The CyberWire Daily Podcast 3.25.19
Ep 807 | 3.25.19

Mueller finds no evidence of Russia collusion. ISIS no longer holds any ground. LockerGoga hits chemical plants. FEMA fumbles PII. Facial recognition. Cyber 9/12. PewDiePie versus T-Series.


Dave Bittner: [00:00:04:10] The US Attorney General has reported to Congress the results of Special Counsel Mueller's investigation. ISIS no longer holds any ground. Expect it back in cyberspace. LockerGoga ransomware hits two chemical plants. FEMA mishandles more than two million disaster victim's PII. Notes on Cyber 9/12 and there's a squabble for YouTube subscribers.

Dave Bittner: [00:00:35:08] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire time, ThreatConnect's intelligence driven security operations platform is the only solution available today, with intelligence, automation, analytics and workflows in a single platform.

Dave Bittner: [00:00:52:11] Every day, organizations worldwide use ThreatConnect as the center of their security operations; to detect, respond, re-mediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team.

Dave Bittner: [00:01:12:02] If you want to learn more, check out their newest ebook SOAR Platforms; everything you need to know about security, orchestration, automation and response. The book talks about intelligence driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:46:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday March 25th, 2019.

Dave Bittner: [00:01:54:14] Special Counsel Robert Mueller closed his probe of Russian election medaling with a report to the US Attorney General on Friday. Sunday afternoon, Reuters tweeted that Attorney General Barr informed Congress that the investigation found no knowing collusion between the Trump campaign and Russian actors.

Dave Bittner: [00:02:12:01] The Attorney General's letter to the Senate and House Judiciary Committees summarized the investigation into Russian influence operations. Those operations followed two broad directions of attack, trolling from Russia's Internet Research Agency and attacks on democratic party networks. In these matters, the Special Counsel found that neither "The Trump campaign or anyone associated with it conspired or coordinated with Russia in its efforts to influence the 2016 US Presidential Election."

Dave Bittner: [00:02:44:03] Special Counsel Mueller declined to make a recommendation on obstruction of justice, where the evidence is complicated and indistinct and the Attorney General sees nothing to warrant charges. As the letter continues, "after reviewing the Special Counsel's final report on these issues, consulting with department officials, including the Office of Legal Counsel and applying the principles of federal prosecution that guide our charging decisions, Deputy Attorney General Rod Rosenstein and I have concluded that the evidence developed during the Special Counsel's investigation is not sufficient to establish that the President committed an obstruction of justice offense.

Dave Bittner: [00:00:00:00] Our determination was made without regard to and is not based on the constitutional considerations that surround the indictment and criminal prosecution of a sitting President.

Dave Bittner: [00:03:34:03] The Special Counsel will not recommend any further indictments. The full text of the Mueller Report is expected to be released after the Justice Department reviews it, to redact any information the Federal Rule of Criminal Procedure procludes the department from disclosing.

Dave Bittner: [00:03:50:19] ISIS and its caliphate now officially controls no territory, having been ejected from its last enclaves in Syria. Its leader, Abu Bakr al-Baghdadi remains at large, or at least unaccounted for, so does much of the terrorist group's money. Its adherence intend to continue Jihad through the Dar al-harb; which is where most of you listeners reside. ISIS has shown small capability to conduct cyber attacks properly considered, but it has been and can be expected to remain active online, with inspiration and recruitment.

Dave Bittner: [00:04:27:05] Kaspersky Lab reports that Asus laptops were infected with malware via the company's automatic updating system. Kaspersky calls the campaign Operation ShadowHammer. There's no attribution yet and Asus hasn't commented publicly, but Kaspersky says, they've notified the Taiwan based manufacturer and that Asus is working on the problem.

Dave Bittner: [00:04:48:21] Operation ShadowHammer appears to have been conducted between June and November of last year and may have affected 51,000 users.

Dave Bittner: [00:04:58:17] The LockerGoga ransomware that afflicted Norsk Hydro has hit two US chemical companies, Hexion and Momentiv. This brings to four the number of known victims of LockerGoga. The first was Altran, the French engineering consultancy hit in January and the second was Norsk Hydro, best known for aluminum production, which sustained a LockerGoga infection earlier this month. Norsk Hydro has largely completed its recovery and both Hexion and Momentiv have theirs underway.

Dave Bittner: [00:05:32:07] On Friday, the US Federal Emergency Management Agency, FEMA, acknowledge improperly disclosing disaster victims' personally identifiable information to an unauthorized third party. The people affected were victims of 2017's California wildfires and of hurricanes Harvey, Irma and Maria.

Dave Bittner: [00:05:51:04] Some two point three million people's data were exposed in what the Washington Post calls the biggest data breach to occur under the current administration. It's not clear whether any crimes have been committed on the basis of the lost data, but if nothing else, the incident will test the government's express determination to hold officials responsible for mishandling data. FEMA has declined to name the contractor with who it over shared.

