The CyberWire Daily Podcast 1.2.19
Ep 751 | 1.2.19

Stop the presses—the presses were stopped by ransomware. Video security system found vulnerable to oversharing. Changes in US DoD leadership. An arrest in Moscow, a court ruling in Baltimore.

Transcript

Dave Bittner: [00:00:03] U.S. newspapers sustained a major cyberattack over the weekend, possibly ransomware, that disrupted printing. The attack is said to have originated overseas, but attribution so far is preliminary, murky and circumstantial. A home security video system is found to have hard-coded credentials. There are changes in U.S. defense leadership. An American is arrested in Moscow on espionage charges. And alleged NSA leaker Hal Martin wins one and loses two in court.

Dave Bittner: [00:00:39] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud and guided investigation workflows. All the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:42] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 2, 2019. Happy New Year, everybody. Great to have you back. Hope you got some rest over the holiday break. Over the weekend, print operations at several major U.S. newspapers were disrupted by a cyberattack. Saturday editions of the San Diego Union Tribune, The Baltimore Sun, The Chicago Tribune, The New York Times, The Wall Street Journal, the Los Angeles Times, the Annapolis Capital Gazette, the Hartford Courant, The New York Daily News, The South Florida Sun Sentinel and The Orlando Sentinel saw their editions delayed as the attacks on print plants affected production.

Dave Bittner: [00:02:23] The attack, which is believed to have involved a variant of Ryuk ransomware, targeted Tribune Publishing. But not all of the affected papers were Tribune properties. Tribune sold both the San Diego Union Tribune and The Los Angeles Times in 2018. But both papers still use Tribune Publishing's print plant. A number of the other affected papers, including The New York Times and The Wall Street Journal, contract to use Tribune printing services for at least portions of their press run, which is how they came to be affected. As The New York Times put it, they were collateral damage in the attack. Tribune Publishing stressed that no customer information was compromised in the incident.

Dave Bittner: [00:03:03] The first signs of the attack surfaced Thursday, were believed to have been contained by Friday but returned with considerable effect on Saturday. Sources in a position to know, according to The New York Times, said anonymously that, quote, "we believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information." Attribution remains murky, but the Los Angeles Times says the attack is believed to have originated outside the United States. Neither Tribune Publishing nor the affected papers have reported receiving ransom demands. But the incident seems consistent with a ransomware attack.

Dave Bittner: [00:03:41] Security companies KnowBe4 and Check Point have pointed out circumstantial similarities between this attack and operations of the North Korean government. The ransomware employed in the attack, Ryuk, is regarded as an evolved version of Hermes, a strain of malware previously attributed to Pyongyang's Lazarus group. For its part, security firm CrowdStrike thinks Eastern European criminals are the probable culprits. They point to some evidence that the attackers may have used TrickBot, which has surfaced in attacks against financial institutions, to deliver the malware.

Dave Bittner: [00:04:15] In any case, it's too early to come up with any definitive attribution, especially since criminal groups and espionage agencies show an increasing disposition to beg, borrow or steal one another's attack code. The security companies discussing several of the affected papers have said they found Ryuk in their systems, but so far that's as far as the evidence takes us. The U.S. Department of Homeland Security is investigating.

Dave Bittner: [00:04:42] With a new year ahead of us, there's no relief in sight to the talent shortages faced in the security industry. One approach to making the pool of potential candidates deeper is to look within your own organization and take a more human-centric approach. Steve Durbin is managing director of the ISF, the Information Security Forum, and he offers these thoughts.

Steve Durbin: [00:05:03] Pulling together the security workforce typically means you're going to have to go hunting in different parts of the organization - assuming you're a large corporation, of course - for people who have been doing bits and pieces of this over some while. And that is one of the challenges for corporations. How do we get this very much more high-level strategic perspective on our security workforce? How do we pull them together from the different parts of the organization that they are currently sitting in and get them all focused and in the same direction? I think it's about really playing to the strengths that exist in most large-scale organizations today.

Steve Durbin: [00:05:43] What I mean by that is it's about taking much more of a human-centric approach. It's about collaborating with your human resources function and taking advantage of some of those well-established HR practices to build out a diverse workforce of capable individuals that map across to the challenges that you're facing. And if we think about the way that perhaps security has traditionally gone about doing it, that perhaps is not the way that it's been done. So it is about really trying to identify the skill sets that are required, ride the wave out into the strategic period that you're working through, determining where you have those skill sets in your organization - they may be coming from the business.

Steve Durbin: [00:06:27] Very often when I talk to senior executives about how can they build out a sustainable security workforce, they are surprised when I say, well, don't just look in the technical area. Look in the business area. You know, if we're trying to put in place a security enablement to fuel cooperation, we need to understand how the business is working. And let's take some of those business people, put them into the security function. If we're trying to get awareness programs going, well, marketing, training, they're adept at doing that kind of thing. So let's involve them.

