The CyberWire Daily Podcast 11.6.18
Ep 720 | 11.6.18

Iran complains, threatens, and spies. Election Day cybersecurity notes.


Dave Bittner: [00:00:03:07] Iran accuses Israel of a second Stuxnet, claims the attack was thwarted and threatens retaliation. Tehran's not neglecting domestic surveillance of its own: Persian Stalker is involved with some pretty suspicious greyware. It's Election Day in the US and officials are cautiously optimistic that work to secure the voting will be successful. Concerns about information operations persist and people continue to work to distinguish them from good-old-fashioned American confident chatter.

Dave Bittner: [00:00:39:11] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows.

Dave Bittner: [00:01:18:16] Want to learn more? Check out their newest White Paper, titled Threat Intelligence Platforms, Open Source versus Commercial. As a member of a maturing security team evaluating Threat Intelligence Platforms, or TIP, you may be asking yourself whether you should use an open source solution, like a Malware Information Sharing Platform, or MISP, or buy a tip from one of the many vendors offering solutions. In this White Paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions, to help you determine which is right for your team. To read the Paper, visit That's And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:10:05] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 6th, 2018.

Dave Bittner: [00:02:22:12] Rumors of a "second Stuxnet" were reinforced yesterday when Iran's Telecommunications Minister accused Israel of having attacked Iran's telecommunications infrastructure. The Minister said the attack was unsuccessful and, according to Reuters, vowed retaliation. Another senior Iranian official had last week said, tersely, that Tehran had found a new "version of Stuxnet," apparently installed in some phones. This is apparently the attack the Telecommunications Minister is referring to.

Dave Bittner: [00:02:54:21] It's worth noting that this needn't be taken as implying that Iranian defenses have detected and blocked another Stuxnet variant. Stuxnet, which came to light in 2010, was directed at disabling Centrifuges used to refine uranium for Iran's nuclear weapons program. It attacked programmable logic controllers, looking specifically for the Siemens Step7 software, known to have been used at the Natanz nuclear facility. This latest attack, if it took place, seems to be a different matter altogether, spyware and not a campaign to take down an industrial process. So perhaps "Stuxnet 2.0" is best understood as "something the Israelis are doing to us."

Dave Bittner: [00:03:39:21] Cisco Talos research outlines the activities of "Persian Stalker" and Iranian domestic covert surveillance campaign that relies on penetrating social networks to keep an eye on possible dissent. Telegram is a favorite target, with Instagram running second. Talos calls Persian Stalker's apps "greyware" - not quite malware, but perhaps an unwanted program. It does, after all, perform as advertised. This seems shyly reticent. After all, the Telegram clones can often pull a user's contact list, and the Instagram clones send full session data out to backend servers. That seems plenty unwanted to us.

Dave Bittner: [00:04:22:14] Business Insider notes that observers think Iranian cyber operations against US oil production capabilities are a growing possibility as the US tightens sanctions against Tehran.

Dave Bittner: [00:04:35:09] Security professionals working in higher education face a unique set of challenges, providing protection to employees and students, critical systems and all of the devices that those students bring with them every semester. Security networking company, Infoblox, recently surveyed higher ed security teams to get a sense for what they're facing. Victor Danevich is CTO, Field Engineering, at Infoblox.

Victor Danevich: [00:04:58:20] I think the most significant thing is that about every 15 weeks, or every new semester, you've got a new batch of people coming in with different types of devices, and the number of things that are coming in are changing exponentially fast and specifically the Internet of things. So whether it's a watch or phone, Alexa, or you've got students bringing in PlayStations or anything like that, sometimes it can get up to four and in some cases seven devices per student coming in. And every 15 weeks there's a new wave of all these different types of devices that are coming in and the techniques have to be updated and changed as time goes along. I think that's probably one of the biggest differences, you know, versus like an enterprise type approach. Enterprise, you control the type of device that's out there. In a university, you don't.

Dave Bittner: [00:05:46:03] Can you take us through some of the key findings?

Victor Danevich: [00:05:48:16] One of them was about 81% of the IT professionals state that securing campuses would become more challenging as time goes on, and I think for those exact type reasons, it's a complete new set of devices that are coming in, updated code changes and things. Just when you think you might have a handle on something, this next batch of students and wave of equipment starts to come in that can make things a little bit more challenging. 89% of those indicated that there was some type of substantial increase in the number of connected devices on their network, most predominantly in the Wi-Fi area.

