The CyberWire Daily Podcast 5.25.18
Ep 607 | 5.25.18

VPNFilter takedown. Low-cost Android phones with preloaded adware. Alexa's selective attention. BMW patches connected cars. Cryptocurrency crimes. New swatting charges. GDPR is here.


Dave Bittner: [00:00:03:11] The FBI takedown of VPNFilter may have averted a major state-directed campaign. But the story is still developing. Some discount Android phones come with preloaded software. Amazon's Echo echoed a little too much. BMW patches some potentially serious vulnerabilities in its connected cars. Cryptocurrency exchanges are hit by a double-spending crook. The US Justice Department investigates crypto exchange price manipulation. New charges have been filed in the December Kansas swatting death. And GDPR is now with us. Let the lawsuits begin.

Dave Bittner: [00:00:45:06] Now a moment to tell you about our sponsor ThreatConnect. ThreatConnect will be an exhibitor at the upcoming Gartner Security and Risk Management Conference being held at National Harbor, beginning June 4th. Adam Vincent ThreatConnect's CEO will lead a discussion on architecting for speed. Building a modern cyber service oriented architecture. This session will focus on cyber service oriented architecture. A modern service enabled security stack, communications plan and an analysis layer.

Dave Bittner: [00:01:14:22] Position to support critical security decisions at speed. Vincent will be joined by members of the JPMorgan Chase Security Team.

Dave Bittner: [00:01:23:06] ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels built on the ThreatConnect platform and the products provide adaptability as your organization changes and grows. The pioneer and Threat Intelligence platforms ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions.

Dave Bittner: [00:01:44:17] With ThreatConnect your team works as a single cohesive unit, reinforced by a global community of peers. Visit ThreatConnect at Booth Number 227 at Gartner Security and Risk Management. That's Booth 227. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:10:16] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 25th, 2018.

Dave Bittner: [00:02:22:15] The US FBI is generally being credited with having placed a significant impediment in front of a VPNFilter attack. Widely regarded as the work of Fancy Bear, Russia's military intelligence service, GRU, which goes by other names as well, including Sofacy and APT28. VPNFilter appeared poised for a major campaign against Ukraine. The two suspected triggering events - tomorrow's Futbol Champions league match in Kiev (Real Madrid versus Liverpool) and Ukraine's Constitution Day (June 28) - remain in the future, so we'll see how well the Bureau did. But, so far, bravo FBI.

Dave Bittner: [00:03:03:24] Should such an attack materialize, it's unlikely to be easily contained within Ukraine. The country has been patient zero for other attacks that have gone global notably NotPetya, also widely regarded as made-in-Russia. VPNFilter is regarded as capable of accomplishing the usual things a botnet can do, so the case will bear watching.

Dave Bittner: [00:03:26:05] Security firm Avast warns that it's found a number of discount Android phones that shipped from factory to customer with malware already installed in their firmware. It's adware, and it's called "Cosiloon". It's the work of a criminal group that was uncovered in 2016 by researchers at the security company Dr. Webb. They're back in or still in business. It's the same Cosiloon code, unchanged since it first appeared.

Dave Bittner: [00:03:53:04] According to Avast, this time around the affected phones are from manufacturers including ZTE, Archos and myPhone. The majority of the infected devices aren't according to Avast, certified by Google, which is pursuing various mitigations and talking to the firmware vendors.

Dave Bittner: [00:04:10:22] Most of the problematic phones are in Russia, Italy, Germany and the UK, with some in the US as well. This case is interesting because the infection point seems so far to be unidentified. Someone, however, has clearly managed to compromise a supply chain.

Dave Bittner: [00:04:27:07] Amazon acknowledges that Alexa's Echo was reporting ambient conversations to third party contacts. The company is working on a fix. Here's Amazon's account of what happened as they explained it to WIRED. "Echo woke up due to a word in a background conversation sounding like 'Alexa'. Then the subsequent conversation was heard as a 'send message request' at which point Alexa said out loud "To whom"? At which point the background conversation was interpreted as a name in the customer's contact list. Alexa then asked aloud 'Contact Name', right? Alexa then interpreted background conversation as 'right". What's the lesson? We're building AI along the lines of a selectively attentive teenager. We hope that teenager grows up to be ok. You parents out there will understand and we'll leave Google's Eric Schmidt to argue over AI with Elon Musk about whether AI will be a force for good or for bad. Probably both. But then we're just betting on form because we know people. Not any special people just people in general. We kind of like Alexa. When our editors hear Alexa read the daily summary the editor finds himself convinced of the accuracy of our copy by the conviction with which Alexa reads it.

