The CyberWire Daily Podcast 7.9.18
Ep 636 | 7.9.18

Malware infections down during World Cup matches. UK-Russia tensions. Australian National University hacked. Data breach notes. Calls for cooperation. Tell it to the Marines.


Dave Bittner: [00:00:03] If your nation's team was playing a World Cup match, you probably weren't visiting dodgy websites. Concerns mount in the U.K. that Russia may be readying a long-expected attack on British infrastructure and holding it until the Cup is decided. The Australian National University is hacked in an apparent espionage attempt. Data breaches at Timehop domain factory and Macy's. Russia calls for international cooperation. And the Marines say it wasn't them on that dating app.

Dave Bittner: [00:00:37] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to, and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:44] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 9, 2018. Enigma software has found that malware infections are off about 20 percent in countries on the days in which their teams are playing in the World Cup. The biggest game day drop in malware infection was observed in Uruguay, which saw a falloff of slightly more than 41 percent. Other drop-offs in this particular leaderboard were Croatia, down 29 percent, Mexico, 23 percent, Sweden narrowly nosing out Belgium, with both countries just shy of 22 percent, France ahead of Colombia, both just above 19 percent, Switzerland and Spain, coming in slightly over 18 percent, Germany and Brazil, just below 18 percent, and England at 17 percent. There's been one exception to the trend - Russia.

Dave Bittner: [00:02:41] The countries hosting the games is the outlier with infection rates actually rising almost 6 percent on match days. These are - we stress - game day drops presumably due to people going offline to watch the matches - probably in pubs, sports, bars, the dens of friends and so on. The World Cup continues to provide plenty of phish bait for malicious links, attachments and so on. Enigma has tracked rising and falling infection rates against significant outside events for some time. And their findings are interesting. Rates, for example, tend to spike during holiday shopping seasons. Think Black Friday and Cyber Monday. And they tend to drop during penitential religious seasons, like Lent, where observant users of the internet are less likely to go online.

Dave Bittner: [00:03:29] There is some concern in the U.K. that a long-expected Russian cyber campaign directed against British infrastructure is only on hold during the World Cup and that it will be executed once the games are over. Tensions between the two countries rose over the weekend, as the first known death in the Salisbury nerve agent attacks occurred - Dawn Sturgess, a bystander who was probably an accidental victim and not a target of the attack at all. The U.K. has opened a murder investigation. Denial of involvement in the sad affair will continue to figure in Russian official and deniable propaganda.

Dave Bittner: [00:04:06] The Australian National University reported sustaining an attack on its networks last week. The Sydney Morning Herald says that Australian federal officials have confirmed both that the university's network was compromised and that the attack was mounted from China. The goal would appear to be espionage, but the story is still developing.

Dave Bittner: [00:04:26] Timehop, which resurfaces posts from social media accounts, disclosed Saturday that it had sustained a breach that compromised personal data of 21 million users. Roughly a fifth of those users had associated a phone number with their account. The attackers appear to have accessed Timehop's environment through an admin account not protected by multifactor authentication. Timehop has deactivated all authorization tokens provided by other social networking sites. And users who wish to continue to use the service will have to reauthenticate each social media account to the Timehop app. Many observers in the security industry have been pointing to the incident as a cautionary tale on two counts - first what an attacker can do if they get privileged credentials, and second the importance of using multifactor authentication.

Dave Bittner: [00:05:17] DomainFactory, a large web-hosting firm based in Germany, disclosed at the end of last week that it had sustained a data breach. Heise Online reported Saturday that an attacker who seems to have been interested in getting some sort of unspecified help collecting money he says an unnamed individual - not DomainFactor - owes him. The data exposed are consequential. They include customer names, physical and mailing addresses, telephone numbers, passwords, bank account information and Schufa credit scores. The hacker began talking about his activities on a DomainFactory support forum, where he was initially regarded as nothing more than a pest interested in drawing attention to himself. Unfortunately, he turned out to have the goods. To prove that he'd accessed the hosting company's data, he posted samples online. Investigation and recovery are in progress.

Dave Bittner: [00:06:13] Macy's e-commerce platform has also sustained a data breach. The Detroit Free Press has reported that the retailer is warning customers that it detected suspicious log-in activity on June 11 and that after investigating the department store concluded that an unauthorized third party had, since late April, been using valid usernames and passwords to access customers' accounts. Macy's is blocking the accounts it's determined to have been affected until customers can securely re-establish them.