Steve Durbin: [00:06:57] So I think that, for a lot of organizations, it's about taking a much more holistic approach in the way in which they go about building out their security workforce and calling on some of the skill sets that they already have in the enterprise that are pretty well-suited to solving some of these challenges.

Dave Bittner: [00:07:15] And so how do you suppose you put together an environment that will attract those people from other parts of the organization, who may not be accustomed to the culture, the care and feeding of the cybersecurity workforce?

Steve Durbin: [00:07:28] Yeah, and I think there's a little bit - it depends on the organization here, Dave. But, you know, part of it is about perhaps overcoming some of the prejudice that might exist. I mean, there are some, you know, very well-embedded views - aren't there? - of what security is all about. It's very technical. It can be dull. They're the guys who tell us what we can't do. The reality of security in cyber, in particular today, is that it's a hugely fast moving, very dynamic environment - why? - because things are moving so very, very quickly.

Steve Durbin: [00:08:02] And I think that what we need to be doing in order to attract the right sorts of skill sets in there is to stop insisting on this host of specific technical skills. You know, you have to have a CISSP. You have to have a certain amount of experience and qualifications - because the reality is that that just eliminates a large portion of current prospective information security professionals who could very well have a key role to play.

Dave Bittner: [00:08:28] That's Steve Durbin. He's managing director of the ISF.

Dave Bittner: [00:08:33] Security firm Rapid7 has disclosed hard-coded credentials in Guardzilla home surveillance video systems. They contain a shared Amazon S3 credential for storing saved video data. This means, in effect, that all users of the Guardzilla all-in-one video security system could access one another's saved home video. Rapid7, which credits researchers at Zero-Day All Day with the discovery, recommends that users of the system not enable Guardzilla's cloud-based information storage.

Dave Bittner: [00:09:05] There are a few changes at senior levels of the U.S. Defense Department and intelligence community. Secretary of Defense Mattis is out, moved on earlier than the February exit his resignation letter had specified. He's been replaced on an acting basis by Patrick Shanahan, the deputy secretary. No permanent replacement has been named. Principal Assistant to the Secretary of Defense Dana White has also left the Pentagon, to be replaced on an acting basis by Charles E. Summers Jr.

Dave Bittner: [00:09:35] The National Geospatial Intelligence Agency, the NGIA, will also receive a new director in February, as Robert Cardillo, who's led the agency since 2014, will be succeeded by Rear Admiral Robert Sharp, currently head of naval intelligence.

Dave Bittner: [00:09:52] In Russia, a U.S. citizen has been arrested on suspicion of espionage. The FSB says that Paul Whelan, security lead for automotive parts manufacturer BorgWarner, will be charged with spying. Whelan was in Moscow for the wedding of a friend. Details of the case are sparse, and Whelan's family rejects the notion that he was spying. Observers speculate that the arrest represents retaliation for recent U.S. arrests of Russian nationals on espionage charges, especially the arrest of Maria Butina, who last month took a guilty plea in a U.S. spying beef.

Dave Bittner: [00:10:27] Alleged NSA leaker Hal Martin succeeded in having incriminating statements he made during a 2016 FBI raid on his house suppressed. He wasn't Mirandized. But physical evidence the bureau's special agents collected, including large quantities of classified materials squirreled away in Mr. Martin's Maryland residence, remains admissible. The failure to read him his rights seems curious. The government said it was a non-custodial interview and that Mr. Martin was free to leave at any time.

Dave Bittner: [00:10:57] But their having entered his house armed and announced by flash bangs and their having handcuffed him led U.S. District Judge Richard D. Bennett to conclude that the interview was custodial, as they say, and that the special agents should have Mirandized Mr. Martin no matter how otherwise friendly the interview may have grown over the hours they were together.

Dave Bittner: [00:11:19] Many observers have noted that the warrant to search Mr. Martin's property came in the wake of some ambiguous tweets he posted that could be read as having suggested he had secrets to offer. But, of course, Twitter is a notoriously low-context medium, and Mr. Martin's posts could be entirely innocent. He's charged with 20 counts of willful retention of national defense information. The former NSA contractor's trial is scheduled for this coming June 17.

Dave Bittner: [00:11:48] And finally, the Dark Overlords are said to be back. According to Motherboard, this time they're threatening to dox insurance companies to prove that the 9/11 terror attacks in New York, Virginia and Pennsylvania were put-up jobs by a bunch of conspirators - unless, of course, the insurance companies pay the Dark Overlords a ransom. Serious people will of course ignore the conspiracy nonsense and not pay the ransom. Of course, when the authorities finally get around to arresting the Dark Overlords, we hope they remember to read them their rights. We've seen that done on TV.

(SOUNDBITE OF "LAW & ORDER: SVU" SOUND EFFECT)

Dave Bittner: [00:12:29] Now a moment to tell you about our sponsor Attila Security. Attacks on the U.S. defense industrial base supply chain, otherwise known as DIBs, are one of the most pervasive cyber threats facing our nation today. DIBs are vulnerable for a variety of reasons, ranging from legacy software and systems to a corporate culture that values operations over IT security. Cybercriminals exploit these weaknesses and target their attacks on DIBs in order to gain access to government networks. Attila Security is tackling this threat head-on. Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any non-technical user. GoSilent is a firewall and VPN in one and turns unsecured data transmissions into top-secret-level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com. That's spelled A-T-T-I-L-A-S-E-C.com. And we thank Attila for sponsoring our show.

