The CyberWire Daily Podcast 4.8.19
Ep 817 | 4.8.19

US DHS Secretary Nielsen resigns. Credential stuffing campaigns. Cryptojacking disrupts a business. A duty of care, online. Tax season scams.


Dave Bittner: [00:00:00] Hey, everybody. It's Dave. You may have noticed that on our website,, we have picked up the pace when it comes to publishing transcripts of our shows. We want to thank our Patreon subscribers who help fund our transcription efforts to make the CyberWire an even more useful source of cybersecurity news and information. Do check it out. It's

Dave Bittner: [00:00:25] Leadership changes at the U.S. Department of Homeland Security; a look at credential stuffing; cryptojacking disrupts production at an optical equipment manufacturer. The British government moves toward establishing a duty of care that would impose new legal responsibilities on search engines, social media and others. Tax season scams grow more plausible, and some of them are aimed at rounding up money mules.

Dave Bittner: [00:00:55] And now a word from our sponsor ExtraHop, the enterprise cyberanalytics company delivering security from the inside out. Are login credentials compromised? Is that encrypted traffic malicious? Is an attacker accessing sensitive company data? Security teams need to answer questions like these every day. But without complete visibility inside your network, your investigation could take hours, or even weeks. And that's assuming you were able to detect potential threats in the first place. ExtraHop helps enterprise security teams rise above the noise of their complex attack surfaces with complete visibility, real-time threat detection powered by machine learning and guided investigations into late-stage attacks. Check out their interactive demo and be the blue team at That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:53] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 8, 2019. U.S. Secretary of Homeland Security Kirstjen Nielsen resigned yesterday. It's unclear who her successor will be. Her resignation letter said she had, quote, "determined it was the right time to step aside" and then cited her hope that her successor "will have the support of Congress and the courts in fixing the laws which have impeded our ability to fully secure America's borders and which have contributed to discord in our nation's discourse," end quote. The former secretary had been regarded as one of the administration's most senior officials with significant cybersecurity experience. And the Department of Homeland Security has, of course, become the government's lead civilian agency involved in the protection of cyberspace. It's thought likely there will be other changes in the Department of Homeland Security. Reports this afternoon indicated that the director of the Secret Service will also be departing.

Dave Bittner: [00:02:56] Security firm Akamai has released a study of credential-stuffing attacks. This easily scaled commodity form of attack especially affects media outlets, gaming companies and the entertainment sector. Looking back at 2018, Akamai says it observed hundreds of millions of credential-stuffing attacks every day. The barriers to entry are low, and there are even YouTube videos, Akamai notes, that offer how-to instructions for criminals wishing to enter the field.

Dave Bittner: [00:03:26] As an attack on optical equipment manufacturer Hoya shows, cryptojacking can disrupt production. The incident began at the beginning of March, when employee network credentials were compromised. The goal of the compromise was to enable the attackers to install coin-mining software in Hoya systems. They did so, noticeably slowing performance of some of the company's servers. The slowdown is said to have affected the ability to take orders and manage production at Hoya plants in Thailand.

Dave Bittner: [00:03:57] British ministers are introducing strict controls over online content. The Telegraph calls it a victory for the duty of care the paper has been calling for. The government says the proposed law's goal is the protection of children and other vulnerable people. The white paper the two responsible ministers issued explicitly cites the recent attack on a New Zealand mosque as an example of the kind of online virulence the regulations would help curb. The white paper would have Her Majesty’s government establish a statutory duty of care that would require companies to take more responsibility for the safety of their users and tackle harm caused by content or activity on their services. A regulator would be empowered to develop codes of practice that would inform compliance with the duty of care.

Dave Bittner: [00:04:45] And who would be legally responsible for this? The proposed statute would apply to companies that allow users to share or discover user-generated content or interact with each other online. That covers, as the authors acknowledge, a lot of ground - file-hosting sites, public discussion fora, messaging services, social media platforms and, of course, search engines. The white paper announces the government's commitment to an internet that's free, open and secure and to freedom of expression online. It aspires to an internet where companies keep their users safe and uncontaminated by criminal, terrorist and hostile foreign state activity. And it wants rules and norms for the internet that discourage harmful behavior. Achieving those together, as several commenters have observed, may be challenging.

Dave Bittner: [00:05:35] Consider the case of Facebook. It's been found that the social network not only hosted a thriving, active collection of criminal groups trading in a vigorous hood-to-hood market, but as Gizmodo points out, the social network's algorithms even made it easy for the crooks to find one another. Facebook notes correctly that the groups were, for years, in violation of its terms of service and has dismantled them. Now, it seems as much of a sure thing, and such things can be sure, that Facebook is not now and never has been interested in cultivating a criminal customer base, but a criminal customer base assembled itself on Facebook's platform. The moral seems to be that policing content to maintain an online environment that's both free and uncontaminated by various nastiness is by no means a trivial problem.

Dave Bittner: [00:06:25] It's tax season. Have you noticed? We have. And we noticed that, as usual, our finance desk has put off filing their 1040s until the weekend. And you and I, friends, aren't the only ones who've noticed that April 15 is approaching. The criminals have also taken cognizance of the deadline. Researchers at IBM's X-Force find that online criminals are redoubling their efforts as tax season enters its home stretch. The attackers are showing a propensity to impersonate major payroll and accounting firms, including Paychex and ADP. Emails that appear to be from those sources are, of course, likelier to be taken at face value than emails from, say, Leon's House of Tax Prep Bargains or Deductions R Us.

