The CyberWire Daily Podcast 2.14.19
Ep 781 | 2.14.19

Former Air Force counterintelligence specialist indicted on charges of spying for Iran. Where’s the stolen Equifax data? Two alleged Apophis Squad clowns indicted.


Dave Bittner: [0:00:03] U.S. prosecutors unseal the indictment of a former U.S. Air Force counterintelligence specialist on charges she conspired to commit espionage on behalf of Iran. The U.S. Treasury Department announces further sanctions on Iranian individuals and one organization named in that indictment. Two alleged members of Apophis Squad are indicted. And whatever became of all the data stolen from Equifax? That information's apparently not for sale on the dark web.

Dave Bittner: [0:00:37] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [0:01:33] The CyberWire podcast is made possible in part by RSA Conference taking place March 4 through the 8 at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference, where the world talks security. Learn more and register today at

Dave Bittner: [0:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 14, 2019. Today's news has a great deal to do with espionage. This time, the espionage in question is, according to the U.S. Departments of Justice and the Treasury, Iranian. The U.S. Department of Justice has unsealed an indictment against Monica E. Witt, now also known as Fatemah Zahra. She's a former U.S. Air Force technical sergeant who served as a counterintelligence specialist and Farsi linguist between 1997 and 2008.

Dave Bittner: [0:02:32] After leaving the Air Force in 2008, she continued to work as a government contractor, first briefly for Booz Allen Hamilton and then for around two years for Chenega Federal Systems. Before she defected to Iran in 2013, the Washington Post reports, the FBI warned her she was probably the target of recruitment by Iranian intelligence. And she promised to be careful if she returned to Iran and also promised not to give Iran classified material. The indictment charges, of course, that she did exactly that. Recruitment there was, according to the Justice Department. A quite public turn in sympathies was marked by her attendance of a New Horizons Organization conference in Iran on Hollywoodism, that is the depravity of American popular culture.

Dave Bittner: [0:03:20] The indictment alleges that after her defection, Ms. Witt created dossiers - target packages - for Iranian intelligence services on her former colleagues in counterintelligence, thereby contributing to the social engineering of U.S. security and intelligence personnel. The indictment indicates that there were six manners, ways and means of the conspiracy by which Ms. Witt is alleged to have committed espionage. She used her position as a special agent with the Air Force Office of Special Investigations to gain access to classified information. She traveled to Iran, where she identified herself as a U.S. military veteran. She met with members of Iran's Islamic Revolutionary Guard Corps and expressed a desire to defect to Iran. She provided her bona fides to the Revolutionary Guard to demonstrate that she was willing and able to pass them information that would interest them. She created target packages to enable the Iranian government to target U.S. counterintelligence agents.

Dave Bittner: [0:04:20] Finally, the indictment says, she provided U.S. national defense information to the Iranian government. Four Iranian nationals were also indicted. They're referred to collectively as the cyber conspirators because they acted against at least eight U.S. operators - counterintelligence agents - using various social engineering techniques to compromise them and gain access to their organizational networks. The social engineering techniques include spear phishing, fraudulent use of stolen identities and at least one catfish. These attempts seem to have been at least partially successful. All eight of the U.S. agents whom the cyber conspirators approached had, at one time, the Justice Department said in a public statement, worked or interacted with Monica Witt.

Dave Bittner: [0:05:07] The indictment is worth reading, not the least for the set of definitions it lays out at the beginning. Target package is worth a note. It means what you would think. A target package, according to the Air Force Office of Special Investigations, is, quote, "a document or set of documents assembled to enable an intelligence or military unit to find, fix, track and neutralize a threat," end quote. A human target package of the kind Ms. Witt is alleged to have prepared on her former colleagues includes not only the targeted person's official position but an analysis of personal vulnerabilities or other opportunities to exploit the individual and confirmation of the identity and location of the individual.

Dave Bittner: [0:05:47] It also recommends a neutralization plan, where neutralization might include apprehension, recruitment, cyber exploitation or capture-kill operations. In this case, the cyber conspirators are thought to have carried out such neutralization plans. This kind of social engineering is traditional espionage craft carried out in cyberspace. Needless to say, Ms. Witt is not in U.S. custody. She's probably still in Iran. Apparently, she was a volunteer, whose eagerness to serve put some Iranian intelligence officers on their guard, suspecting she herself might be used against them. But ultimately, they apparently decided that she was the genuine article - an ideologically motivated asset. In her frustration with Iranian slowness, Ms. Witt apparently considered going to either WikiLeaks or the Russians instead. But her heart appears to have been in Tehran. In a coordinated action, the U.S. Treasury Department announced sanctions against the four Iranians and the New Horizons Organization, a now-notorious front group of the Revolutionary Guard.