Dave Bittner: [00:05:50:15] BMW has patched fourteen bugs in its connected car models. They were discovered and disclosed by Tencent's Keen Security Lab. Some of them could have affected control systems. The attacks surfaces include according to Tencent, GSM Communication, BMW Remote Service, BMW Connected Drive Service, UDS Remote Diagnosis. NGTP protocol and Bluetooth Protocol. It's possible to work through these individually or in various combinations to reach some vehicles CAN bus, the Controller Area Network, and that's the serious part.

Dave Bittner: [00:06:27:09] No thinking person would regard inability to use Bluetooth to tell the car radio to tune into Howard Stern as a serious vulnerability, it might even be regarded as a feature, Baba-Booey. But, when you've got the CAN bus you're close to having pwned the car. With the CAN bus compromised it's possible in some models to interfere with steering brakes, accelerator and other controls, so this is more serious than changing radio stations or turning on the windshield wipers.

Dave Bittner: [00:06:57:15] A hacker so far unidentified, has for the past week been hitting Bitcoin exchanges with a "double spend" campaign. As the attack type's name implies, he, she or they were spending the same BitcoinGold coins twice, pulling in about $18 million in the cryptocurrency.

Dave Bittner: [00:07:17:18] The immature and overheated cryptocurrency market has predictably spawned a great deal of fraud. The US Justice Department, working with the Commodity Futures Trading Commission, has opened a wide ranging criminal probe of market manipulation. They're concentrating on such fraudulent practices as spoofing, placing bogus orders to goose prices, pump-and-dump schemes and so forth. There's enough here to keep justice busy and happy for a good long investigatory run. Good hunting, counselors.

Dave Bittner: [00:07:48:03] And finally, GDPR is in effect today with it's expected worldwide implications. Microsoft, for example, is going to treat essentially everyone in the world as if they're covered by the regulation. And, right on cue, the first legal complaints of GDPR violations have been filed. One long term Facebook critic has entered a complaint that Facebook and other platforms, take it or leave it, Hobson's choice approach to obtaining consent amounts to improper coercion. How GDPR will affect people and enterprises generally remains to be seen. The advocacy group Privacy International has begun its own investigation of what it characterizes as shadowy, non-customer facing data companies that accumulate large quantities of personal information.

Dave Bittner: [00:08:38:15] And now a bit about our sponsors at VMware. They're Trust Network for Workspace One can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate.

Dave Bittner: [00:08:52:22] A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMware’s white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at see what Workspace ONE can do for your enterprise security. And we thank VMware for sponsoring our show.

Dave Bittner: [00:09:36:16] Then joining me once again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, welcome back.

Joe Carrigan: [00:09:42:24] Hi Dave.

Dave Bittner: [00:09:43:09] So had an article come by, this was one BleepingComputer and the article was "Malware found in the firmware of 141 low cost Android devices".

Joe Carrigan: [00:09:54:01] Yeah.

Dave Bittner: [00:09:54:16] I wanted to use this sort of as a launching point, a discussion about mobile device security and wade into the waters of iOS versus Android. Now, I am on the iOS and you are on the Android side and I think one thing that leaves us iOS people scratching our heads is that when we see all these security stories about Android we wonder are you guys nuts for using Android devices. But, there are plenty of good reasons for using Android, but I wanted to touch on the security side. How do you approach it, obviously security is important to you. Knowing what you know, how do you make sure that your Android device doesn't have these problems?

Joe Carrigan: [00:10:39:24] Okay, so first off I will say that Apple does a very good job of security. A lot of staff at the institute use Apple for just that reason. They have always taken security very seriously. Google also take security pretty seriously as well. The difference here is that Apple is a very locked in and proprietary system where they maintain a lot of control over their hardware and their software, not only their software but everybody's else's software that goes in there and Android is a lot less so. It's more of an open development platform, the operating system is actually open source. So anybody can install it if they want. That is not the case with Apple.

Joe Carrigan: [00:11:17:13] So from a security standpoint, particularly with this article here, you're looking at these low cost manufacturers, it comes back to the-- nobody knows where this is getting installed, they don't know where in the supply chain it's coming into the phones, that's because these supply chains are not well managed as other major manufacturers. Now, if what's missing from the list are major manufacturers like Motorolo, Samsung, HTC, LG, they're not on the list. So, most of our listeners probably don't need to worry about it. But, if you're looking at a low cost Android device, yes chances are you're running a risk there.

