The CyberWire Daily Podcast 7.3.18
Ep 633 | 7.3.18

Hybrid warfare. Inveterate DDoS against ProtonMail. Security concerns about Chinese companies. Retail breaches. Agencies scrutinize Facebook data abuse. Infrasound weapons?

Transcript

Dave Bittner: [00:00:00] Hey, everybody. A quick reminder that if you haven't already done so, you should sign up for our daily cyber email news brief. It includes links to all the stories we cover here on the podcast and dozens of other links that we just don't have time to cover here. So to get that complete daily rundown of everything you need to know about in cybersecurity, check out the CyberWire daily news brief. It's at thecyberwire.com.

Dave Bittner: [00:00:26] Ukraine warns of hybrid warfare during U.N. meetings, ProtonMail DDoS continues, security concerns surrounding ZTE, Huawei and China Mobile, retail data breaches. A quiz app's backup data is accessed by unauthorized parties. The FBI, FTC and SEC sift through Facebook's answers to questions for the record. And a strange set of symptoms among diplomats in China arouses suspicion of infrasound weapons.

Dave Bittner: [00:01:05] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.

Dave Bittner: [00:01:58] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 3, 2018. Ukraine takes the occasion of a counterterrorist officials meeting at the U.N. to outline its experience of Russian hybrid warfare, especially information operations and the use of nominally irregular and thus deniable forces on the ground. Ukraine has been particularly affected by direct Russian cyberattack, notably the two takedowns of portions of its power grid and the large NotPetya infestations. It's noteworthy that the country's counterterror officials should choose to single out propaganda and disinformation, to give this style of information operations its traditional name, for particular mention.

Dave Bittner: [00:02:49] ProtonMail says that the distributed denial of service attacks it sustained continue and that users may experience periodic outages. The privacy-friendly service was hit last week by the Apophis group, a collection of hacktivist skids who've exchanged hard words with ProtonMail over that attack and others. They've told Bleeping Computer that they resented ProtonMail's CTO calling them clowns on Twitter. The outages that continue suggest an unusual inveteracy of the attackers. Neither the lulz nor hurt feelings would seem to be adequate motivation, but who at this point knows? In any case, ProtonMail is taking the usual measures to ward off the jamming.

Dave Bittner: [00:03:32] Sentiment against entanglement with Huawei continues to run through Australian opinion. Fears there, as in the U.S. and elsewhere, center on the company's alleged closeness with Chinese intelligence and security services. There may be other concerns as well. South Korean media note reports by CVE Details that Huawei devices may suffer from an uncomfortably large number of security issues. But disentangling a national telecommunications infrastructure from a large low-cost device provider is no trivial matter. China is, of course, a significant trading partner. And as reaction to U.S. sanctions against ZTE demonstrates, it's not a one-way street. Chinese companies depend upon their international trading partners as well. Huawei does have its defenders in Australia and elsewhere. One such is in the U.S. where United Telecom, a wireless telecommunications provider based in Kansas, says that it would have to suspend service if a proposed FCC ban on the Chinese company's devices were to proceed.

Dave Bittner: [00:04:40] The U.S. administration takes aim at another Chinese company. China Mobile has been denied a Section 214 license on security grounds. China Mobile is the world's largest mobile phone service, but its customers are mostly domestic Chinese users. It had been attempting to enter the U.S. market for the past seven years, but that door seems to have been firmly shut. According to the U.S. Department of Commerce, granting the carrier license to operate in the United States would pose, quote, "unacceptable national security and law enforcement risks," end quote.

Dave Bittner: [00:05:16] Typeform, whose widely used app delivers online quizzes businesses and government agencies use to make their sites stickier, has disclosed that it discovered a data breach last week, compromising first names, dates of birth, mobile numbers and email addresses entered by quiz takers. The company has been notifying its customers - the organizations who use their services, not the individuals who took the quizzes. And much information about the incident comes from those customers. It appears, according to The Register, that the information accessed was in a partial backup of Typeform's data.

Dave Bittner: [00:05:54] Enthusiasm for cloud services continues unabated. But for many organizations and particularly small businesses, it can be challenging to decide which services to move to the cloud and how quickly. Vince Arneja is with 5nine, a company that helps organizations with these transitions. And he offers his perspective.

Vince Arneja: [00:06:14] A lot of companies are currently dealing with the situation around whether they stay private cloud, do they go to hybrid cloud, do they move everything to public cloud. And I think the main thrust of it is around, where do you put the workloads? Where do you put the workloads that are sensitive? Where do you put the workloads that are more database-centric? That's really where a lot of enterprises whether they be small, medium or large are assessing their needs going forward.