Dave Bittner: [00:06:17:23] The PCI Software Security Counsel recently published a new software security framework; including the PCI Secure Software Standard and the PCI Secure Software Life Cycle. Rohit Sethi is Chief Operating Officer at Security Compass and he shares his thoughts on what it all means.

Rohit Sethi: [00:06:36:16] It is much more in depth on the requirements for people producing software, to make sure that software is secure. Now, at this point, it's just the standards, there is no program around it, meaning, there isn't anything rolled out yet that says when it's going to be mandatory for specific participants in the payment ecosystem, but we expect that to happen later this year.

Rohit Sethi: [00:06:59:08] I think there's two ways to think about this. There's one from the standard itself. For example, if you're a payment application vendor, you know, what will happen is that, instead of having to go through the standard PA-DSS process, you'll eventually be moving to the software security standard and the two will eventually be rolled into one.

Rohit Sethi: [00:07:24:01] Practically, what that means is, there's going to be a degree of scrutiny in the way that you produce software and how secure that software is, that we haven't really seen from other compliance mandates before.

Rohit Sethi: [00:07:36:23] There's actually two standard, one is the software security standard and one is the secure life cycle standard. The software security standard is, again, a more in depth standard on a special release of software; but one of the things that PCI recognized early on is that, as people are moving to agile and DevOps development, it's simply not feasible to necessarily have every release of software go through the certification process and still remain nimble and agile and user modern software development processes.

Rohit Sethi: [00:08:10:04] They've introduced this concept of a secure life cycle standard, so that, instead of having every single release certified, when organizations are sometimes shipping multiple releases in a day, you can periodically get the software itself certified and then, you have the development process around it certified, then essentially it allows you to release more frequently, without going through the same in depth analysis for every single individual release.

Rohit Sethi: [00:08:39:10] You know, if you're somebody who produces software in the payment ecosystem and specifically payment vendors, you're going to have to, at some point, comply with this standard. There are thoughts about how this might apply to other participants in the ecosystem and, at this point, it doesn't necessarily apply to people who have to comply with the PCI-DSS. That's the common one I think we mostly think of, when we hear PCI, which is a data security standard.

Rohit Sethi: [00:09:07:21] But, as you know, in the PCI-DSS standard, there is actually a section on application security today and, you know, it's possible that at some point in the future, elements of the software security standard could find their way there. A lot of it will depend on how it rolls out and how it's received in industry.

Rohit Sethi: [00:09:28:03] The other, I think, bigger impact, if you will, is, I believe they're setting a precedent and if you look at the OWASP top ten, Open Web Application Security Project top ten, that was a standard that was developed many, many years ago. In 2006, the PCI Data Security Standard, I guess you could say, made OWASP's top ten popular; people learned about this idea that there are ten really common application security risks.

Rohit Sethi: [00:09:58:19] What happened was, after PCI adopted it, I wouldn't say every single other standard followed PCI, but there are something like 30 different standards today that all reference the OWASP top ten.

Rohit Sethi: [00:10:14:10] PCI has this, I guess you could say, reputation of being kind of the leader from the compliance standpoint and so, what we believe is, PCI is stepping up the scrutiny that we're seeing on payment applications, the payment providers, by way of software security, that is largely absent from the entire rest of industry, with the exception of a handful of pockets in, let's say, defense and large banks. Most industries do not have any mandates to produce secure software, they have other security mandates, but they don't have to build security into the development process.

Rohit Sethi: [00:10:52:20] I think it'll be hard for things like, say, industrial Internet of things providers and automotive manufacturers and telecom and other parts of infrastructure, that are really critical to really justify that they don't also make sure the products are very robust and secure, in the same way as payments are doing today. We feel like PCI is setting a precedent and other industries are going to follow suit.

Dave Bittner: [00:11:23:11] That's Rohit Sethi from Security Compass.

Dave Bittner: [00:11:28:11] We were able to spend last Thursday and Friday in Crystal City, Virginia, observing the Atlantic Council's Cyber 9/12 Strategy Challenge. The competition challenged teams of students to develop policy response recommendations for the US President. The scenario was a tabletop exercise with well crafted ancillary material. It presented the competing teams with an evolving situation, designed to capture much of the ambiguity crises carry.

Dave Bittner: [00:11:55:12] Congratulations to the two winning teams and their coaches, NDU Team Three of the US National Defense University won the professional track and the US Air Force Academy's team Delongrand took top honors in the student tracks. Congratulations to the other participants as well, the ones we observed, represented themselves and their home institutions with credit.

Dave Bittner: [00:12:18:19] We won't go into details about the scenario, because we don't want a reputation of the Orson Welles War of the Worlds moment we had the last time we did so, but we will say that the scenario featured several superficially, or perhaps coincidentally related incidents. In any case, the exercise was, for the most part, conducted under the Chatham House rules and will honor the conventions of non-attribution by confining ourselves to general observations.

Dave Bittner: [00:12:46:22] It was striking how difficult the teams found it to acknowledge and accommodate conditions of uncertainty. The exercise materials intentionally left a great deal in doubt and most of the teams tended, in their recommendations, to be more confident in their understanding of the evolving situation than the evidence wanted. The teams also tended to perceive connections on disparate events, where in fact no such connection existed and were nothing beyond.

