The CyberWire Daily Podcast 9.6.18
Ep 678 | 9.6.18

Cyberwar looms between Russia and the UK. Twitter and Facebook complete testimony, but inquiries continue. Unpatched MikroTik routers exploited. OilRig's new tricks.


Dave Bittner: [00:00:03] Novichok attacks have brought Britain and Russia to the brink of cyberwar. The U.K. will take its case to the U.N. Security Council. Twitter and Facebook have completed their testimony on Capitol Hill, but investigation of tech's role in influence operations and public discourse continue, so do concerns about election security. Unpatched MikroTik routers are being exploited in the wild, and OilRig shows some new tricks.

Dave Bittner: [00:00:37] Now I'd like to share some words about our sponsor FireEye. They're hosting their annual Cyber Defense Summit in Washington, D.C., from October 1 through October 4. The first two days are devoted to introductory, intermediate and advanced training. It's hands-on, small group and interactive. And it's going to be conducted by some of the best in the business, FireEye's experienced cybersecurity experts. Check out the list of courses at But of course, there's more, and you won't want to miss that either. The 64th U.S. secretary of state, Madeleine K. Albright, will be there to deliver the guest keynote. Her topic - economy and security in the 21st century. And former Home Depot CEO Frank Blake will share what he learned from his company's 2014 data breach. Don't miss it. To learn more and to register, go to That's, and we thank FireEye for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:45] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 6, 2018. The day's biggest story comes from the United Kingdom. We may be seeing something that amounts almost to declared cyberwar between the U.K. and Russia. British Prime Minister May told Commons yesterday that the government had identified the attackers responsible for the Novichok nerve agent attacks. Those attacks were an attempted assassination of a former GRU officer Sergei Skripal and his daughter Yulia back in March. Skripal had been living in the U.K. after being exchanged in a spy swap with Russia. He'd been working for British intelligence.

Dave Bittner: [00:02:30] Prime Minister May named Alexander Petrov and Ruslan Boshirov, characterizing them as GRU operatives. She said the attacks were almost certainly approved at a high level. Other leading conservatives were equally direct. The chairman of the Commons' Foreign Affairs Committee, Tom Tugendhat, said there's no doubt the attacks were state ordered. And President Putin bears responsibility for a war-like act. The prime minister said that the full range of tools from across our national security apparatus will be used against the GRU. That full range of tools is understood to encompass, principally, offensive cyber operations. The prime minister briefed U.S. President Trump Tuesday, Canadian Prime Minister Trudeau yesterday and has requested an emergency meeting of the United Nations Security Council.

Dave Bittner: [00:03:25] Russia has consistently denied any involvement in the Novichok attacks, demanding to see the evidence and claiming that the incident is an Anglo-American provocation probably aided and abetted by the Czechs. Essentially no one believes this, certainly not outside of Russia and probably not within Russia, either. The two GRU officers named - and whose names Russian President Putin's foreign policy adviser, Yuri Ushakov, told reporters, do not mean anything to me - will be prosecuted if British authorities can get their hands on them. And the GRU-associated organizations will face a range of sanctions. But from what's being said in London, this won't be a simple matter of law enforcement or sanctions. The story is still developing, but active cyber offensive operations against Russia by the U.K. and possibly the other four of the five eyes seem highly likely.

Dave Bittner: [00:04:20] The encryption debate continues, highlighted by recent reports of a memo from the Five Eyes group - that's the U.S., U.K., Canada, Australia and New Zealand - demanding that service providers create customized solutions tailored to their individual system architectures that are capable of meeting lawful access requirements. Many read that as being a back door. Robert Anderson is a principal at the Chertoff Group and previously worked in the FBI.

Robert Anderson: [00:04:48] You know, I think my position on this, quite frankly, especially over the last three years since I've been in the private sector and left the FBI after I retired, it's changed. You know, one of the reasons it has changed is because - between running practices in the private sector that respond to cyberbreaches of, you know, personal, identifiable information, banking information and a variety of other things, I think that the tech companies that are producing different levels of encryption have a fiduciary responsibility to their clients to make sure that that can't be breached. I think when you do put in back doors - and I've seen it a lot in the several thousand breaches that I've run for clients since I've left the FBI - it opens up risk to hundreds of thousands of people.