Dave Bittner: [00:11:52:16] On the iOS side, there are no low cost iOS devices.

Joe Carrigan: [00:11:56:09] That's exactly right. That's exactly right, but you know, and maybe perhaps you could say on the Android side there are no secure low cost options for Android.

Dave Bittner: [00:12:06:07] What about just general App hygiene. I mean since you don't have to go through Google's walled garden you can side load Apps, is this something you avoid?

Joe Carrigan: [00:12:13:10] Yes, you should not do that. But, again, because the operating system is a little more open you have the capability of doing that. It's like having a swimming pool, you know it's one of the most dangerous things you can do to your house but you can just walk out back and take a swim any time you want.

Dave Bittner: [00:12:28:09] It's the only recreational activity where you have a full time person standing by to make sure you don't die.

Joe Carrigan: [00:12:33:07] Right. I will say this though, my next Android phone will be the Google device. And I'm going to do my best to stick with those Google devices because they're in more control over the environment than say, a third party developer like Samsung, LG or HTC is.

Dave Bittner: [00:12:49:19] So you're going to get those updates more quickly from Google?

Joe Carrigan: [00:12:53:08] And you're going to have less of a configuration management problem. Like, for example, when the Stagefright vulnerability came out Samsung had no idea and I had a Samsung phone at the time. Samsung was really lagging behind because they had five or six different models of the phone that they supported across four or five different carriers. Well, that's a real problem for them. But, Google doesn't have that, Google makes one model of the phone, one or two models because they have two different technologies for cellphone networks and they support those. It's the same thing that Apple does with the iPhone. They have one or two models and then they will end of life them which you have to do with these phones for security reasons.

Dave Bittner: [00:13:31:19] Right, so they're not orphaned out there?

Joe Carrigan: [00:13:33:06] Correct.

Dave Bittner: [00:13:33:18] All right, good information as always, Joe, are we still friends?

Joe Carrigan: [00:13:36:17] Yes, of course.

Dave Bittner: [00:13:37:00] All right, terrific. Thanks for coming Joe.

Joe Carrigan: [00:13:39:20] It's my pleasure.

Dave Bittner: [00:13:40:12] Good talking to you.

Dave Bittner: [00:13:45:09] And now a few words from our sponsor Cybric. We all heard the important and welcome themes coming out of RSA this year, on resiliency and collaboration. This is underscored of course by the steady stream of innovations we see coming out of the cyber security industry. But, what does all this really mean for IT security and development teams day to day. Join Mike Brown retired Rear Admiral in the US Navy and former director, Cybersecurity Coordination for DHS and DOD for a lively discussion on the industries current direction. The type of collaboration that yields immediate results to teams and the criticality of protecting application infrastructure.

Dave Bittner: [00:14:23:19] This insightful webinar is taking place on Wednesday Jun 20th at 1.00 p.m. Eastern time. So be sure to register at and tune in on the 20th. That's cybric, And we thank Cybric for sponsoring our show.

Dave Bittner: [00:14:53:20] My guest today is Mischel Kwon she's the founder and CEO of MKACyber and she has more than thirty-five years of experience in IT and security. Mischel served as the deputy director for IT Security staff at the United States Department of Justice where she built the first justice security operation center JSOC to monitor and defend the DOJ network against cyber threats. Mischel previous served as Vice President of Public Sector Security for RSA Security and as the director for the United States Computer Emergency Readiness Team. That's US CERT. I asked her where she thinks we stand today when it comes to security operation centers or SOCs?

Mischel Kwon: [00:15:35:02] I think we're in a unique position. I think we have had a lot of over the past, we can almost say twenty years, but more recently even five years, we've had a lot of scary things happen. And, I think a lot of our SOCs are being driven by scary things. Because some of the attacks that we have had or most of the attacks are kind of hard to understand from a technical aspect and definitely hard to understand how to detect them, we've created this culture of a hero. I would say a highly technical person who detects something and understands it and therefore we put a lot of trust into that hero and we allow that hero to run our SOC.

Mischel Kwon: [00:16:26:12] What we've realized as of late is that may not be the best solution. Though we need that hero to do the detection that hero may not know the business, that hero may not be good at running a little mini business which, you know, SOC or any organization is a little mini business. We need to move to a place where we understand what's happening, how we're spending our money, if we're doing it efficiently, and if we're approaching the problem methodically. Not just the things that interest the analysts, but the things that need to be done.

