The CyberWire Daily Podcast 10.25.18
Ep 712 | 10.25.18

Influence operations, da. Direct hacking? Maybe nyet. Chalubo botnet borrows old tricks. Financial sector alert in Mexico. Airline breach disclosed. Lawsuits over privacy. ICS Security notes.


Peter Kilpe: [00:00:04] The U.S. Department of Homeland Security sees lower than expected rates of Russian election system probing, even as Russian information operations continue. Sophos warns of the emergence of the Linux-based Chalubo botnet. Mexico's central bank raises its alert level. Cathay Pacific discloses a breach of passenger information. Privacy-related fines in lawsuits. And notes from the 2018 ICS Cyber Security Conference.

Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out their report "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.

Peter Kilpe: [00:01:36] Major funding for the CyberWire was provided by Cylance. From the CyberWire at DataTribe, with your CyberWire summary for Thursday, October 25, 2018, I'm Peter Kilpe, executive editor, sitting in for the still-vacationing Dave Bittner. Dave will be back in the studio on Monday.

Peter Kilpe: [00:01:54] The U.S. Department of Homeland Security is not seeing expected rates of Russian election system probing, but its National Protection and Programs Directorate doesn't necessarily find this reassuring, wondering instead what it might be missing. That information operations have continued is attested to by the recent U.S. indictment of a Russian troll facilitator. DHS is increasing its assistance to election officials overseeing particularly close races.

Peter Kilpe: [00:02:19] The effect of U.S. Cyber Command's campaign of warning Russian information operators and whatever else Fort Meade may be doing remains to be seen. Some observers see a possible model for retaliation and deterrence in the quiet information campaign the U.S. and NATO allies ran against Serbian leader Slobodan Milosevic in the late 1990s. The campaign worked to push Milosevic's key backers - bankrollers and business partners - away from the dictator. He became increasingly isolated and increasingly vulnerable to the campaign that eventually took down his regime and ended the war in the Balkans.

Peter Kilpe: [00:02:54] SophosLabs reports the discovery of a large botnet that it exploits poorly secured SSH servers and various equally poorly secured IoT devices. Called Chalubo, after its use of the ChaCha stream cipher, the botnet is adapted to run distributed denial-of-service attacks. It's Linux-based, but researchers say Chalubo is using obfuscation techniques usually associated with Windows-based malicious code. It's also borrowed code from both Xor.DDoS and Mirai. Observers offer the usual sensible recommendations about securing devices. Familiarity in this case shouldn't breed contempt. Advice to attend to basic hygiene is always worth taking seriously.

Peter Kilpe: [00:03:36] Mexico's central bank has raised the alert level for the country's financial system after insurer AXA reported sustaining a cyberattack that attempted to compromise cash payment systems.

Peter Kilpe: [00:03:47] Hong Kong-based Cathay Pacific has sustained a major data breach. The airline disclosed yesterday that almost 9 1/2 million passengers may have been affected. Personal information compromised includes passport numbers, identity numbers, credit card numbers, frequent flyer membership program numbers, customer service comments and travel history. Cathay Pacific noticed the suspicious activity in March confirmed the incident by May but apparently waited until this week to notify affected passengers.

Peter Kilpe: [00:04:16] The U.K.'s Information Commissioner's Office has assessed the maximum allowable penalty, 500,000 pounds, against Facebook for its role in the Cambridge Analytica data scandal. Five hundred thousand is not much, perhaps, for a company as big as Facebook, but the fact that it's the maximum penalty allowable under the laws that were then current should give companies pause with respect to regulatory risk. Those risks, at least in terms of the penalties regulators and the courts are able to readily impose, are likely to increase.

Peter Kilpe: [00:04:47] The plaintiffs' bar is likely to play a significant role in the development of privacy and security standards of practice. Facebook this week has been served with a lawsuit that alleges the company tracked a user's location even after that user had turned off such tracking. The plaintiff, says the suit, quote, "relied on Facebook's promise that if he turned the location history off, Facebook would no longer build a location history logging his private location information,” unquote.

Peter Kilpe: [00:05:14] The plaintiff alleges that Facebook continued to track him without consent. The lawsuit is similar to a class-action suit against Google that alleges similar location tracking by Google's apps and services, even after users change their device settings to prevent such tracking. Both suits accuse Facebook and Google with violating California privacy laws.

Peter Kilpe: [00:05:34] Dave recently talked with Justin Harvey from Accenture on insourcing versus outsourcing threat intelligence. We'll hear that interview after the break.