Dave Bittner: [00:06:42] And what do you suppose the deciding factors for people should be as to where they place their various assets?

Vince Arneja: [00:06:48] So a lot of it has to do with, you know, the industry and the security regulations that the corporation is bound to. That obviously factors into their decisions around, do they go into an all-public cloud infrastructure? Or do they somehow balance it between private and public? And what sort of security posture they'd need to have in these computing environments - you know, obviously, the types of applications and workloads they're running. So what we're seeing is a lot of companies are betting on hybrid. They're basically betting on the fact that it's just like anything else. There's always a middle ground that ends up being what's typically utilized versus one extreme or another. And so hybrid seems to be that middle ground where a lot of companies are settling and obviously trying to figure out, you know, do I put my sensitive applications here? Do I put my databases here? How do I balance it? And so a lot of that's, you know, being discussed internally, I'm sure, with CIOs, CSOs, et cetera.

Dave Bittner: [00:07:49] And how much should - do they benefit from diversity, not putting all their eggs in one basket or, you know, spreading backups across various systems, that sort of thing?

Vince Arneja: [00:07:59] Yeah, absolutely. That's critical, right? You need to be multivendor. You need to be, in some regards, multicloud. You need to be multicloud-computing environment in order to spread around the applications, workloads, databases, et cetera. So a lot of companies that are larger in size can take that approach and, you know, manage the cost and manage the infrastructure. But a lot of the smaller companies that we talked to, for example, have a tough time with that, that sort of multipronged approach across these different cloud-computing environments.

Dave Bittner: [00:08:33] Now for those smaller companies, what typically is holding them back? Is it complexity or cost or a combination of the two?

Vince Arneja: [00:08:41] It's a combination of the two, plus if you factor in the unknown, right? A lot of these smaller companies just don't know enough in regards to the cloud-computing environments. And so they're risk averse because they're - whatever they have currently, even though it might be Band-Aided together, is working. And so do they want to really disrupt that? If so, what's the process involved? Typically, they're looking for a vendor to handhold them through the process because they just don't have the skill set, the comfort level, the knowledge, the time, you know, the resources. And so they're hamstrung in regards to that sort of notion of moving to hybrid.

Dave Bittner: [00:09:20] Now what's your advice to people who are looking to make that transition as easy as possible? What should their approach be?

Vince Arneja: [00:09:27] So, I mean, obviously, just like anything else, you want to start small. You want to assess, you know, the options around public cloud. You want to get a couple of workloads set up with your tenant in Azure, for example. You want to think about, you know, the simple workloads that aren't necessarily production or sensitive in nature, putting those out there. You know, possibly using technologies and tools from certain vendors that make it easier for you to do it all through a platform that allows for you to manage and secure that environment. I think - well, we've seen in my interaction with a lot of our customers - a lot of them six months ago were assessing Azure. And now they're actually moving workloads to Azure now that they've gotten more comfortable. And so it's one of those things where it takes a little time to do it, but you've got to put your toe in the water and, you know, start to do that over some time.

Dave Bittner: [00:10:24] That's Vince Arneja from 5nine.

Dave Bittner: [00:10:28] Adidas continues to investigate customer-data exposure. It's not alone. Fortnum & Mason, purveyors of luxury goods, has sustained a breach said to affect more than 20,000 customers, and a third-party recruiting service, PageUp, used by British hospitality company Whitbread, may have lost applicants' data.

Dave Bittner: [00:10:51] U.S. federal law enforcement and regulatory agencies are closely reading Facebook's long response to Congress on data abuse. This isn't merely picking over the bones of Cambridge Analytica but appears to be a set of serious independent inquiries by organizations with diverse roles, missions and responsibilities. The agencies looking are the FBI, as one would expect, but also the somewhat flintier Federal Trade Commission and Securities and Exchange Commission.

Dave Bittner: [00:11:20] Finally, there's a very odd case from China similar to events that have occurred over the years in other diplomatic stations. It's not strictly speaking a cybersecurity issue, but it does touch on intelligence and other forms of diplomatic security. U.S. consular personnel have been moved out of China after odd sounds and strange debilitation were reported. The symptoms are said to be neurological, similar in some respects to a concussion. And the reported sounds are described as simply abnormal but not extraordinarily loud, indeed, not even audible to normal human hearing. What to make of the event is uncertain. Explanations range from some sort of deliberate attack to malfunctioning surveillance equipment to shared delusion. But the symptoms are real enough whatever their origin for the State Department to take them seriously.

