The CyberWire Daily Podcast 7.27.18
Ep 650 | 7.27.18

Fancy Bear sniffs around Senatorial staffs. US NSC considers Russian election interference. Chinese and Iranian cyberespionage. Malware loaders. Smart home bugs. Stealing WiFi.


Dave Bittner: [00:00:03] Fancy Bear is said to be snuffling around at least one U.S. senatorial office. The U.S. National Security Council meets to consider Russian election interference. Notes on Chinese and Iranian cyber-espionage. New malware loaders are offered on the black market. Smart home hubs are shown to be hackable. Tenable enjoys a good IPO. And a burglar in Silicon Valley didn't say your money or your life but rather, dude, I'm out of data; can I have your Wi-Fi password?

Dave Bittner: [00:00:37] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence of course. But nowadays it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out their report "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at The CyberWire, and we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:38] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 27, 2018. The Daily Beast reports that Fancy Bear is snuffling around Senator Claire McCaskill and some of her staffers. She's a Democrat of Missouri. The GRU apparently phished the senator's office with emails purportedly to notify them that their passwords had expired and directing them to a link that would enable them to re-establish their access with a new password. That link, which of course was bogus, led to a nicely convincing page that looked just like the U.S. Senate's Active Directory Federal Services (ph) login page. Each phishing email contained a distinctive link that displayed the target's email address on the phony password reset page. This of course lent credibility to what might otherwise be a bald and unconvincing narrative.

Dave Bittner: [00:02:31] Senator McCaskill's office appears to be one of the targets Microsoft's Tom Burt alluded to at the Aspen Security Forum last week when he told symposiasts that Redmond had found a fake Microsoft domain being used against various political campaigns. Senator McCaskill is up for re-election this year. She's said she's not ready yet to talk about Fancy Bear's phishing attempt, but her office may have something to say next week.

Dave Bittner: [00:02:58] The U.S. National Security Council is meeting today in a session chaired by President Trump to discuss election vulnerabilities and in particular the prospect of Russian interference in the coming midterm vote. For all the recent concern expressed in the U.S. about Russian election and infrastructure finagling and reconnaissance, Russia's not the only adversary the U.S. faces in cyberspace.

Dave Bittner: [00:03:21] This week's report by the National Counterintelligence and Security Center takes note of extensive Chinese and Iranian operations as well. In these last two cases, the recent activity has tended toward cyber-espionage of an industrial kind. Chinese operators work to gain commercial advantage. The center's report listed the areas that have drawn the attention of Beijing's intelligence services - oil, gas and coal bed methane gas energy extraction technologies, smart grids, solar and wind power, biopharmaceuticals - especially new vaccines and drugs - defensive marine systems and radar technologies, hybrid and electric vehicle systems, pollution control, high-end computing and numerically controlled machines as used in manufacturing, space infrastructure and exploration technology, synthetic rubber, rare earth materials, quantum computing and next-generation broadband wireless.

Dave Bittner: [00:04:17] With Iran, the goals are less economic advantage than they are direct, hard kinetic power. Tehran's hackers are out for technology that could improve its missile and space programs. The Iranian threat group called out in the center's report is being called Rocket Kitten, it being as customary to give Iranian groups feline names as it is to call Russian ones bears. Rocket Kitten is not to be confused with Rocket Man, who's either Kim Jong Un or Elton John.

Dave Bittner: [00:04:47] So again, for those of you keeping score at home, if it's a bear, it's Russian, if it's a panda, Chinese. Cats and kittens are Iranian because of course Persian cats. There's less system about other countries, although there's some disposition to see North Korean cobras and Indian elephants, which somehow seems a throwback to the representation of delirium tremens in the old classic pre-Code animated cartoons they used to show really early on Saturday mornings like "Farmer Brown" or "Betty Boop."

Dave Bittner: [00:05:17] Anyway, Flashpoint researchers report that malware loaders continue their evolution and proliferation. They offer two new loaders, Aurora and Kardon, as examples. They're both for sale in dark web criminal markets. Aurora boasts that it's not only undetectable but that it also features the ability to create self-healing bots. Kardon's selling point is simplicity. It arrives on victim machines with what Flashpoint calls a fully integrated bot shop.

Dave Bittner: [00:05:48] Cisco's Talos group has found 20 vulnerabilities in Samsung SmartThings Hub controllers. They say flaws could enable attackers to control the smart home from light bulb to thermostat and to remotely monitor activity through connected devices. Cisco discloses these discoveries responsibly, so Samsung has had an opportunity to develop fixes. Users should look for updates.

Dave Bittner: [00:06:13] Google's security keys, which the company says protect its 85,000 employees from phishing, look good. But unsurprisingly, they're not a 24-karat perfect password alternative. KnowBe4 suggests ways in which the keys might prove hackable. Again, that's not to say that the keys aren't a good thing, but it is to recognize that cybersecurity deals with conflict and that conflict occurs among human beings, who see, learn, react and adapt.