Dave Bittner: [00:05:46] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMWare's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:06:46] And joining me once again is Justin Harvey. He's the Global Incident Response leader at Accenture. Justin, it's great to have you back. I wanted to touch today on threat intelligence. And specifically, what's your guidance for companies to know when they should outsource threat intelligence or keep it inside?

Justin Harvey: [00:07:02] Well, it's not always about threat feeds. I think that a lot of organizations feel that if they get their threat feeds and they can install them - that that's enough. So that leads us to the conclusion that more and more companies have started to realize that. And they say to themselves, should we insource and collect and curate and analyze the threat intelligence that we have in our own enterprise? Or should we outsource that to a third-party provider? And the answer that I think that many of us have come up with is that there's simply not enough skilled people out there that can not only build and run a threat intelligence organization but sustain it over time.

Justin Harvey: [00:07:48] And I think that one of the big recommendations that we have is actually consider outsourcing that to a third party because it's all about perspective, Dave. It's all about threat intelligence organizations are only really as good as their aperture. How much data are they sourcing? Do they have access to a wide swath of net flow and DNS data and strategic threat intelligence and actually monitoring and having the capability to access the dark web? And what we have found is that the more that companies outsource their threat intelligence to a trusted party, the higher value and actionable threat intelligence they can get from those organizations.

Dave Bittner: [00:08:35] Now, are the two things necessarily completely mutually exclusive? Is it possible to dial in a little of both - both have an in-house group but then rely on outsourcing for some of it, as well?

Justin Harvey: [00:08:46] Sure. Absolutely. Sometimes, you don't need a full-fledged threat intelligence team with, like, 15, 20 guys and gals doing that intelligence. Sometimes, you can get away with one or two people that are acting as intermediaries and medium-level analysts. And then they can take what they're observing within the enterprise and work with a trusted third party.

Justin Harvey: [00:09:09] Also, there are higher levels of risk associated with some forms of threat intelligence. Let's take the dark web, for instance. There is quite a bit of risk that can be incurred by creating personas, by infiltrating some of the dark web trading sites and commerce sites for trading PHI, PII and cardholder data. And our advice is leave that up to the companies that specialize in that, that have the ability to invest to create these personas and to do the fake trading in transactions in order to get access to that data and make it actionable.

Dave Bittner: [00:09:51] All right. Justin Harvey, thanks for joining us.

Justin Harvey: [00:09:53] Thank you.

Peter Kilpe: [00:09:57] Wednesday's sessions of the 2018 ICS Security Conference continued examination of risk management and the importance of security operators engaging the realities on the plant floor. In a presentation on consequence-driven risk management, LEO Cyber Security's Clint Bodungen stated a first principle. We do cybersecurity because cyberthreats pose a risk to the business. He argued that cyber risks should not be viewed as process hazards. Identifying consequences helps determine safety controls and define the possible impact of events. He also offered a skeptical take on the familiar risk equation, which depends on speculative numbers and lends a specious appearance of rigor to what is, in fact, a questionable and subjective process.

Peter Kilpe: [00:10:38] Two security leaders from Sony, Kristin Demoranville and Stuart King described the realities of assessing security in factories. A security assessment is neither a tour nor a policy enforcement drill. Their argument was security comes down to people and processes, which is neither surprising nor controversial. But the lessons they drew were instructive. It is essential to recognize, they said, that, quote, "anything will break production,” unquote - that is, surprising events that you the security officer would not expect to be a problem, in fact, can disrupt industrial processes. It's important to discover the factory and understand how it works. And it's important to establish trust with the people that work there. Hanging out on the line and in break rooms will give you a realistic appreciation for the facility's risk.

Peter Kilpe: [00:11:22] Demoranville and King said you will find that not everything that looks like a risk is, in fact, a risk. And many things that look benign actually do pose a risk. The factory is, they said, best understood as a family. People tend to work there for years. They know one another well. And they don't know the outsiders who come through and assess their work family's cybersecurity. It's important to gain and merit their trust.

Peter Kilpe: [00:11:46] We heard Tuesday from Dragos on the TRITON/TRISIS malware deployed against the Saudi petrochemical facility. Yesterday, Nozomi's co-founder Dr. Andrea Carcano spoke about their own investigation of the malware, including the reverse engineering of the probable attack methods. His conclusion was that the exploitation of industrial control systems is no longer for the elite. Increased connectivity, readily available exploitation tools and malware samples and easily accessible ICS documentation and equipment combined to lower barriers to entry. The 2018 ICS Cyber Security Conference concludes today. We'll have more coverage tomorrow.