Dave Bittner: [00:12:13] U.S. and Canadian diplomats and their families experienced unusual symptoms in Cuba during 2017. Again, the cause was obscure, but there was inconclusive public speculation about some form of acoustic device. Symptoms included hearing loss, headaches, visual problems, difficulty with balance and sleep problems. Speculation at the time turned toward Russia. But again, nothing was definitively established at least publicly. Similar symptoms were reported in Tashkent by U.S. diplomatic and aid personnel accredited to Uzbekistan. The likeliest explanation would appear to be infrasound, low-frequency sound waves below the human hearing range. U.S. Secretary of State Pompeo has raised the matter with his Chinese counterparts during talks otherwise devoted to North Korean matters.

Dave Bittner: [00:13:09] I'd like to take a minute to tell you about an exciting CyberWire event, the 5th Annual Women in Cyber Security Reception, taking place October 18 at the International Spy Museum's new facility in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking. And it brings together leaders from the private sector, academia and government from across the region and women at varying points on the career spectrum. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.

Dave Bittner: [00:13:55] We're grateful to our sponsors Northrop Grumman, CenturyLink, Cylance, Accenture, Cooley, T. Rowe Price, VMware, Delta Risk, SecureStrux and Edwards Performance Systems. If your company is interested in supporting this important event, we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this event is invitation only. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you are interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you. We hope to see you there.

Dave Bittner: [00:14:57] And I'm pleased to be joined once again by Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. You and I have talked about the Cyber Threat Alliance before. You've got some updates for us. Why should the Cyber Threat Alliance be on folks' radar?

Rick Howard: [00:15:14] Yeah, it's - and you're right. We have talked about it in the past, OK. It's kind of an ISAC for security vendors. But it has really two key differences from the other ISACs in the world, all right? First is that you have to share to be part of the group, OK? In other ISACs, most people don't have the resources to share. So - but in this, you can't be part of the club - OK? - unless you share, and we measure it daily. And the second unique thing about it is that since we are security vendors, we already have the ability to update our own products with new intelligence. It happens with all the automation in the background. It's why you buy us, right?

Rick Howard: [00:15:51] But now that you get a bunch of vendors sharing intelligence with each other, we can send and get prevention controls deployed around the world in minutes to hours if you're using one of the products from the members of the alliance, all right. So it's a really interesting idea. Customers have been after us for years to get organized. Well, we finally got it going, and it's working. And the use case, though, that proves the point that this is something that should've been existing for years finally happened a couple of weeks ago. OK, the Cisco intelligence team, Talos, published an intelligence report on an adversary playbook called VPNFilter. Are you familiar with this?

Dave Bittner: [00:16:30] Oh, sure. We've reported on it.

Rick Howard: [00:16:31] Sure. So this active campaign compromised some 500,000 home routers. And it installed - the malware they installed had a brick option which allowed the attackers, if they wanted to, to destroy all those routers with just a push of the button. Now, Cisco had been working on this report for several months in secret and had been working with law enforcement to arrest the individuals involved - because Cisco was part of the Cyber Threat Alliance, Talos - the Talos analysts briefed the entire VPNFilter situation to the alliance members and provided details around the adversary playbook used way before they published it in public, right? And so all of the alliance members were able to get prevention controls in place before the information went public and the bad guys knew what we were talking about, OK.

Rick Howard: [00:17:18] And so this is why the Cyber Threat Alliance exists, to distribute those prevention controls around the world in a timely fashion - in this case, hours - to better protect our mutual customers, OK. And this is why - this is the plug here, right? - why network defenders should not buy equipment and services from vendors who are not in the alliance. There is no reason that a security vendor should not be part of this community to help our mutual customers. So here is the ask for your listeners. When security vendors visit and they try to sell them their wares, they should be asking them, why aren't they a member of the Cyber Threat Alliance? And better yet, if they are publishing a formal RFP to replace some security kit this year, make those vendors answer it in writing. Now, they can still choose them. I'm not trying to force them into choosing, all right. But they should make that vendor go through the pain, all right, 'cause...

(LAUGHTER)

Rick Howard: [00:18:07] ...They absolutely should be part of the Cyber Threat Alliance. And we want them in the club.

Dave Bittner: [00:18:11] All right. Well, it's a compelling pitch for sure. As always, Rick Howard, thanks for joining us.

Rick Howard: [00:18:15] (Laughter) Thank you, sir.

Dave Bittner: [00:18:22] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:50] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.