The CyberWire Daily Podcast 3.1.19
Ep 791 | 3.1.19

Qbot spreads. Bug hunting makes a millionaire. US Cyber Command shows what “persistent engagement” looks like. Huawei agonistes. There’s no Momo, really.

Transcript

Dave Bittner: [00:00:03:13] Qbot infections are spreading. The bounty-hunting gig economy apparently has its first millionaire. Observers are liking what they see in US Cyber Command’s “persistent engagement.” Canada mulls the extradition of Huawei’s CFO to the US. The US continues to call Huawei a security risk, and Huawei has some things to say back. Dr. Dena Haritos Tsamitis from Carnegie Mellon joins us to talk culture and what she's looking forward to at next week's RSA conference. And the Momo Challenge is a viral online craze, but not the way you may have heard.

Dave Bittner: [00:00:44:13] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security. But what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7 365 security operation center support around the globe and over 300 security experts in house, Akamai surrounds and protects your users wherever they are. At the core, in the cloud, or at the edge. If you're going to RSA this year, visit Akamai in the North Hall, Booth 6153 to take part in their crack the code challenge for an opportunity to win a new 3D printer. Akamai, intelligent security starts at the edge. Learn more at Akamai, that's A-K-A-M-A-I dot com slash security. And we thank Akamai for sponsoring our show.

Dave Bittner: [00:01:52:18] The CyberWire podcast is made possible in part by RSA Conference, taking place March 4th through the 8th at the Moscone Center in San Francisco. The CyberWire is a proud media sponsor of RSA Conference where the world talks security. Learn more and register today at RSAConference.com/CyberWire19.

Dave Bittner: [00:02:14:08] From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 1st, 2019.

Dave Bittner: [00:02:22:19] Researchers at security firm Varonis are describing a major campaign to distribute Qbot banking malware. Qbot is polymorphic, and has evolved continuously since its discovery in 2009. Varonis says thousands of machines are now under Qbot's control. They've determined through observation of Qbot’s command-and-control server that infections have been found in Europe, Asia and South America, and that US corporations have come in for particular attention.

Dave Bittner: [00:02:53:18] Bug hunters may be viewed as the gig-economy portion of the cybersecurity sector. Both HackerOne and BugCrowd have reports out on the sub-sector, and they say, understandably, since they’re in the business, that the sector is a healthy one with bug hunters and bug bounty programs finding one another. One of the bug hunters associated with HackerOne has now earned more than a million dollars since he signed up with HackerOne in 2015. Santiago Lopez, 19 years old, self-taught, and a native of Argentina, earned his bounties by finding 1,670 unique bugs in various products. Congratulations to him. We wonder what Mr. Lopez’s success, however, in finding flaws in software written by or for some very wealthy companies says about compensation in that gig economy.

Dave Bittner: [00:03:44:16] US Cyber Command's action against Russian troll farms during the US midterm election cycle has been receiving generally favorable reviews, with the Atlantic Council’s Jason Healey offering a particularly enthusiastic one in Cipher Brief. It was, Healey says, a specific operation to stop a specific adversary from carrying out a particular operation. It wasn't deterrence and it wasn't signaling. It was, he writes, more like blocking a punch. An op-ed in Lawfare by Ben Buchanan sees the Cyber Command operation as giving some concrete form to what policymakers have called a strategy of “persistent engagement,” and “makes the case to policymakers that Cyber Command has something to offer.” Buchanan concludes by writing, quote, “In this sense, the operation might have more of a long-term impact in the United States than it did in Russia. Clarifying the art of the possible might be the operation’s real lasting success." End quote.

Dave Bittner: [00:04:45:13] Canada has just decided to proceed with an extradition hearing for Meng Wanzhou, Huawei's CFO. She’s currently being detained in Vancouver, where a Canadian court will decide whether she's to be extradited to the US where she will face charges related to money laundering and sanctions evasion. There’s been no decision yet, but observers think it fairly likely that she’ll eventually be turned over to American authorities.

Dave Bittner: [00:05:12:03] The US shows no disposition to relent on its view of Huawei as a security threat. Secretary of State Pompeo is in Manila, and he’s urging that the Philippines in particular, because after all he’s in Manila, and the world as a whole should keep its “eyes wide open” about the security problem having Chinese gear in their infrastructure presents.