Peter Kilpe: [00:12:25] Barracuda Networks this morning released findings from its recently concluded global research into software-defined wide-area networks. The report, "Security, Connectivity and Control: The Challenges and Opportunities of SD-WAN," describes the responses of IT and security professionals to questions about SD-WAN deployments. Their concerns are unsurprising. They want cost savings, simplicity and, not the least, security. Tony Pepper is CEO and co-founder of Egress Software Technologies, a provider of privacy and risk management software designed to manage and protect unstructured data. Dave spoke with him earlier about the growing variety and volume of unstructured data and why it can be challenging for many organizations to protect it.

Tony Pepper: [00:13:06] When we talk about unstructured data, we mean any type of content that really is installed in a more traditional structured sense - so in back-end databases. So we are talking about email content, whether that's message content or attachments, but also any type of files or documents. And they can include audio files and video files as well.

Dave Bittner: [00:13:29] So what are the challenges when it comes to securing that data?

Tony Pepper: [00:13:32] Well, I think one of the challenges is really two-fold really. I think the first challenge is what is sensitive and what is not sensitive. And I think end users have a real difficulty in sometimes being educated on when to protect that, you know. And, again, there are programs like data classification to help. And they go certainly some way to do that. But I still think end users in the enterprise are really just unclear as to what is sensitive and what is not sensitive. So I think that's the first point.

Tony Pepper: [00:14:06] I think the next point is because unstructured data now is being created in different new forms - so whereas traditionally, unstructured data was typically documents and PowerPoints, some PDFs and stuff like that and images. Actually now sort of unstructured data in the modern business is often audio files and very large video files. Not only is there more volume, but also the individual files, they're just getting bigger.

Dave Bittner: [00:14:33] And so what are your recommendations? How can people go about approaching this problem?

Tony Pepper: [00:14:39] Well, I think the first thing to say is, you know, the traditional way of solving any kind of data security is to put it in a boundary - is to kind of almost take it away from end users because apparently end users can't figure it out. I think end users can figure it out. I just think the reality is that the solutions on the market are just either too difficult to use or ultimately aren't sophisticated enough to be able to aid end users. So what they've done to approach that is actually take it away. And lots of technology on the market is - you know, it carries out rule-based regular-expression policy control at the edge of the network.

Tony Pepper: [00:15:13] But actually, that is not a way to tackle this long term. The only way to tackle this long term is to deliver capability to end users that they really engage with - but also really helps them, that actually says, well, using machine learning and, certainly in our case, we can actually, you know, with a very, very high degree of probability, suggest what type of data this is and also either autorecommend - or actually autodeliver an appropriate level of protection but done in a way that users are really part of that process. So that's the first thing. I think you've got to - you know, you've got to deliver tools around end users that makes them more productive, helps them in their day-to-day job and automates a lot of that real confusion. I think, you know, that's certainly the first piece.

Tony Pepper: [00:15:59] I think the second piece - I think I just touched on - modern use in modern technology now. I think we're moving away from more traditional, regular expression-based DLP capability to more, much more intelligent ways to - not only understanding what's sensitive and what not sensitive. But let's actually - lets go that little bit further. Let's also use machine learning to actually say - well, long before we're going to figure out if it needs an appropriate level of protection, let's make sure that the information we're sharing is going to the right recipients because actually, if you look at the breaches in information security across the United States and worldwide, actually that is the largest segment of breaches of security, whereby end users in business, not maliciously but accidentally, are communicating with the wrong recipients.

Tony Pepper: [00:16:49] They're just accidentally sharing with people they didn't realize. Maybe Outlook's autofilled out a recipient, typically with the same name of the person - the first name of the person they're trying to communicate with. And then it autocompletes. And then it's gone. And then it's too late. So I think we look at this in a much broader sense and kind of say, well, the first thing we need to do is communicate with the right people. And the next thing we need to do is make sure that we apply the right level of security and control. And the only way you can do that is using machine learning.

Peter Kilpe: [00:17:19] That's Tony Pepper from Egress Software Technologies. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at

Peter Kilpe: [00:17:33] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Peter Kilpe: [00:17:49] Thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at

Peter Kilpe: [00:17:56] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. And technical editor is Chris Russell. I'm Peter Kilpe, sitting in for Dave Bittner. He'll be back next week. Thanks for listening.