Dave Bittner: [00:06:26:03] Now the folks who are running these networks on campuses, do they feel like they've got the resources to keep up or are they constantly in a game of catch-up?

Victor Danevich: [00:06:34:22] Constant catch-up no doubt. I think, you know and again, one of the probably bigger changes and things to think about in enterprise versus higher education, is in an enterprise you control the devices, you kind of can control the flow of how things happen within your environment. A university can't. So keeping up is this every 15 week type cycle and it really starts to make you think about your approach to training, your team, your staff, everything else that's going along with it. The tools, the technology, the scanning, you know, the types of devices, my discovery capabilities, anything along those lines is in constant change and flux.

Dave Bittner: [00:07:17:20] Now one of the things that your study highlighted was this notion of the real problem with insider threats. What did you find there?

Victor Danevich: [00:07:26:03] Well the insider threats can come in a lot of different areas and folds. With insider threat you come in with an infected device and the student may or may not know, it could even be a campus lab piece of equipment, it could be an IoT type device that might have been infected with something, it could have been an actual staff or some type of employee. The type of threat then begins to propagate malware within the network in an uncontrolled fashion.

Dave Bittner: [00:07:55:20] So what are your recommendations? How can these network defenders get on top of this?

Victor Danevich: [00:08:01:10] I think there's a bunch of different things they can do and I think probably the most important from a higher education IT type person that's trying to service the network, is discovery of the type of tools. And these are things that continue to change, you know, on a very, very rapid basis. In terms of discovery, what classification? You can use things like DHCP fingerprinting, to find out the type of device. But the whole focus here is about really understanding the type of device that's on your network and the type of threat that be out there. The second kind of component with them is take advantage of your vendors and different types of tools to understand how to better protect your network. In the case of Infoblox for us it's DNS and implementing black lists and taking the time to be able to check DNS queries as they exit your network, whether or not they're part of a malware type network or some type of reason that they shouldn't be accessing. And either provide some type of blocking or control, at least a word or notification that this type of activity.

Victor Danevich: [00:09:08:06] The next step, and this is kind of the big change I think that's occurring in there, it's just not simply implementing black lists or some type of level of control, but it's now starting to focus on the clue's loop process of making that happen. So not only just providing the black list, having your users leverage your network to be able to check those types of things. But then taking that information, passing into some further processing it, learning from the type of discoveries and activity that might be going on within your network and then being able to apply some kind of corrective action or policy to be able to address that.

Victor Danevich: [00:09:42:19] What's changing though, very, very simple common old technique for a closed loop cycle and providing feedback. But what's changing right now is just the amount of data in malware and threats and different things that are going on, and you can't just simply come in on a Monday morning, grab a cup of coffee and start working through some alerts or different logs. It's changing at the speed of light and you need artificial intelligence, some type of machine learning to be able to understand those patterns, to be able to apply it, to be able to fine tune your policies, that says okay, out of these 10,000 some threats that have just come in or alerts that have come in, which ones are most important that I need to be able to do some type of blocking? What's hurting my organization? What's consuming or what's causing a problem?

Dave Bittner: [00:10:29:04] That's Victor Danevich from Infoblox.

Dave Bittner: [00:10:33:18] It is of course Election Day in the US and so far there are no reports of any unusual interference in the voting. As WIRED notes, measures taken to secure the election have been "unprecedented," and while there are surely lessons to be drawn and improvements to be made, officials seem cautiously optimistic about cybersecurity of the midterms. Should there be evidence of serious foreign interference, everyone thinks US Cyber Command is loaded for Bear - they've got keyboards and connectivity at Fort Meade and they're not afraid to use them.

Dave Bittner: [00:11:07:13] Concerns about influence operations persist, with Facebook saying last night that it had blocked 115 accounts for "coordinated inauthenticity." This formula seems to be a winning one for Facebook - they can credibly claim to be enforcing transparency and not engaging in viewpoint censorship. There is some dissatisfaction with how Facebook's advertising transparency tool is working and some senators have asked the social network to buck up the tool's performance. Twitter says it's ready but the New York Times says the service remains infested with bots.

Dave Bittner: [00:11:43:24] Worries about the elections have been focused largely upon a well established record of Russian online propaganda directed at simple disruption. That's disruption in the sense of exploiting fissures in the targeted society with a goal of exacerbating mutual mistrust and eroding confidence in civil society and government institutions.

