittner: [00:04:45:11] Chinese device manufacturer, ZTE, is being effectively excluded from the US market as the US Government imposes penalties for the company's circumvention of sanctions against North Korea, Iran, Sudan, and Cuba. ZTE is protesting, of course, what could amount to a business-killing decision.

Dave Bittner: [00:05:03:23] Sanctions against Huawei have moved the Chinese company toward a complete exit from the US market. The company says it intends to concentrate on European markets. The US beef with Huawei involved American suspicions that their equipment was insecure and that there was too much risk of Huawei devices being exploited by China's intelligence services. It's an anecdotal observation, but at least one of our stringers was struck by how untrafficked and under-staffed the large Huawei booth at RSA was this year.

Dave Bittner: [00:05:40:14] Now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at See what Workspace ONE can do for your enterprise security. We thank VMware for sponsoring the CyberWire.

Dave Bittner: [00:06:39:07] Joining me once again is Dave Dufour. He's the Vice President of Engineering and Cyber Security at Webroot. Dave, we are here at an undisclosed location at RSA. Welcome back.

Dave Dufour: [00:06:49:09] Thanks for having me and it is undisclosed and it was kinda sketchy getting here but we made it.

Dave Bittner: [00:06:55:02] We did, we made it safe and sound. So let's decompress a little bit. Today it is Thursday, as we record this, the last day of RSA. Looking back, a good show for you? What was your takeaway from this year's show?

Dave Dufour: [00:07:07:02] One of my first takeaways was the matching outfits that marketing made us wear were a hit, very popular with the green shoes we have. So thumbs up to that.

Dave Bittner: [00:07:18:08] Very important.

Dave Dufour: [00:07:19:17] But from a pure cyber security play, honestly, I think it was a little toned down this year compared to other years. I don't know that anyone really landed on a specific topic to talk about. We saw a lot of interest in threat intelligence once again. I think, over the last four or five years there were a lot of people that ramped up, realized it was hard and kind of backed away. So we had a lot of discussion there. My old drum that I beat about AI not being ML - I had some really good discussions with folks there. I think people are getting machine learning and understanding it's harder than you think and that you've really got to commit to it. And people are understanding, as it matures, what questions to ask. So I think the consumer is getting smarter about security and machine learning as well.

Dave Bittner: [00:08:07:13] Do you think we're seeing an overall maturation of the industry?

Dave Dufour: [00:08:15:21] I wonder, are we peaking? Are we going to see some shift? Because maybe this is getting a little bit tired, there's a lot of fatigue, I think. Everybody's always like, we can't find people that watch our SOC. We can't find good security professionals. So one thing on that point, I believe people are wanting us to start as an industry, for lack of a better description, Apple-fy some of these solutions because they're so technical and so many of us engineers build them that regular folks either don't care enough, or can't possibly use them. And, as an industry, we need to start driving towards that or we're gonna lose people.

Dave Bittner: [00:08:55:12] So it could be a differentiator for folks to really pay attention to that interface design.

Dave Dufour: [00:09:00:01] That's exactly right and understand your customer because you can't be all things to all people. If you're trying to protect people from pointed attacks, maybe a country nation state, or somebody really trying to penetrate you, and you have a solution for that, don't try to sell it down market to somebody who just wants to protect their office computers and then send out invoices at the end of the month to make some money and run their business. You've really got to understand your customer.

Dave Bittner: [00:09:27:04] Is there anything in particular that you hope they take away from this year's show and any words of wisdom?

Dave Dufour: [00:09:36:02] Yeah, actually. I would point back to people are getting smarter about the tech speak and stuff like that. Hopefully they're walking away with more intelligent questions to ask of vendors or products that maybe they have, and they're able to pay attention and cut through the noise and really get to what's important, rather than being excited about some shiny new object.

Dave Bittner: [00:10:01:16] David Dufour, as always, thanks for joining us.

Dave Dufour: [00:10:04:11] Thanks for having me.

Dave Bittner: [00:10:11:08] Now some notes from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Ever wonder how they get in? Sure, there's phishing and spear phishing, those can never be discounted, but here's a twist - Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear and commercial facilities, water, aviation and manufacturing sectors.

Dave Bittner: [00:10:44:03] That's a bigger haul than a phish net could catch don't you think? Go to and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. You'll find it interesting and edifying. We thank Cylance for sponsoring our show.

Dave Bittner: [00:11:15:11] Joining me now is John Petrik, our CyberWire editor. John, welcome back as we look back at this week here at RSA. What are your thoughts? What's your overall take on the show?