Dave Bittner: [00:05:33:06] Huawei has been defending itself on two fronts, with a mixture of sharp and soothing words. First is the legal front. The company has entered pleas of not guilty to US charges of industrial espionage. And it’s also saying that CFO Meng did nuthin’, nuthin’ we tell ya. Second, in response to US and Australian insistence that its devices represent a security risk, it continues to deny vigorously that it effectively operates as an arm of Chinese intelligence services. The honeyed words come with the company’s expressions of willingness to submit to collaborative vetting of its hardware with governments, mostly in Europe and the Five Eyes, who wish to see such reassurance.

Dave Bittner: [00:06:15:09] The sharper words come, as they so often do, in the form of tu quoque. The you did it too, and you’re another, bounces off me and sticks to you, in this case comes courtesy of Huawei’s rotating chairman, Guo Ping. "What about all that US NSA and Cyber Command stuff we keep hearing about? Huh? What about that? You’re spying too!" He cites some of Mr. Snowden’s reports as the basis for his complaint, and goes so far as to point out that maybe the US Intelligence Community has its nose out of joint because Huawei won’t oblige them by putting US backdoors into its equipment. And besides, Chairman Guo says, all this US woofing is really about competition, not security. The Americans, he says, know they’re being out-competed, and they don’t like it. In his words, quote, “The global campaign against Huawei has little to do with security, and everything to do with America’s desire to suppress a rising technological competitor.” End quote.

Dave Bittner: [00:07:14:14] Finally, consider the Momo Challenge we’ve been hearing about, the one that’s supposed to be inducing teens, tweens, and even younger Internet users to harm themselves. It’s a real enough instance of a widespread, virally spread belief mania, but not in the way it seemed. Here’s the claim. There are embedded video clips, illustrated by the big-eyed, distorted face of “Momo,” that have been inserted into otherwise innocent YouTube videos. Those embedded clips are said to challenge young people to harm themselves in progressively more dangerous ways, up to the point of suicide. And they’re said to show them ways of carrying out their self-destruction. YouTube makes the right noises about taking children’s safety seriously, but says it can’t find any of the things people say they've found.

Dave Bittner: [00:08:03:01] The Washington Post, Naked Security, and others have been looking for the videos, and they can’t find them, either. Naked Security calls the Momo Challenge “a modern equivalent of a campfire-side horror story.” It was discussed last summer as a “haunted” WhatsApp account that featured Momo’s picture. It resurfaced in an English Facebook group a couple of weeks ago and rapidly entered public discourse over there as part of a larger discussion of content moderation fueled by Parliament’s release of a report on fake news. So there’s really no Momo challenge, and no one’s been able to find the victims who are said to have died taking it.

Dave Bittner: [00:08:43:14] The mania, then, isn't a viral craze to follow Momo, but a viral craze of fear that children are going to hurt themselves. Everyone can, we think, agree that suicide prevention is a serious and important matter. And who wouldn't want to protect children? But there are enough real things to worry about without the scary stories.

Dave Bittner: [00:09:02:20] So no Momo, and if you’re warned about it in your Facebook group or via the email list you're on, tell people there's no epidemic of meme-driven suicide. There's enough online foolishness without creating more of it.

Dave Bittner: [00:09:21:17] And now, a word from our sponsor, LookingGlass Cyber Solutions. Cyber threats are a risky business. Criminals are taking bigger risks than ever before to acquire your organization's sensitive data. As pressure increases, you need a partner to help manage and control your digital business risk. Slide into LookingGlass's booth, number 2327 in the South Hall at RSA Conference 2019 to hear how you can better manage your organization's risky business by leveraging their 20 plus years of investment and trade craft for an outside-in view of your security posture. Or step away from the hectic expo floor for a demo tailored to your business needs in the LookingGlass meeting suites at the Marriott Marquis. Reserve your demo and learn more about LookingGlass at RSA Conference, or visit their website LookingGlassCyber.com. That's LookingGlassCyber.com. And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:10:29:23] And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of Cyber Security at University of Bristol. Awais, it's great to have you back. We wanted to touch today on edge computing and some of the security challenges there. Can we start off with just a description? What are we talking about when we say, "edge computing?"