Dave Bittner: [00:12:05:03] According to Politico, other observers note that when it comes to trolling irresponsibly and so on, Americans do just fine on their own without foreign help, thank you very much. So in this case, as Pogo Possum said a half century ago, "We have met the enemy and he is us." The enemy often is.

Dave Bittner: [00:12:30:19] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMware's White Paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security. And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:31:09] And joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst from the University of Maryland's Center for Health and Homeland Security. Ben, it's good to have you back. This was an article that came by from Forbes, from Thomas Brewster was the author here, and it was titled "To Catch A Robber, The FBI Attempted An Unprecedented Grab For Google Location Data." Describe to us what's going on here.

Ben Yelin: [00:13:53:10] So this is a very interesting case. FBI was conducting investigation into a number of robberies that took place in the Portland, Oregon, area, and they made what was an unprecedented request of Google, specifically for people who use Google Maps devices, and they requested information, identifying information on all users of that software who were present in the location of these robberies. These are known as reverse location warrants. So it's just a general authorization to identify everybody who was in a given area within reach of a cell tower, that could be identified, and I think they gave a radius of like three miles or something. Which is a relatively wide radius when you're talking about four separate locations across the City of Portland. So the question of course is, is this constitutional, particularly the fact that there's no individualized suspicion here. When our Fourth Amendment requires a level of specificity, the government obtain a warrant to just collect information on everybody.

Ben Yelin: [00:15:00:07] This is a question that the Supreme Court has not answered. In fact in the Carpenter case that came out this year, they explicitly declined to extend their holding to these types of searches. So you know the FBI doesn't have particularly clear guidance on this. In this case Google, for whatever reason, whether they wanted to protect their reputation or they weren't able to obtain the proper information, basically just never complied with the warrant. Eventually it became a mute issue because the government was able to find the criminal suspect without the use of that reverse search, but I think we're going to find a situation in the future where somebody's going to be convicted of a crime because they were encapsulated in a search. And it's a very fundamental Fourth Amendment principle that every search has to be supported by probable cause, which has to be augmented with a level of specificity, that a particular person was in a particular location committing a particular crime.

Ben Yelin: [00:16:04:23] Even though you could make a case that these searches are reasonable, to protect public safety, and that people are willingly sharing their location information to Google or third parties so they don't have the reasonable expectation of privacy in that information. I think you're still going to have that concern of the sweeping warrants that will end up capturing critical information from completely innocent people. So I think it's definitely an issue we're going to have to look out for. This ended up not being the case that would make through our court system, because the government was able to obtain an arrest without this data, but we're going to have that case soon and it's going to be interesting to see how it turns out.

Dave Bittner: [00:16:46:04] It's fascinating to me because on the face of it, as an armchair observer of these sorts of things, it's hard for me to imagine someone going in this direction, because it seems you can't go in front of a judge and say, "Listen the crime was committed here, I'd like to search the whole neighborhood."

Ben Yelin: [00:17:06:03] I think it runs afoul of our most basic Fourth Amendment principles. That's actually what the ACRU said about this case. Our Fourth Amendment comes from our English heritage, where its great scholars took great offense at the idea of general warrants. Where the government or the king without any sort of specificity would go into a person's house and see what they could find. And that led to potential tyranny because you had some sort of authority figure, not with any level of actual suspicion, doing their best to dig up evidence of a crime and that's what this sounds like. It's obviously a different iteration of it, but when we're talking about our most cherished Fourth Amendment principles, I mean particularity when it comes to warrant applications is so incredibly fundamental. Unless this is an application of a third party doctrine, which I think is a valid argument, I still think it could be an unreasonable search and seizure and I think particularly because it runs afoul of our critical Fourth Amendment principles.

Dave Bittner: [00:18:15:03] Time will tell, we'll see how it plays out. It's interesting that it's inevitable that this is the kind of thing that will have to run through our legal system. I suppose that's the way it's supposed to work.

Ben Yelin: [00:18:27:10] Absolutely, I think this is on a collision course with the Supreme Courts, specifically since the court mentioned this issue in the Carpenter case, it's obviously on their mind. I think it's something we have to follow closely.

Dave Bittner: [00:18:41:05] Ben Yelin, thanks for joining us.

Dave Bittner: [00:18:48:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:19:16:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire Editor is John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.