Robert Anderson: [00:05:40] So I think there really needs to be, nowadays, a new dialogue - that's kind of started at the federal and state level, especially the kind of leading technical companies around the United States - to have a discussion on how can they help law enforcement obtain information that they may need, either be a warrant or other means, to protect this country. But at the same time, protecting the clients that have, you know, employed them or hired them to hold their data secretly or in a secure manner.

Dave Bittner: [00:06:12] So can you take us through - what would that dialogue sound like?

Robert Anderson: [00:06:15] I think the first thing that you need to have - start is a common ground. There's a lot of information that, quite frankly, state, local, municipal law enforcements and even some federal law enforcement organizations really don't know how to mine. There's a tremendous amount of open-source data throughout the internet and through apps that people put on their phones that can provide law enforcement with a lot of information. It can provide law enforcement with location of an individual, where individuals like to frequently shop or go eat. There's a variety of things that, without breaking the trust of the clients to keep their data secure, they can assist the law enforcement organization on learning how to mine that data. And whether it's mined through open sources or through a warrant, I think that's a huge step in the right direction.

Dave Bittner: [00:07:09] Do you think there is a legislative solution to this if you had - well, I remember certain levels of encryption used to be categorized as munitions, and it was prohibited from being exported. Is that a path to pursue or is that going to lead us nowhere?

Robert Anderson: [00:07:25] Well, I think a couple things need to happen, right? One is that the federal government's IT infrastructure is lagging. It's way behind the private sector. And a lot of that is because the traditional rules and laws that are set in place to procure IT or any type of, really, infrastructure - it takes a very long time. So between the bidding process, the multiple bidders, getting it funded usually in the second or third fiscal year from when you started - by the time you have the IT infrastructure installed, it's already very much out of date when you're trying to keep up with the private sector. And whether that's defense contracting, banking or, you know, any other type of private sector needs, historically, the private sector moves much faster. They don't have all those rules in place.

Robert Anderson: [00:08:16] So one thing is I think you need to level the playing fields. And I think the Congress and Senate can help on this. I think they can help the federal organizations that need updated IT modernization to allow to procure and install that equipment much quicker and faster. That, in turn, will help these organizations actually communicate to private sector companies and organizations much quicker and on an equal basis.

Robert Anderson: [00:08:42] And I think that's a huge start to this. I think one of the other crucial things that tech giants can help with - and again, it stays clear of actually decrypting or opening back doors - but setting up training on digital evidence collection that - I can guarantee you that there may be parts of the federal or state law enforcement community may understand, but overall, you know, we have 70,000 police organizations across this country. When you go to most countries, they have one, maybe two because it's a giant federal police force. It's a lot harder to make sure that everybody in the country that we live in actually have the ability to do these types of digital investigations. So I think that would be a huge help. And again, it doesn't break that barrier of encryption that the clients are expecting from these companies.

Dave Bittner: [00:09:36] That's Robert Anderson from the Chertoff Group.

Dave Bittner: [00:09:41] Hearings on social media, held yesterday by the Senate Select Committee on Intelligence, elicited from Facebook's Sheryl Sandberg her example of what might companies like hers be expected to do against foreign influence operations - suspend inauthentic accounts the way Facebook, Google and Twitter did when FireEye tipped them to such accounts' links to Iran's government. She said, quote, "in our mind, that's the system working," end quote. But larger questions about disinfecting online nastiness remained unanswered, quite possibly because they're unanswerable. The U.S. Department of Justice announced that it will be looking at social media providers for signs of suppressing certain kinds of expression and for engaging in anti-competitive practices.

