The CyberWire Daily Podcast 11.19.18
Ep 728 | 11.19.18

CISA is now officially an agency. Cozy Bear is back. Gmail spoofing issue opens social engineering possibilities. Speculation about “cyber 9/11s.”


Dave Bittner: [0:00:00] Hello, everyone. A quick reminder that in addition to our daily podcast, we also publish a daily news brief that you can subscribe to and have delivered via email every day. It's a great companion piece to the daily podcast, with dozens of links to all the day's cybersecurity news. So do check it out and subscribe over on our website. That's It's the CyberWire Daily News Brief at Thanks.

Dave Bittner: [0:00:28] CISA is now an agency within DHS. Cozy Bear is back and spearphishing in American civilian waters. Ukrainian authorities say they've detected and blocked a malware campaign that appears targeted against former Soviet Republics. A reported Gmail issue may make for more plausible social engineering. The Outlaw criminal group expands into cryptojacking. Infrastructure, financial and data corruption attacks are discussed as possible cyber 9/11s.

Dave Bittner: [0:01:04] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web - developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely - because that's what you want, actionable intelligence. So sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [0:02:16] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [0:02:20] From the CyberWire studio at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 19, 2018. The new U.S. Cybersecurity Agency - the Cybersecurity and Infrastructure Agency or CISA - is now ready for its groundbreaking. President Trump signed the legislation that authorized it into law on Friday. The CISA Act, in effect, reorganized and clarified the charter for the Department of Homeland Security's National Protection and Programs Directorate - best known simply by its initials NPPD. It's now an agency responsible for overseeing civilian cybersecurity across the federal government, with an expansive brief to support state, local and private sector cybersecurity efforts as well.

Dave Bittner: [0:03:07] Christopher Krebs, the NPPD's director, will become CISA's first director. Krebs characterized CISA's establishment, which has been widely described as a rebranding, as more of a groundbreaking than a ribbon-cutting. He said, as reported by the Federal News Network, that the new agency has a two-year road map to achieving its full operational capability. A number of familiar officials will remain with CISA. Jeanette Manfra, for one, will serve as assistant director for cybersecurity and communications. As a new agency, roughly on par with other DHS organizations - like the Federal Emergency Management Agency and the Secret Service - CISA will receive increased budgetary and operational authority. That may be a good thing too because the civilian side could probably benefit from increased resources and attention. Even if CISA isn't exactly shovel-ready, it will have plenty to tackle.

Dave Bittner: [0:04:06] As an example of what the new agency will be up against, consider news that began to develop late last week. Guess who's back and interested in U.S. civilian agencies and the private sector? Cozy Bear, that's who. This is that other Russian cyber operational agency, the quieter sister to GRU's Fancy Bear. Cozy Bear discreetly established itself in the Democratic National Committee's networks early in the 2016 election cycle - months before the flashier and more ostentatious Fancy Bear showed up and blew the gaff. Cozy had last been prominent in 2017 when it conducted espionage campaigns against government targets in Norway and the Netherlands. Cozy Bear is generally associated with either the FSB or SVR, both of which are KGB descendants in the current Russian security and intelligence bureaucracy.

Dave Bittner: [0:05:00] According to ZDNet and Reuters, the group has been engaged in spearphishing U.S. targets. CrowdStrike and FireEye, among others, have been reporting the discovery and watching the operation. CrowdStrike says Cozy Bear has been impersonating a U.S. State Department official in spearphishing emails. The payload is a link to a legitimate but compromised website. Targets form a familiar set of Cozy Bear interests - government agencies, including law enforcement agencies, think tanks and business information services. Cozy Bear, by the way - if you're keeping score at home - is also known as APT29, the Dukes or PowerDuke.

Dave Bittner: [0:05:41] Ukraine's CERT, working with the country's foreign intelligence service, says it stopped battlespace preparation for a campaign that would've installed a new version of the Pterodo espionage and attack-staging malware. There's no attribution, but they note that the campaign appeared interested in former Soviet republics. It's designed to run only on systems localized to the languages prevalent in the near abroad - among them, Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek and Tatar. CERT-UA recommends the usual hygienic measures against infection. Be wary of opening attachments. Disable autorun for removable media. Be skeptical when an operating system displays a message that a file requires that certain software be installed before it can be opened. And, of course, regularly and securely back up your files.

Dave Bittner: [0:06:33] Researchers report a Gmail flaw that enables a user to add an arbitrary email address to the from field. The social engineering possibilities are obvious, but the approach is an unusual one. Researcher and software developer Tim Cotten told Bleeping Computer that a colleague of his found, in her Gmail account's sent folder, some messages she hadn't in fact sent. What seems to have happened is that an anomaly in the from field permits it to be structured to contain a recipient's address or, indeed, any address. This, of course, could facilitate business email compromise or other forms of fraud.

Dave Bittner: [0:07:12] Trend Micro is tracking the Outlaw criminal group, which is engaged in a renewed botnet campaign for cryptojacking, scanning and brute-forcing of credentials. It uses an Internet Relay Chat bot, that is, an IRC bot, to attack. Outlaw's initial goal appears to have been creation of infrastructure that could be used to mount distributed denial-of-service attacks. From there, they moved on to brute-forcing SSH to increase the botnet's size. And most recently, they moved on to cryptojacking.