Dave Bittner: [00:06:44] As expected and scheduled, the Reserve Bank of India will no longer provide services to cryptocurrency exchanges. This will have the effect of forcing cryptocurrency transactions into cash channels. Russia's President Putin called Friday for closer international cooperation on cybersecurity. Addressing a cyber conference in Moscow, Mr. Putin said, quote, "cyber threats have reached such a scale that they could only be neutralized by combined efforts of the entire international community. We have repeatedly seen that some nations' egoism, their attempts to act squarely to their own advantages, hurt the global information stability." Mr. Putin demurely left the egotistical nations unspecified.

Dave Bittner: [00:07:30] And finally, the U.S. Marine Corps has looked into claims that some of its recruiters were using dating apps to find prospective Marines. And the Marine Corps says, no, it wasn't them. So beware, you lonely ones; that winsome gunnery sergeant you just met online may not be what they claim to be.

Dave Bittner: [00:07:53] Now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled "More is Not More: Busting the Myth that More Threat Intel Feeds Lead to Better Security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. To find the paper or to register for a free ThreatConnect account visit And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:11] And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R&D manager for security at Accenture labs, and she's also a New America cybersecurity fellow. Malek, welcome back. You have some insights to share when it comes to GDPR, which of course is a hot topic these days. But you all recently published some information to help people navigate what they have to deal with since it went into effect.

Malek Ben Salem: [00:09:35] Yeah, absolutely. So we just published a point of view on building explainable security programs under GDPR. We know that, you know, most people - or most companies are getting ahead with their GDPR compliance. But the new standard now for intelligent enterprises will be to create and maintain transparent and explainable security programs globally and to proactively share them with our customers, employees and business partners. But building a data collection program that is explainable is easier said than done. So what we really listed out for CSOs and security executives is certain steps that they should consider to build such programs. Number one is updating their security operation processes. Building the data collection program that's explainable will require creating new data governance processes and, most importantly, approaching algorithms differently. We know that a lot of - let's say data erasure requests may involve the use of automated processes, sometimes machine-learning algorithms. Under the GDPR requirement, these have to be explainable.

Malek Ben Salem: [00:10:58] So what CSOs should consider is create a - or add a human into the loop within those processes or at least make sure that the process generates a paper trail that explains the conclusion of the algorithm that's being run. The second step we recommend is strengthening consent management frameworks. With each new data item that a company collects, again under the GDPR requirement, they need to get consent from the owner of that data. So what that means is that they'll have to create a repeatable automated process for obtaining this consent.

Malek Ben Salem: [00:11:42] But what's more critical - or a better long-term strategy may be for the chief data protection officer in conjunction with the CSO to regularly refresh the company's consent management framework both inside and outside the enterprise. The third step we recommend is federating and automating erasure processes. We know that companies under GDPR now are liable for data breaches for third companies that they share data with. And by the same token, they're required to honor erasure requests. These are the right to erasure or the right to be forgotten types of requests. They have to honor those requests for data that they have shared with third parties.

Malek Ben Salem: [00:12:29] So they need to have a process for that. A CSO would need agile tools to mine the data quickly, to redact it or remove it entirely and should consider installing security mechanisms, such as rate limiting, because if they have a process that would honor those data erasure requests automatically, that process would have extremely high privileges and access to data that is extremely valuable for the company. So it needs to be monitored very well and secured before it purges large amounts of data. And so we recommend at least installing security mechanisms such as rate limiting for that process.

Malek Ben Salem: [00:13:15] And then finally, as the fourth recommendation, we recommend to CSOs that they revisit digital trust across their entire ecosystem and third-party platforms. Finally, we recommend that CSOs look at the entire cost of ownership under GDPR. We know that GDPR exempts specific types of encrypted data sets from the 72-hour reporting requirement for breaches. So CSOs may be tempted to encrypt more data. That comes at the expense of building an explainable security program when the data is expensed - is encrypted. So they need to consider the total cost of ownership and the benefits that come - or the reduction of liability that comes with encrypting data versus the longer-term benefit of building an explainable program that will build the resilience and trust they need to keep growing.

Dave Bittner: [00:14:19] All right, well, it's good advice as always. If people want to find out more, what is the name of the report? How can they find it?

Malek Ben Salem: [00:14:25] It's the Accenture Security Technology Vision for 2018.

Dave Bittner: [00:14:31] All right, well as always, Malek Ben Salem, thanks for joining us.

Malek Ben Salem: [00:14:34] Thank you, Dave.

Dave Bittner: [00:14:40] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:15:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they are co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.