Professor Awais Rashid: [00:10:48:03] So edge computing, I suppose, is an extension of the Internet of Things world. We think of deploying a range of wireless sensors and actuators that can work in remote locations and provide all sorts of information back often through the cloud but equally may be able to impact the surrounding, surrounding environment. A good example of this would be, for example, in agricultural technologies where, you know, large scale farms can use it for, for crop management, for treatment against particular types of infections or particular types of insects or whatever. Another example would be, you know, remote monitoring of, say, large scale pipelines and, and so on and so forth. And some of these sensors can be very simple and not so powerful and others can have some more computational resource within them.

Dave Bittner: [00:11:38:21] And, and so what are some of the specific challenges here and how do you propose we address them?

Professor Awais Rashid: [00:11:45:02] Well, how long is a piece of string is the question. There are, there are a number of challenges, you know. And there are the usual issues that when you have low computation power devices, how do you actually ensure that they can have the level of security that you would want to implement on those devices. The big challenge, of course, comes as the remote nature of the sensors and actuators themselves because potentially attackers can have physical access to these devices because they cannot always be within a-- they, they will-- they're almost always never within a, a physically constrained environment. The other challenge, of course, is how do you actually trust the data that is coming from these devices. How do you actually demonstrate provenance of that data? How do you distinguish between what is an error due to just failure and an error due to malicious interference with the device?

Dave Bittner: [00:12:39:20] Yeah, that's really a fascinating element of this to me, the notion that you can have a, say, a remote sensor somewhere and if a hacker gets in there and causes it to send you false information about whether a valve is open or closed or something like that, well, that can be a potentially catastrophic problem.

Professor Awais Rashid: [00:12:58:03] Yeah, absolutely and the other challenge of course is that depending on how the systems are architected, you can potentially enter through some of those devices and then pivot onto the more back end systems in, in itself to move across to different parts of the system. I think the key here has to be that we have to have more effective mechanisms for, for provenance of these devices and the data that is coming from these devices. And then sitting underneath are all sorts of challenges of having, you know, effective access control models, effective, you know, cryptographic techniques, you know, low power cryptographic techniques as well as, you know, new types of, for example, intrusion detection and prevention systems that actually are potentially based on data provenance and, and ways to actually verify that provenance in the, in the first instance and authenticity of the device. So there is a range of challenges all the way from the underlying hardware all the way up to the stack to algorithms that may process data from that in order to detect intrusions and prevent intrusions.

Dave Bittner: [00:14:02:00] Yeah. No, it's an interesting challenge. Awais Rashid, thanks for joining us.

Dave Bittner: [00:14:10:06] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays it also means All Image or Anthropomorphised Incredibly. There's a serious reality under the hype but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms and like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit ThreatVector.Cylance.com and check out their report Security Using AI For Evil. That's ThreatVector.Cylance.com. We're happy to say that their products protect our systems here at the CyberWire and we thank Cylance for sponsoring our show.

Dave Bittner: [00:15:09:01] The CyberWire is proud to be a media sponsor of the 2019 RSA Conference taking place March 4th through the 8th at the Moscone Center in San Francisco. Today we welcome Dr. Dena Haritos Tsamitis, member of the 2019 RSA Conference Advisory Board and Director of the Information Networking Institute at Carnegie Mellon University.

Dr. Dena Haritos Tsamitis: [00:15:31:07] We've done a lot, so as Director of the Information Networking Institute, I've been Director since 2004 and I was Associate Director previously and when I first started, we only had 6% women in, in my graduate programs and it forced me to really look at what possibly could be the reason for that. So I looked into the research of my colleagues, Lenore Blum and Carol Frieze who are in the computer science department and they've found-- their findings suggest that culture plays a huge role in being able to attract women in particular to computer science and information technology programs. Based upon their recommendations, I took a look at our culture, addressed many of the cultural issues that I thought were perhaps barriers but also and very importantly, I was very proactive in building partnerships with organizations that are focused on attracting women, retaining women, developing women and under-represented minorities so that my students could engage with them.