John Petrik: [00:11:26:19] It was an interesting show, as it always is. I was struck this year by a somewhat more relaxed tone to the show than what I saw last year. Last year I remember being struck by the number of people that were shoving and throwing elbows and thinking that was an almost palpable tension on the floor. I didn't see that this year - there seemed to be a calmer, less concerned atmosphere. As far as the content of the show itself, there were a lot more barkers - the exhibit hall sounded a lot more like a carnival midway than I've heard them in the past. The giveaways have changed - socks are now a thing. If you need socks the exhibitors are prepared to give them to you.

John Petrik: [00:12:06:15] Those are some of the things we see on the floor. I think the most interesting big presentation was the presentation by Secretary Nielsen of the US Department of Homeland Security. It's clear that, as the senior administration official speaking at the world's major security conference, she was the one who was delivering the message that the US has offensive cyber capabilities and is prepared to retaliate against a nation state cyberattack. Now obviously, DHS is not going to be the agency that's going to do the counter attacking but that was a clear marker being laid down for a new deterrence regime.

Dave Bittner: [00:12:45:13] In terms of messages from vendors, evolution of tools, that sort of thing, was this an evolutionary year? I don't really think I saw anything revolutionary out there.

John Petrik: [00:12:57:16] No, nor did I. I did see some interesting signs of people being concerned about directly addressing some of the threats that the sector has faced over the past year. There was considerable attention to distributed denial of service attacks, for example, and how you manage those. That was new. There was the familiar emphasis on the importance of basic hygiene, that the zero days may get the press and all of the scare stuff, but the actual attacks are typically carried out using known vulnerabilities against unpatched systems. They're being carried out through social engineering. They're being carried out using very well understood ways that organizations can prepare themselves to parry. So there was a lot of talk of that. There was an interesting emphasis on the part of some of the vendors on a specific kind of training, specifically war gaming and exercises of that kind.

John Petrik: [00:13:51:24] I had a chance to talk with Chad Gray at Booz Allen Hamilton about that. That is now a major part of what they offer their clients and it's used as both a planning tool and an appropriation tool. Also interestingly enough, they see it used as a training tool and even a tool for vetting prospective employees. So that was an interesting development. There was a lot of attention given to the private-sector Cyber Geneva Convention, where some 34 tech companies were led, for the most part, by Microsoft, and Microsoft has been banging the drums for a long time for some sort of international norms to govern conduct in cyberspace. So, anyway, you've got 34 companies that have signed on to agree that they will not conduct offensive cyber operations on behalf of any nation state. If you look at the list of the companies that signed on for that, I don't think any of them would have been in that business anyway. I didn't see any people who were developing attack tools or were likely to be major contractors for any government that was interested in conducting offensive operations. So, you might want to take that avowal with a grain of salt.

John Petrik: [00:15:01:11] Facebook was one of the signatories and there's perhaps a degree of irony there, since Facebook's data collection has been controversial, to say the least, over the past year. If they're serious about supporting the development of international norms I think that it's a good idea for companies to take the metaphor seriously. If you say you want a Geneva Convention for Cyberspace, think about what the actual Geneva Convention does. The Geneva Conventions do a number of things, but if your understanding of them, heck, anyone who's watched reruns of Hogan's Heroes has some rough appreciation of the Geneva Conventions. The Great Escape was on cable here in the hotel over the last two nights, so you had a chance to refresh yourself there, but one of the major things the Geneva Conventions have done is they establish certain norms for the protection of noncombatants, of people who are protected categories; prisoners of war for example.

John Petrik: [00:16:01:06] That's the Hogan's Heroes angle. But also civilians, different kinds of noncombatants. These people have a kind of status and there are rules of war designed to protect them. There are rules of war designed to protect certain kinds of infrastructure to, for example, discourage attacks against medical facilities, that kind of thing. And it would be worthwhile thinking through what you think the conventions would look like in cyberspace - what they should look like, how you'd like to see them evolve.

John Petrik: [00:16:33:06] It's clear, and we heard this at an after party for Recorded Future, an interesting session they held in which they had some experts talking about cyber warfare, cyber conflict. And the point they made, and I think they're correct in this, is that cyber conflict or cyber warfare isn't going to be conducted in a vacuum. It's not going to be a purely cyber conflict. That cyber tools are going to be used in fighting larger conflicts, just the way it is not usual to see a purely maritime war or a purely land war or purely air war. You don't see those.

John Petrik: [00:17:08:11] What you do see is you see these different domains being operated in by combatants, by contesting powers, and cyber's one of those. One of those speakers at that event was talking about how one of the most significant acts of cyber war that he had seen in the fight against ISIS was basically the use of intelligence collected through cyber means for targeting ISIS cyber operators. So that wasn't a case of hacking back, that was a case of finding them, identifying them and then attacking them with a drone-launched Hellfire missile. I think that those kinds of things are worth some thought, as people think about the extension of the rules of armed conflict in cyberspace.

Dave Bittner: [00:17:54:18] John Petrik, thanks for joining us. That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit, and thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:18:20:21] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.