Dave Bittner: [00:06:41] Tenable began offering its shares on the Nasdaq yesterday, and its debut was a very good one - up 32 percent at closing. Investors like its subscription model and have given the company a value of somewhere around $3 billion. Two other IPOs in the sector that analysts widely expect in the not-too-distant future are CrowdStrike and Tanium.

Dave Bittner: [00:07:04] Those who work in the industry will recognize buzzword bingo, which may be played during long sessions of PowerPoint in corporate offices. If you hear the briefer offer a sentence like we'll leverage synergy for an out-of-the-box disruptive innovation, you're entitled to holler bingo. You can play a similar game with the news - cliche bingo. Insofar as the news instantiates cliches - and it must be factual news, not opinion journalism - track it on your card and look for five in a row. Here's a story that's almost there.

Dave Bittner: [00:07:37] Ars Technica reports an arrest in Palo Alto, Calif. - that's the very heart of Silicon Valley of course - in which a young man aged 17, so his name has been primly redacted from the police reports, broke into a couple's home in the middle of the night. He appeared in their bedroom and awakened them with a request to use their Wi-Fi because, as he put it, he was out of data. He was wearing a mask at the time. That's at least four cliches right there. If it turns out he wanted the Wi-Fi so he could play Fortnite, we'd be hollering bingo loud enough so everyone could hear from Baltimore to Berkeley. Sad.

Dave Bittner: [00:08:15] Today is SysAdmin Appreciation Day, the 19th annual one. Do something nice for your systems administrators. And remember; the four saddest words in the world when spoken by a manager are why don't we just. Make them happier words by following them with knock off early and go out for pizza on the company dime. Have a great weekend, everybody.

Dave Bittner: [00:08:42] And now a bit about our sponsors at VMWare. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMWare's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMWare for sponsoring our show.

Dave Bittner: [00:09:43] And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. You know, over the years we've seen more and more RF spectrum being carved out - being reprovisioned, I suppose, for digital services. And that makes sense. But I'm wondering. Is it automatic that as we carve away analog - what used to be analog radio spectrum, does the stuff that replaces it automatically become digital? And are there cases where it makes sense to sometimes leave things analog?

Charles Clancy: [00:10:20] That's a great point. If you look at the transition of many different types of wireless signals - we've seen the transition of FM radio to digital. We've seen the transition from broadcast UHF and VHF television to digital. And even the cell phone standards that we use - 1G cell phones were all analog. But as we moved to 2G, 3G, 4G and now 5G, they're increasingly sophisticated and increasingly digital. So I think there's a variety of perspectives you can take on that. First, digital is always going to be more efficient. You can always pack more data into the same spectrum and do it in a more flexible way if it's digital. But a digital transmission and receiver system is inherently more complicated, more sophisticated. If you think back to perhaps the 1970s and 1980s, being able to build a crystal radio and listen into FM and AM broadcasts...

Dave Bittner: [00:11:16] Sure.

Charles Clancy: [00:11:16] That's really not possible with modern technologies.

Dave Bittner: [00:11:19] But even from a security point of view - I mean, I think about something like, you know, before everything went to mobile devices, you know, we had cordless phones in our homes. And the analog ones - your next-door neighbor with a scanner could listen to your conversations. When they went digital, they couldn't do that anymore.

Charles Clancy: [00:11:33] Oh, exactly. So digital offers the ability to provide encryption and authentication that you really can't do in an analog context. And in fact, that was one of the big use cases for 2G, was that the 1G phones of the 1980s - particularly on the West Coast there was so much fraud that the networks were starting to fall apart because no one was paying for service. So one of the driving use cases for 2G was, well, if we can actually use encryption to effectively authenticate users and effectively bill users.

Dave Bittner: [00:12:05] Now, are there still some legacy systems out there? I'm thinking, for example, of things like air traffic control. They're still on an analog system, aren't they?

Charles Clancy: [00:12:14] Yes. There are many systems that are still analog from shortwave radio to VHS. A lot of the amateur radio bands are still all analog. And then certainly, as you point out, things like air traffic control are still primarily analog. Analog has a lot of features going for it. Generally, the quality of the signal is better over longer ranges. However, again, it has the - it lacks those security features. So air traffic control is an interesting example where we want resiliency and we want to have less sophisticated transmitters and receivers so that we're more guaranteed that the system will be available and functional, but at the same time it leaves them open to jamming and spoofing and other sorts of attacks which potentially could be catastrophic in a scenario like air traffic control.

Dave Bittner: [00:13:00] Yeah. It's interesting. All right, well, as always, Dr. Charles Clancy, thanks for joining us.

Charles Clancy: [00:13:05] Thank you.

Dave Bittner: [00:13:13] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful fake security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at That's And we thank whomever it is for sponsoring our show.