Dave Bittner: [00:10:28] We turn to notes on evolving threats that industry researchers have had their eyes on recently. Qihoo 360 warns of multiple malware attacks spreading across vulnerable unpatched MikroTik routers. They've identified more than 370,000 vulnerable devices. The vulnerability in question was patched in April, so this represents another case in which threat actors are exploiting known issues. MikroTik routers are widely used and have been the subject of several waves of attack. One of the better-known earlier waves involved exploits WikiLeaks publicized in its Vault 7 leaks.

Dave Bittner: [00:11:05] Palo Alto Networks reports that Iranian threat actor OilRig has adopted a more evasive variant of the OopsIE Trojan. OilRig has been active against government targets in the Middle East for some time - against, to be specific, regional rivals of Iran. It's shown considerable resourcefulness in adapting commodity tools and adding useful functionality as it becomes available. It's now doing so with its incorporation of the OopsIE Trojan. This malware starts its execution by conducting multiple checks for virtualized environments and sandboxes. It checks such items as CPU fan information - a first for OopsIE - temperature, mouse pointer, hard disk, motherboard, time zone and human interaction. In checking for time zone, it executes only if it finds itself in five specific time zones. Then the Trojan sleeps for 2 seconds, moves to the AppData folder and ensures persistence. How is OilRig spreading this ingenious payload? Through a familiar and well-proven method - spear-phishing.

Dave Bittner: [00:12:13] The Billington Cybersecurity Summit is running today in Washington, D.C. As it always does, the summit will feature leaders from government and industry sharing their perspectives on threats, risks, innovation and investment. You'll find our live tweets from the conference in our Twitter timeline if you haven't seen them already, and we'll have more on the proceedings in upcoming issues of the CyberWire.

Dave Bittner: [00:12:40] I'd like to take a minute to tell you about an exciting CyberWire event. It's the 5th Annual Women in Cybersecurity Reception. It's taking place October 18 at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cybersecurity Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at various points in their careers. The reception also provides a for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event; it's just about creating connections. We're grateful to our sponsors. Here are some of them. Our hosting sponsor is Northrop Grumman. Our presenting sponsors are CenturyLink and Cylance. Our platinum sponsor is Cooley. Gold Sponsors include T. Rowe Price, VMware, Accenture Security, ObserveIT, Saul Ewing Arnstein & Lehr, and Exelon. Tune in tomorrow. We'll share some more of our sponsors.

Dave Bittner: [00:13:46] And if your company is interested in supporting this important event, we still have a few sponsorship opportunities available. As it's been in previous years, this is an invitation-only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, That's We look forward to hearing from you, and we hope to see you there.

Dave Bittner: [00:14:28] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. And he's also my co-host on the "Hacking Humans" podcast, which, if you are not listening to and subscribing to, shame on you.


Dave Bittner: [00:14:40] So Joe, welcome back.

Joe Carrigan: [00:14:42] Hi, Dave.

Dave Bittner: [00:14:43] So interesting story came by - this was written by Hillary Grigonis from Digital Trends. And this is "Biometrics Scanner Catches Impostor at U.S. Airport on Just Third Day of Use."

Joe Carrigan: [00:14:56] Right.

Dave Bittner: [00:14:56] So this is the Customs and Border Protection folks. What's going on here?

Joe Carrigan: [00:15:01] So what's happened - somebody comes in, and they present a Brazilian passport.

Dave Bittner: [00:15:06] Right.

Joe Carrigan: [00:15:07] Something gets flagged, and the guy gets searched, and they find his actual passport, which is actually from the Congo, in his shoe. All right? So what has happened is this guy has tried to commit a crime. He has tried to come into the country illegally with a falsified document.

Dave Bittner: [00:15:25] And so, presumably, the system scans his face...

Joe Carrigan: [00:15:29] Scans his face, the picture on his passport - I would guess the way this works is the picture on the passport and the face that the human has are compared by the agents sitting there...

Dave Bittner: [00:15:43] Right.

Joe Carrigan: [00:15:43] ...At CBP. If this guy's coming in with a fake passport with his picture on it, then it has to be the case that the U.S. government has access to the original picture.