Dave Bittner: [0:06:55] Researchers at Nokia recently published the latest version of their threat intelligence report. Kevin McNamee is director of the Nokia Threat Intelligence Lab.

Kevin McNamee: [0:07:04] The main thing that we found in this report was the increase in IoT botnets - rogue IoT devices on the internet. These devices are being collected, gathered together and formed into botnets that can be used primarily for DDoS attacks. They are also used for credential stuffing. They're used for coin mining and also used for identity theft. To put it in perspective, the IoT bots themselves were responsible for about 78 percent of the actual network activity we detected in the networks where we're deployed.

Dave Bittner: [0:07:41] And so what does this indicate to you in terms of, you know, year over year trends and what we might expect this year?

Kevin McNamee: [0:07:47] In the upcoming year, I only would expect it to increase. We started to see this activity in 2016, 2017 with the outbreak of the Mirai botnet. And the Mirai source code was actually distributed on the network. It was given away publicly. And since then, we've seen an evolution of a number of - fairly large number of different IoT bots based on this Mirai source code.

Dave Bittner: [0:08:16] And what are you seeing in terms of effectively defending against these sorts of things? Have we grown in sophistication from that end of things?

Kevin McNamee: [0:08:24] Sadly no, not at the moment. But there's - certainly, there's a number of efforts by various - by the carriers themselves, by standards organizations to help solve this problem. The main issue with the IoT devices, of course, is they're on the network. And they're unprotected. These tend to be small devices. They don't have antivirus. They're not protected by firewalls. So if they are visible and - in other words, if they have a public internet IP address or they're accessible through a home router, it is possible to scan these devices. And they'll literally be infected - if they're vulnerable, they'll be infected in a matter of minutes on the internet itself.

Kevin McNamee: [0:09:04] So the key thing - one thing that protects them is if you can conceal their presence from the internet itself. If you're - got a home network, make sure you've put your home router correctly configured so they're not visible to the internet. And if you're on - you know, on a - sort of deployed on a mobile network, on a carrier network, then, again, the use of carrier-grade NAT or something like that - the service provider can provide some protection by making these devices less visible.

Dave Bittner: [0:09:31] Now, one of the things the report points out is that, you know, we expect to see 5G networks coming online throughout this year. And that could have an effect on the adoption of IoT devices there.

Kevin McNamee: [0:09:43] Yeah, that's correct. I think 5G, in general, from a security perspective, brings - it brings some very good, new developments to the security area. But it also creates a situation that can be, potentially, bad. The good stuff that's there is that the whole control plane is now encrypted and strongly authenticated, which is really good. They have introduced slicing, which provides network segregation, which is also very good. And, of course, the main benefits of 5G are the increased bandwidth and the ability to deploy these IoT devices.

Kevin McNamee: [0:10:15] But some of those things also bring a sort of a negative effect. For example, the fact that you've got more bandwidth and more IoT devices means that these botnets that we've seen, which are primarily used for DDoS attacks, have - going to get more bandwidth they can leverage in the DDoS attack. And they're going to be more visible when 5G comes along. So even something like slicing, if you put all your IoT devices in a particular network - 5G slice - it means that people - the attackers are going to know which - that's a good slice to attack because there's potentially vulnerable devices there.

Kevin McNamee: [0:10:48] The important thing is to make sure you treat IoT devices, the security, seriously. First of all, they should be securely configured and securely deployed. You have to be able to patch these devices and get security patches out to them right away. The communications and the authentication that you use has to be robust. And it has to be secure. A lot of the Mirai attacks are using default passwords to break into these things. That's, of course, crazy. You have to make sure that there's strong authentication and use digital certificates and stuff like that.

Kevin McNamee: [0:11:17] And I think the final thing is that these devices are relatively helpless on their own. They should be monitored for potential security violations, monitored for potential bad traffic. And I would say that the carrier - the network carriers, people that are building the networks - they should be able to detect rogue IoT devices and remove them from their network should that be required because these DDoS attacks can become quite severe.

Dave Bittner: [0:11:42] That's Kevin McNamee from Nokia. You can find their threat intelligence report on their website.

Dave Bittner: [0:11:49] Here's another bit of espionage news. Stolen PII usually turns up for sale in some dark web market, of course. That's the typical way criminals monetize their take. But curiously, that, apparently, hasn't happened with the data lost in 2017's big Equifax breach. The information's nowhere to be found. CNBC has been speaking with sources, who are convinced that a foreign intelligence service has the data and, indeed, that a foreign intelligence service was responsible for hacking it in the first place. It's, of course, possible that a common criminal stole the information and then decided it was too hot to fence. But that's looking increasingly unlikely. PII are, of course, useful in social engineering, that is in recruiting agents. Who might have been responsible is unknown.