Dave Bittner: [0:07:43] Fears of infrastructure attacks continue to surface, notably in the U.K.'s parliament, according to The Guardian. CNBC offers a rundown of cyber 9/11 possibilities - knocking out essential services, attacking financial systems in such a fashion as to cause a financial panic or altering data rather than simply deleting, stealing or rendering that data unavailable. So what does a nation do when it comes under such an attack? NATO has some ideas. The alliance said late last week that it would not itself, as an alliance, conduct offensive cyber operations. It would, however, as Luftwaffe Major General Wolfgang Renner, head of NATO's cyber operations center, put it last week, quote, "integrate sovereign cyberspace effects from the allies who are willing to volunteer," end quote. This may seem like a distinction without a difference. But the answer represents the relative immaturity of international norms in cyberspace and NATO's attempt to map the legal distinction between national initiatives and collective defense to the new domain.

Dave Bittner: [0:08:55] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated, online, comprehensive view of all the day's tech news. And now they also produce the Techmeme "Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, Techmeme "Ride Home" is the podcast for you. We're fans, and we think you'll like it, too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History" podcast. The "Ride Home" distills Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m. - great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the Techmeme "Ride Home" podcast. And we thank the Techmeme "Ride Home" podcast for sponsoring our show.

Dave Bittner: [0:10:03] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. And he also leads Unit 42, which is their threat intel group. Rick, it's great to have you back. You and I talk about the Cybersecurity Canon project, about the books that are recommended there. You've got a book you want to recommend for us this month.

Rick Howard: [0:10:23] Yeah. I've been running the Cybersecurity Canon project for the past five years. And for your listeners that don't know what it is, it's kind of a baseball hall of fame but only for cybersecurity books, OK? We have a committee of network defenders. These are CISOs and journalists, consultants and the like. They read the books and write book reviews that make the case that the book fits into one of three categories. First, this is a must-read by all cybersecurity professionals. Second is maybe it's not a must-read. But if you are interested in the topic, this is the book for it.

Rick Howard: [0:10:54] And most importantly, the third category is do not read, OK? - because if you decided that you were going to read a book this year to learn something new and you went to Amazon and looked for cybersecurity books, you would have some 2,000 books to choose from. How would you decide which one to read? So enter the Cybersecurity Canon project. After five years, we have 17 books in the hall of fame and roughly 70 books that are on the candidate list. And so this month, I thought I would highlight one of the hall of fame inductees from last year. It's called "Worm: The First Digital World War" by Mark Bowden. OK, and we inducted it into the hall of fame in 2018. Have you read this before, David?

Dave Bittner: [0:11:33] No, I have not.

Rick Howard: [0:11:34] All right. So "Worm" is the story of how the cybersecurity community came together to do battle with what seemed at the time to be the largest and most significant cyberthreat to date, the Conficker worm. All right. And back then, it was the time of the Estonian and Georgian distributed denial-of-service attacks. And the Conficker botnet was growing to be the largest DDoS delivery system ever created. So a white hat group of cyber uber-geeks formed what they called the Conficker Cabal, with a mission to stop the worm because most of the world could not even understand it, let alone do something about it.

Rick Howard: [0:12:09] Now, Mark Bowden, the author, he wrote - the reason I love him or - there are lots of reasons to like what he writes about. But he was the author of "Black Hawk Down," OK, a story of modern warfare. And among many other fabulous books, he wrote "The City of Hue" (ph) this past year about Vietnam. It was fantastic, but he also wrote the screenplay to the "Black Hawk Down" movie. All right. And so - but the thing about it, he is not a geek. All right. And he decided he was going to learn about cybersecurity, and he did a fantastic job. He accurately captures the essence of our cybersecurity community in times of crisis. And when we inducted him into the hall of fame last year, I got to interview him on camera. OK. And it was a dream come true. Sometimes I can't believe they pay me money to do this job.

Dave Bittner: [0:12:55] (Laughter).

Rick Howard: [0:13:05] It's fantastic. Bowden compares us all to cybersecurity superheroes, OK, like the X-Men of Marvel Comics fame because of what he sees as our superhuman ability to work with computers and our desire to help each other and to save the world. Let me read a small passage that demonstrates this notion. OK, this is from the book.

Rick Howard: [0:13:14] (Reading) What were superheroes after all but those with special powers? Marvel's creations were also invariably outsiders - not just special but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking wise, suspicious of authority, both governmental and corporate. They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the glaze. But out here in the cyberworld, they were nothing less than the anointed, the guardians, the special ones - not just the ones capable of seeing the threat that no one else could see but the only ones who can conceivably stop it.

Rick Howard: [0:13:50] I love that, OK, and I aspire to be that. I wish I could be all those things he mentioned in there. All right. But in the end, the Conficker Cabal failed. OK. To use a chess analogy, the Cabal maneuvered the Conficker worm hackers into a check by preventing it from receiving any new instructions. But they were unable to kill it completely or to put it into checkmate. Today it still rages on. It still doesn't do anything, but it continues to grow. Security professionals will learn nothing new in terms of technology and craft, but they will remember that scary time and how we were all very worried about 1 April 2009, the day that the world thought Conficker would come to life.

Rick Howard: [0:14:32] Newbies will get a lot out of this book, though. Bowden does a great job of simply and clearly explaining many of the key technical pieces that make the internet run. If you are new to the community, this book makes a great introduction. It is a cybersecurity hall of fame inductee. And all of us should've read it by now. But more importantly, how can you not like a book where the author favorably compares the cybersecurity community to the X-Men? OK. As Stan Lee likes to say, enough said.

Dave Bittner: [0:14:58] All right. Well, you make a compelling case for it. I will have to check it out. Our ongoing book club between you and me...

Rick Howard: [0:15:07] (Laughter).

Dave Bittner: [0:15:07] So as always, a good recommendation. Rick Howard, thanks for joining us.

Rick Howard: [0:15:11] Thank you, sir.

Dave Bittner: [0:15:17] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [0:15:32] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [0:15:45] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.

Dave Bittner: [0:16:00] And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [0:16:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.