Dave Bittner: [00:14:09] My guest today is Lisa Beegle. She's Akamai's senior manager of security intelligence. Today we're discussing Akamai's summer edition of their "State of the Internet/Security" report.

Dave Bittner: [00:14:20] Now, what are you seeing in terms of overall longer-term trends? Is the velocity increasing? Are the abilities to fight these things keeping pace? Where do things stand today?

Lisa Beegle: [00:14:33] So I would say that I've seen a couple of things. One is this year I'm seeing the multi-gig attacks again, whereas last year you probably saw - anything around 200 megs of sorts was kind of the highlight. But I also attribute that to the fact that the attackers got smarter.

Lisa Beegle: [00:14:53] And what I mean by that is from a learning standpoint, they understand what those thresholds were. So if you hit somebody with a hundred gigs in 30 seconds, the chances of there being an actual documented alert minimizes. So when you're looking at actual attack activity, you're seeing some of those smaller numbers. Whereas now I'm seeing that trending of, you know, 2 gigs, 10 gigs, a hundred gigs-plus types of attacks. I mean, obviously, the 1.35 terabits was significant, and there were some indicators prior to that of 200-plus-gig attacks. So you are seeing that.

Lisa Beegle: [00:15:28] I think the other thing is just there's more access. So when you're looking at the uptick of all overall attacks themselves, that increase, there's a huge mix of, you know, the gamers, the script kiddies as well as some of the more astute and educated type of attackers. And discerning the two becomes a little cloudy because you do see in some instances targets that see both. And in some instances, you see just that specific target is - so that memcached attack - that was specifically targeted to a single organization. And you could identify that. You didn't see that overlap of attack activity.

Lisa Beegle: [00:16:11] So I think that because you have more resource - and one highlight would be the YouTube attack with the 12-year-old developer. And, you know, I had a conversation with somebody before, and they said, well, yeah, he's 12. That being said, the complexity associated with the attack meant that he was capable. And the fact that you are seeing younger folks that have those types of capabilities is concerning from a futures perspective.

Dave Bittner: [00:16:42] Yeah. I think it's an interesting perspective. I mean, when you look at, you know, the ability to amplify attacks the way that the memcached attacks took place, be able to - there are multipliers there. And you have to wonder what - you know, what are the unknowns in the future in terms of capabilities to that level of amplification?

Lisa Beegle: [00:17:04] Yeah. And that's the thing. I mean, that was obviously a rarity. That doesn't necessarily mean it's an anomaly. There are probably things that a lot of us aren't aware of. I mean, this was something that I do believe is - was identified several years ago. But it was the change that was made by Linux inadvertently, so to speak, that really did cause the greater collateral damage from an exposure standpoint, whether that's because organizations didn't have enough resources and weren't aware of that - being exposed or, you know, just because of the change itself. So it's hard to say.

Lisa Beegle: [00:17:41] But you have to believe that once things are out there from a vulnerability standpoint, there are ways to then adapt and conform them. And I think that's kind of the risk that we face today. There's so much out there that it's hard to say where the next thing's going to come from. I mean, there's always chatter with some of these botnets. And you see the old toolkits being reused. You're seeing, you know, even from a takedown perspective things that were taken down many years ago re-emerging in a different way. So it's kind of an arms race of sorts.

Dave Bittner: [00:18:15] Now, what are your recommendations for folks? Looking at the trends as you're tracking them, what do you - what are some of the things you recommend in terms of folks protecting themselves?

Lisa Beegle: [00:18:25] I think first and foremost understanding your own environments becomes key. And I know that's not always easy, but you have changing resource. You have changing network configurations. You have changes within providers themselves. But really wrapping their heads around what their environment looks like first and foremost and keeping track of that is very, very important whether that's from acquisitions or downsizing. So I think that in and of itself exposes a customer in some way.

Lisa Beegle: [00:18:53] The other thing is ensuring that once they've kind of identified those components in their environment, making sure that they aren't vulnerable in some way. And if they are, taking action or assessing what that risk potentially could be from a business perspective. And then incorporating all of that into their internal runbook or playbook of sorts and identifying, what is acceptance of risk? What is not? Who are our providers? Where do we have some level of exposure? What's our redundancy?

Lisa Beegle: [00:19:25] And then executing that. You've got to practice it. You've got to understand it. And you have to do that at a minimum every quarter because everything's changing. We change our environment. The customer changes their environment. So anything as it relates to reacting, identifying - seconds, minutes can be incredibly impactful from a decision-making standpoint, from an identification standpoint. So if I had to say anything, those are kind of those key components and understanding your environment, practicing and executing and understanding what that risk might be.

Dave Bittner: [00:20:00] That's Lisa Beegle from Akamai. You can find their summer edition of the "State of the Internet/Security" report on their website.

Dave Bittner: [00:20:11] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:20:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.