Dave Bittner: [00:13:13:23] Simple correlation, similarity, coincidence and so forth led many to conclude that the scenario painted a picture of a large scale coordinated cyber attack by a hostile nation state. One of the harder lessons to learn is skepticism about our tendency as humans to perceive noise as signal.

Dave Bittner: [00:13:32:20] In the presentations themselves, some of the teams drifted away from considering their audience. A decision briefing is prepared for a particular decision maker and its goal is to inform the decision not to display the briefer's command of their material.

Dave Bittner: [00:13:48:09] One other lesson was drawn by a student we had occasion to speak with. Policy is a lot harder and more complex than technical people tend to think it is.

Dave Bittner: [00:13:57:22] Another interesting exercise by the Atlantic Council, a very good and intelligent effort by all who competed.

Dave Bittner: [00:14:06:10] Finally, ransomware motivated by fandom flares in the fight for the top rank in YouTube. It's between T-Series and, of course, PewDiePie. Mr Pie's adherents have been distributing PewDiePie ransomware, regarded as a poor copy of ShellLocker and, more recently and dangerously, pewCrypt, both with a view to forcing victims to subscribe to Mr Pie's channel. There is no particular reason to think that Mr Pie is orchestrating his fans' hacks; but, on the other hand, it must be said that YouTube stars, as we've come to call them, hardly offer the most edifying of examples. Stay in school, kids.

Dave Bittner: [00:14:55:16] Now a word from our sponsor at KnowBe4. Email is still the number one attack vector the bad guys use, with a whopping 91% of cyber attacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization with an on demand webinar by Roger A. Grimes, KnowBe4's Data Driven Defense Evangelist. Roger walks you through ten incredible ways you can be hacked by email and how to stop the bad guys and he also shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick.

Dave Bittner: [00:15:29:00] Check out the ten incredible ways, including, how silent malware launch, remote password hash capture and rogue rules work. Why rogue documents establishing fake relationships and comprising a user's ethics are so effective. Details behind click jacking and web beacons and how to defend against all of these. Go to to watch the webinar and we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:16:15:06] Joining me once again is Robert M. Lee, he is the CEO at Dragos. Rob, it's always great to have you back. You all at Dragos recently made an announcement, a purchase, that's going to benefit a lot of people. What's going on here?

Robert M. Lee: [00:16:29:21] Yes, absolutely. Our company's a technology company in the ICS or industrial security space. There's a lot of people that want to get started in ICS security, but it may not be really attainable, or there are a lot of companies that want to dip their toe into doing something, but it's very difficult, I think, to go from we're not doing anything today to, hey, we're rolling out an industry security program.

Robert M. Lee: [00:16:50:18] One of the early companies in this space was a company called NexDefense. They had a technology that used to be called Sophia and then got re-branded as Integrity. It was a continuous monitoring for the purpose of asset identification tool, one of the first passive asset identification tools in the industrial security community. It came out of Idaho National Labs and then, of course, NexDefense built a company around it.

Robert M. Lee: [00:16:55:21] We announced that we had purchased NexDefense and so we got access to their product and we bought out the company. By purchasing NexDefense, it allows us to have access to their product as well, which is Integrity and then a legacy product that we actually had, which was an assessment tool called Cyberlens and had been used in the community for a long time. We've taken Cyberlens, the assessment tool and Integrity, which is more of a fully professional, continuous monitoring asset identification tool and we're just making it free to the community.

Robert M. Lee: [00:17:40:02] Essentially, if you're in the community, you're welcome to download them for free. They're really meant to help people get a handle on asset identification, or at least a starting place; not a full feature asset identification tool. Obviously we're a company, it's a hey, if you really want a professional tool, that's going to help you do this long term, as well as threat detection response and everything else, sure, go buy our product. But, hey, for the rest of the community, as a starting place and especially for the smaller players, just, here's a tool to go get started.

Robert M. Lee: [00:18:09:10] I think, something that we can all agree on is the industrial community is special and we all care that we keep the lights on and the water going and similar, so, one of the cool things about running a company that's trying to give back to the community; so, you know, have the tools, have fun, if you need more, obviously come and contact us. But it's mainly a, well we hope this helps the community some.

Dave Bittner: [00:18:32:13] Alright. Well Robert M. Lee, thanks for joining us.

Dave Bittner: [00:18:39:14] That's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible; especially our supporting sponsor, ObserveIT; the leading insider threat management platform. Learn more at

Dave Bittner: [00:18:52:04] The CyberWire podcast is proudly produced in Maryland, out of the start-up studios of DataTribe; where they're co-building the next generation of cyber security teams and technology. I want to give a special shout out to the newest member of our CyberWire team, Tim Nodar. Tim joins us as a Staff Writer and we're excited to be sharing his contributions with all of you; so welcome aboard Tim. Our CyberWire Editor is John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.