Dave Bittner: [00:13:53] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, it's great to have you back, as always. Interesting article from The Naked Security over on Sophos - this was written by Lisa Vaas. And they're asking the question, does wiping your iPhone count as destroying evidence? What's going on here?

Ben Yelin: [00:14:16] So this is a fascinating case. It was a young woman who was arrested in relation to a drive-by shooting. And the police at least suspected that there was some sort of valuable evidence on her iPhone. And while she was in police custody, the contents of her iPhone were completely erased. The reason I use the passive voice there is because she and her defense say that she is technologically illiterate and would have absolutely no idea how to erase the contents of her device.

Ben Yelin: [00:14:46] Now, I think it almost certainly is a crime to take some sort of affirmative action to delete the contents of your device because that is the equivalent of destroying evidence, which, of course, in and of itself, is a crime. And there are lots of ways technologically to delete the contents of your device. Using the Find My iPhone app, for example, as it relates to an iPhone, once that phone has been lost or stolen, you can press that kill switch, and it will delete all of that data.

Dave Bittner: [00:15:17] Right.

Ben Yelin: [00:15:17] Now, there's no proof that that happened in this case, although perhaps somebody who knew this suspect was looking out for her and was able to have maybe her password or Apple ID or whatever and logged in for her to erase this information. The more interesting hypothetical that this article presented is, what if there's some sort of technology - and it may or may not exist at this point - where the device would automatically detonate or delete all of its information after 24 hours if a person has not logged in?

Ben Yelin: [00:15:51] So it would contemplate a scenario where a person is afraid that their phone is going to get lost or stolen and that if for some reason they don't log in or enter their passcode within 24 hours, the presumption should be that it has been stolen, and therefore the device should erase itself.

Dave Bittner: [00:16:06] Right.

Ben Yelin: [00:16:07] In that hypothetical, a person would not have taken the affirmative step of deleting their information specifically to evade law enforcement or specifically to conceal evidence. And I think the standard is very different. The fact that an affirmative step at least allegedly took place here where somebody - whether it was the defendant herself or somebody she knew - pressed that kill switch, I think makes it different and makes it far more likely that the conviction would be upheld because she did destroy evidence. She did press that kill switch. But I think we're going to see cases in the future about that latter scenario.

Dave Bittner: [00:16:48] Yeah. And I've seen instances - I believe on the iPhone you can set it up where if you mis-enter a password a certain number of times, it will go into a wipe - you know, it will wipe the phone. But that requires action on behalf of the police or whoever's trying to get into it. So it's a little different there.

Ben Yelin: [00:17:05] Right. It is different because, again, this hypothetical we're talking about here is where no affirmative step is taken by anybody...

Dave Bittner: [00:17:12] Right.

Ben Yelin: [00:17:13] ...Whether it's law enforcement or the defendant. Presumably the defendant would set up this technology not in anticipation of concealing evidence but in anticipation of preventing people from gaining access to his or her information.

Dave Bittner: [00:17:25] Right.

Ben Yelin: [00:17:25] So it's a completely innocuous act that takes place outside the context of any sort of arrest or criminal prosecution.

Dave Bittner: [00:17:34] Yeah.

Ben Yelin: [00:17:34] And I think that's, you know, very different when we're talking about destroying evidence. And I think that that case is going to present itself. And in my opinion, I think there is a real distinction between pressing that kill switch after you've been arrested - after you know there might be evidence against you versus sort of mechanical, regular operation on behalf of your device that deletes information on some sort of circumstance, like you haven't logged into your phone within 24 hours.

Dave Bittner: [00:18:04] Now, do you suppose that law enforcement could make the case that you would be in some way obligated to inform them that this device is going to detonate if not logged into in a certain amount of time?

Ben Yelin: [00:18:15] I mean, that's an interesting question. I don't think necessarily it would ever be on law enforcement's mind. I mean, it's not going to be part of a Miranda warning where it says, if you have your device on auto lock, be sure to disable it. A person is in custody, so they're not going to have access to that device anyway, you know. And then we get into potential Fifth Amendment issues. What if you have that kill switch on? The government presents you with that device and says, turn off that kill switch. We want to maintain this information. Then you have to take an affirmative step to potentially incriminate yourself.

Dave Bittner: [00:18:51] Right.

Ben Yelin: [00:18:52] And the complications here are endless. But I think the question of destroying evidence is completely different if there hasn't been that affirmative step post arrest where the information has been deleted.

Dave Bittner: [00:19:06] All right. Ben Yelin, thanks for joining us. And that's the CyberWire.

Dave Bittner: [00:19:15] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.