Dr. Dena Haritos Tsamitis: [00:16:38:17] Through these partnerships I have established fellowships and scholarships for women and under-represented minorities. I've established mentoring programs, a number of initiatives to, again, not only attract women to the program and under-represented minorities but help retain them and develop them and nurture them and inspire them while they're students in my program and as they go on to the field, to later become leaders.

Dr. Dena Haritos Tsamitis: [00:17:07:07] The great thing that I've seen happen is that many of these alumni who've been a part of, of these partnership programs with organizations have gone on to the field and be leaders in the area. One important initiative that I created was Women@INI that we finally call WINI. It's an organization with a mission of helping attract, retain, nurture and inspire our students in the program but also to build this network that our students can have as they go onto the field and stay connected with the INI. And I've seen that the leaders of each class have taken the lessons that they've learned and the inspiration that they felt and they've gone on to create organizations and, and employer research groups in the organizations they serve. One student who graduated maybe 12 years ago went onto create such an organization in Apple.

Dave Bittner: [00:18:07:01] And how do you measure success? How's it been going?

Dr. Dena Haritos Tsamitis: [00:18:10:12] Well, it's been going well 'cause when I started in 2002, we had 6% women and our last incoming class was well over 40% women.

Dave Bittner: [00:18:20:01] Wow.

Dr. Dena Haritos Tsamitis: [00:18:20:20] We don't even look at retention rates because it's very rare for a student not to graduate who's entered the program. We, we've made a huge investment into our admissions criteria so we, we've been very successful on the fact of in selecting students, admitting students who will be successful on our program. We've done a lot, we, we've made a huge investment in developing this pipeline but there's more work to be done and I'm talking about graduate programs, pipeline into graduate programs that when we think about undergraduate students, you know, the pipeline is K through 12.

Dave Bittner: [00:19:01:05] I wanna switch gears a little bit and talk about the RSA Conference that's coming up next week. You are a member of the RSA Conference Advisory Board. I'm wondering what are you looking forward to with this week to come?

Dr. Dena Haritos Tsamitis: [00:19:14:21] Well, I'm looking forward to a number of initiatives that are going to take place. One in particular I am very invested in is the RSA Scholars Program. I think this was launched about five years ago and the RSA Scholars Program brings in students from across the country to present their research in a poster session to conference attendees. And in addition, these RSA Scholars have access to-- well, they get a free registration for the conference. Their travel is supported, their travel and accommodation, but they get to interact with the keynote speakers. They have VIP seating, they're invited to lunches and dinners with the speakers and it just gives them such an amazing access to the network, the cyber security network and exposure to a breadth of companies and organizations. It's a really special program.

Dr. Dena Haritos Tsamitis: [00:20:18:12] I've seen in these years since we've been involved, we were the first institution to get involved, how they've strengthened the program and ensured that the schools represented were diverse, the topics are diverse and it's really, I think, a, a gem there that I, I would love to create awareness about that-- you know, 'cause I'd like to see these students supported by conference attendees. You know, I encourage all the conference attendees to attend the poster presentation and get to know these students. You know, these are great students to hire. Universities can see them as prospective PhD students or graduate students so-- but they're, they're amazing talent with great potential and, like I said, I'm very proud of it and I'm very much looking forward to that. We have four students going this year.

Dr. Dena Haritos Tsamitis: [00:21:11:23] And then I've seen in the conference program a number of presentations that do focus on diversity and, and how to develop the pipeline. There's another session that talks about creating-- one of my good friends, Joyce Brocaglia as well as a colleague here from Carnegie Mellon University, Bobbie Stempfley are presenting on presentation techniques for women in the field. So there are a number of, of exciting topics that are integrated throughout the conference that are part of this diversity initiative that RSA has invested a lot of time and effort in and has received a lot of feedback from their advisory board on, so I'm really looking forward to see how it plays out and I'm sure that conference attendees will notice this, will take note.

Dave Bittner: [00:22:05:20] That's Dr Dena Haritos Tsamitis. She's Director of the Information Networking Institute and Founding Director of Education, Training and Outreach at CyLab, at Carnegie Mellon University. She's also an advisory board member of RSA Conference.

Dave Bittner: [00:22:25:05] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at ObserveIT.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire Editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.