Mischel Kwon: [00:17:08:07] So, I think what's happened is in SOC is a lot of SOC's fail because of lack of business organization. And, lack of an ability to manage. You hear a lot of people befuddled with how do I come up with SOC metrics. Well, you can only come up with SOC metrics if you have a process and you gather statistics from that process, so that you can measure. That is sorely lacking in most SOC's today because we allow an organic process, because we're afraid to manage the smart people. We're beginning to realize the smart people like us to be more organized and they like it when they have more money and more tools. So, if we can come to some kind of a good arrangement where we have a good SOC process we have the data that the analysts actually need.

Mischel Kwon: [00:18:04:11] We organize it in a good way, we document our processes and make the things we find repeatable so that other people can monitor the repeatable things and the smart people can continue hunting and finding new things. Then we've made everybody happy. We've made the smart people happy and we can measure and improve and report out how well we're doing things. That's really important and I'm really happy that we're moving to this place in SOC. And part of what drives us to this new place is many people are moving towards a managed service solution because the other is just too difficult to articulate the benefit and the cost. Whereas moving to a NSSP model the onus is on the NSSP to then articulate its worth.

Dave Bittner: [00:19:04:16] Do you think it's a matter of people perhaps not knowing the right questions to ask when they're out there shopping around?

Mischel Kwon: [00:19:11:19] Oh, absolutely. We see a lot of questions around SLA's and around buzz words without a lot of understanding. A lot of companies don't understand what their threat model is and what types of attacks they should be looking to have detected and I think those two pieces are critical and important when shopping for an outsource SOC.

Mischel Kwon: [00:19:36:15] I also think it's important to understand what your security architecture looks like, what your assets are, your high value targets. Understanding, something about what you are and what you're made of and what could possibly be attacked. And articulating that to the vendor so that they can then articulate back, how they can detect and help you and what their capability would be based on the data you would give them. I don't think that's where the discussion is today. I think the discussion is still back on Tier1, Tier2, Tier3 twenty four by seven, how many bodies. And, that's not the same discussion as, "I have this problem how do you solve it?"

Mischel Kwon: [00:20:24:03] We're still pretty far apart in those discussions and I think that's where we're going to see a lot of growth in the next coming years is looking at how do you articulate your needs from a SOC. And then, how does that outsource SOC meet that need.

Dave Bittner: [00:20:41:10] I want to switch gears a little bit and discuss your career. You've been in the business for a while now in IT and Cybersecurity. I'm curious what your views are on diversity, having come up through the business a while ago. Where do you see you're standing today when it comes to making sure that we have the diversity that we need?

Mischel Kwon: [00:21:07:05] We're a long way from there. Having just come back from the RSA conference and watching the sea of white male faces coming out of the conference doors, we're a long way from there. And I think it's important to look at the situation because it's really hard to get good broad answers when everyone looks the same. It's really easy to have conversation when everyone is the same and thinks alike can have the same belief structures and brings the same way of thinking to the table. The conversations are easy. When the conversations are hard is when we get a better result.

Dave Bittner: [00:21:50:06] There's a natural tension there though because it makes sense that human nature would be to shy away from having those hard discussions?

Mischel Kwon: [00:21:58:05] Absolutely, and human nature makes us pick people like we are. And human nature gives us unconscious bias. And, we have to move to being aware of that. We have to put things in place that allow us to push back on that unconscious bias and that's hard because you know it's unconscious we're not thinking about it. So, putting some safeguards in place so that we think more broadly it's a hard thing to do. We really have to move in those directions.

Mischel Kwon: [00:22:31:09] We do it at our company in our hiring process. We have it wrapped into our corporate docs for our C Level and our board, we have to interview at least one person in diversity when filling those positions. And that seems so simple and it seems so light, but in the end it's great, we have a very diverse board and a very diverse C Level. That's critically important. We do what we call anonymous hiring. We take every piece of information that would tell us anything about the person's race, religion, sex, out of the resume so that when we hire people we are at least going through the first few screening steps not knowing anything about the person's diversity.

Mischel Kwon: [00:23:17:24] We have found that that has created a very diverse workforce and it allowed us to put away unconscious bias and hire people based on technical competency. And, it's been hard for some managers. We've had actually some senior managers leave us not wanting to hire that way. And that's okay. In accepting diversity we accept those challenges because it brings us a better workforce.

Dave Bittner: [00:23:45:02] That's Mischel Kwon from MKACyber.

Dave Bittner: [00:23:52:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence visit and Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:24:11:14] And thanks to our supporting sponsor VMWare creators of WorkSpace One Intelligence. Learn more at The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:24:29:21] Our show is produced by Pratt Street Media with Editor John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.