Dave Bittner: [00:15:53] Right, from Brazil.

Joe Carrigan: [00:15:54] From Brazil.

Dave Bittner: [00:15:55] The person whose name is on that Brazilian passport. So we must have - we have some sort of sharing agreement at our borders with those databases.

Joe Carrigan: [00:16:04] Which would make sense to me - that there is some kind of information about - that might just have passport numbers and names and pictures in a database somewhere

Dave Bittner: [00:16:12] Countries that are our allies.

Joe Carrigan: [00:16:13] Now...

Dave Bittner: [00:16:14] So it's working as it should be designed, right? No problem? People - you know, potentially people up to no good coming into our business - or into our country, rather - no problem here.

Joe Carrigan: [00:16:24] Yeah, I don't know how I feel about this...

Dave Bittner: [00:16:26] (Laughter) OK.

Joe Carrigan: [00:16:28] (Laughter) Because I don't recall anything, when I applied for my passport a number of years ago, saying that my information would be distributed to foreign governments. And that is apparently what has happened.

Dave Bittner: [00:16:38] I mean, that's the kind of thing I can imagine being some part of some treaty - you know...

Joe Carrigan: [00:16:42] Probably is.

Dave Bittner: [00:16:42] ...Information - border protection information exchange or something like that.

Joe Carrigan: [00:16:46] That every country has to go through this.

Dave Bittner: [00:16:48] Right.

Joe Carrigan: [00:16:48] So, you know, part of me says, you know, I didn't know this was happening. But the other part of me goes, well, you should have had some kind of expectation of this happening.

Dave Bittner: [00:16:55] Yeah.

Joe Carrigan: [00:16:56] It's almost a necessary thing to do in order to assure that every country can secure their borders, which is what every country wants to do.

Dave Bittner: [00:17:02] Now, do you feel differently about this if it was going on within the United States versus...

Joe Carrigan: [00:17:07] Very much so.

Dave Bittner: [00:17:09] ...Just at the border?

Joe Carrigan: [00:17:09] If this...

Dave Bittner: [00:17:09] So if I'm flying domestically and they're checking my ID using some sort of biometric scanning thing, that raises your hackles, or...

Joe Carrigan: [00:17:18] Actually, yeah, with flying, not so much. I mean, you could always take an alternative means of travel, I guess. But, you know, it still kind of irritates me.

Dave Bittner: [00:17:25] Yeah.

Joe Carrigan: [00:17:53] The big thing about this - all the security stuff - is it generally tends to be security theater, right? So everything we're doing - all this liberty that we're sacrificing is not netting us much. That's my concern. You know, they penetration test the system, right? Their success rate at catching the weapons in these tests was 10 percent. They caught 10 percent of the weapons that went on, which means 90 percent of the weapons pass through the security checkpoint...

Dave Bittner: [00:17:53] Right.

Joe Carrigan: [00:17:54] ...Which is not a good result. I don't - that's an old result. I don't know if they've improved the process or anything. We certainly haven't heard anything about that recently.

Dave Bittner: [00:18:01] Well, and on the other hand, how often do you hear about a plane being hijacked? So maybe the security theater is - you know, made the bad guys move on to other methods.

Joe Carrigan: [00:18:09] Right, and they have moved on to other methods. And bad guys are going to do bad things. It's just the way the universe works. I would really, really, really have a problem with this and - if this was something that law enforcement within the United States was doing. I would think that then we'd have some kind of unreasonable search and seizure going on. But to enter the border of a country - you know, it's kind of creepy, but I'm not sure I can get opposed to it - I could be opposed to it.

Dave Bittner: [00:18:41] All right. Well, I mean, it's interesting; you know, these systems are up and running. And here's an example of it functioning the way it was intended, I suppose.

Joe Carrigan: [00:18:48] Yep.

Dave Bittner: [00:18:49] All right. Well, as always, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:18:51] My pleasure, Dave.

Dave Bittner: [00:18:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Dave Bittner: [00:19:04] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor; we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.