Dave Bittner: [0:12:37] After all the creepy allegations and suspicions of espionage, it's almost with relief that we turn to more ordinary, squalid, motiveless cybercrime. And nobody does squalid and motiveless better than the creeps of Apophis Squad. We hope soon to be able to say did, putting them in the past tense. A leading alleged Apophis Squad skid, Mr. Timothy Dalton Vaughn, whose hacker names include HDGZero, WantedByFeds and Xavier Farbel, was indicted by the feds after his identity was compromised via a hacked gaming site. That an Apophis Squad member should be hoisted on his gaming petard seems almost too good to be true, but there you have it.

Dave Bittner: [0:13:18] One of his alleged confederates, Mr. George Duke-Cohan, was also indicted. Their alleged activities include swatting, DDoS, doxing, bomb threats, bogus 911 calls, phony reports of airliner hijackings - in short, the whole sad customary run of skid lulz (ph). There was a criminal commerce angle to some of their misbehavior. They are said to have advertised their services online. If you had a grudge against your high school, for example, for a small consideration, Mr. Vaughn and Duke-Cohan would allegedly shoot off a bomb threat to shake things up. Should they be found guilty - and, hey, they're entitled to the presumption of innocence - may their names be forgotten. May they be placed where they will do no further harm and, one hopes, where they will be rehabilitated.

Dave Bittner: [0:14:09] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [0:15:17] And joining me once again is Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. Malek, it's great to have you back. We wanted to touch today on security when it comes to containers and, specifically, some stuff you wanted to share about reducing the attack surface. What do you have for us today?

Malek Ben Salem: [0:15:36] Yeah. So this is research that we've conducted over the last year and that we've recently published at Black Hat Europe. And the research looked at public container images. We know that a lot of people use the existing public container images, which are full of vulnerabilities, unfortunately. These are container images that are available on Docker Hub, for instance. They're official Docker images that people reuse because, you know, they think they're the standard.

Malek Ben Salem: [0:16:10] The problem is that, as I mentioned, these have, potentially, thousands of vulnerabilities. So if you think about a container, a container, you know, runs or is supposed to run one single application. Just like Unix tools, containers should be atomic in nature. They perform one task. But they should perform it very efficiently, which means that a container should be developed to run just that one application that it needs to run. And only the required libraries, the required binaries, files and network protocols that are required to support that application should be part of the container. Now, this is not the case for the container images that we see out there. These images are used over and over by developers. And they contain vulnerabilities that get carried over to many new operational environments.

Malek Ben Salem: [0:17:07] So in our research, we've developed a tool that profiles the application running on each container. It identifies the subset of resources that are essential for that application to run correctly and to perform its normal operations. And the profiling is container-wide. It's very fine-grained, so it comes back with that subset of required libraries, binaries, et cetera. And it strips out - removes the other libraries that are not required for that application. What this does, eventually, then is that it removes all the vulnerabilities associated with those libraries that are not needed for that application. Therefore, it reduces the attack surface for these containers. So according to our study, we've been able to remove 50 to 70 percent of vulnerabilities for these containers - these container images that are out there without impacting the application's functionality.

Dave Bittner: [0:18:12] Now, help me understand. How have the available sort of, I guess, open-sourced containers - how have they strayed from that original intention for containers? - the simplicity that was supposed to be part of the initial design.

Malek Ben Salem: [0:18:28] Well, I guess, it's just - as we know, people like to reuse stuff. Developers are lazy. When they can reuse stuff, they don't bother to create a minimal image. There are some minimal images. There's a small base image layer called minideb, for instance, that is supposed to be used that's available on Docker Hub. It's a minimalist Debian-based image that's built specifically to be used as a base image for containers. You know, just - we know developers - I don't want to say lazy but just stayed off...

Dave Bittner: [0:19:05] Yeah, it's human nature.

Malek Ben Salem: [0:19:07] They take the easy way. So if...

Dave Bittner: [0:19:08] Right.

Malek Ben Salem: [0:19:09] ...There is a container that's already running the application they're looking for, they don't build one from scratch with this smaller or with this minimalist base image. They just reuse the available container that's running the application.

Dave Bittner: [0:19:27] But then the risk there is that that container has a lot of unnecessary stuff along for the ride that could present an unnecessarily large attack surface.

Malek Ben Salem: [0:19:36] Exactly.

Dave Bittner: [0:19:37] Yeah. All right. Well, it's interesting work you're up to there. As always, Malek Ben Salem, thanks for joining us.

Malek Ben Salem: [0:19:44] Thanks for having me, Dave.

Dave Bittner: [0:19:50] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.