Dave Bittner: [00:07:09] And the quality of prose is better, too, according to X-Force. A lot of mass-market fraud is pretty implausible on the face of it, likely to fool the inexperienced and the unwary with come-ons like, agency of U.S. government is suspending your social security number, or maybe, is here your important tax form; open attachment now, now, now. That's not what X-Force is observing. Instead, they're seeing fairly well-crafted vectors for Trickbot malware, well-designed to steal banking information. Where businesses are targeted, X-Force thinks the goal is likely to be direct theft; where individuals are targeted, the researchers think interestingly that the crook's goal is to use the victims as money mules through whose accounts they can move ill-gotten cash obtained in other theft. So use email skeptically - don't let the crooks make a money mule out of you.

Dave Bittner: [00:08:01] And finally, we send our well-wishes for a speedy recovery to Andrew Kalat, co-host of the "Defensive Security" podcast. Andrew has been facing some unexpected medical issues, and we hope he gets well soon so he can get back behind that mic with co-host Jerry Bell.

Dave Bittner: [00:08:21] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:09:30] And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. Rick, it's great to have you back. Something that you are quite passionate about is the work that you do with The Cyber Threat Alliance, and we wanted to take some time today to highlight some of the successes you've had there.

Rick Howard: [00:09:46] Yeah. Thanks, Dave. Yeah, I want to take a moment and just kind of punch out the highlight reel because it is an important thing, and thanks for giving me the time to do that. And for those who don't know what it is, The Cyber Threat Alliance is an information-sharing organization for cybersecurity vendors. About five years ago, four of us - Palo Alto Networks, Symantec, Fortinet and Intel McAfee; that's back when Intel and McAfee were the same thing...

Dave Bittner: [00:10:10] (Laughter).

Rick Howard: [00:10:11] ...Got together and said, you know, every other commercial vertical has an intelligence-sharing organization - you know, organizations like the FS-ISAC for financials, the Automotive ISAC, the Aviation ISAC, the defense industrial base and a bunch of others. And members in all those sharing verticals are fierce competitors, so why is the security vendor community so unique that we can't share in order to support our mutual customers? The answer - it's not, right? So we got together to try to figure it out. We realized that all of us have the ability to update our own products with new prevention and detection controls, on the fly. And just an example, at Palo Alto Networks, when Unit 42 discovers some new bad-guy thing, we can convert that intelligence into multiple preventive controls, down the intrusion kill chain and deliver them to our 60,000 customers around the world in about five minutes. That is an amazing capability, and all the other security vendors have something similar.

Rick Howard: [00:11:08] The point is, with the alliance, when something new is found and shared, we can deliver prevention controls around the planet for every member in the organization in minutes to hours. This is orchestration at its best, executed by the security vendor community automatically so that our mutual customers don't have to manually deploy their prevention controls themselves.

Dave Bittner: [00:11:30] So this is a true community effort.

Rick Howard: [00:11:33] It really is. And it was a weird idea at the beginning, but more and more, people are - more security vendors are coming online and understanding what we're trying to do. So we've had new members added every year. And two years ago, The Cyber Threat Alliance became a nonprofit, and we gotten Michael Daniel - he was President Obama's former cyber czar - to be the president of the company. The original four security vendors, plus Cisco and Check Point, became the board members to it, and so we were off and running.

Rick Howard: [00:12:01] Now, this past year, 2018, we added seven additional members to bring the total to 21, and the other thing is they're not all U.S.-based - we have Radware from Israel, NEC from Japan. We're sharing about 75,000 indicators of compromise a day between members, and we are moving closer to sharing complete adversary playbooks. This is the idea of a STIX package that contains miner's attack techniques and all the associated indicators of compromise for very specific adversaries. So that's fantastic. The other great success story in 2018 - it just kind of happened organically - is that the members' willingness to share their independent research before going public. You know, all of us write blogs and, you know, announce really interesting things...

Dave Bittner: [00:12:47] Right.

Rick Howard: [00:12:47] So that we - and we can talk about it. So this happened for the first time this year with Cisco, when they released - they were getting ready to release their research on the VPN Filter problem; this is an attack against a bunch of home routers in the world.

Dave Bittner: [00:13:03] Right.

Rick Howard: [00:13:03] So Cisco got us all in a room and gave us the update to their research. A couple of days before they went public, we all went back and updated our products, and when Cisco finally published their research paper, all of us had protections in place before the world found out about it.

Dave Bittner: [00:13:20] Oh, interesting.

Rick Howard: [00:13:21] Yeah. So fantastic, right? So - and since then, The Cyber Threat Alliance members have executed some 20 other early sharing efforts from all the members, you know, whenever we come up with something interesting to talk about. So...

Dave Bittner: [00:13:34] So help me understand here - so it makes sure that everybody's ready with the defenses deployed when a public announcement is made, but I suppose there's also a certain element of peer review there as well?

Rick Howard: [00:13:45] Peer review, yeah. Then we can always add on to say, hey, did you think about this? Did you get that right?

Dave Bittner: [00:13:49] Right.

Rick Howard: [00:13:50] You know, so yeah, it's kind of a check. And these are the smartest cybersecurity intelligence people on the planet, all sharing threat intelligence to the other to make sure that the story is correct. I mean, it's a fantastic mechanism, and that just kind of grew out organically. So we're pretty happy about that.

Dave Bittner: [00:14:05] Yeah, terrific.

Rick Howard: [00:14:06] So that's the highlight reel. OK, the bottom line to all your listeners is this - please tell your vendors to join, tell them to call me, and we'll get them hooked up.

Dave Bittner: [00:14:14] (Laughter) All right. Fair enough. Well, as always, Rick Howard, thanks for joining us. Thanks for the update.

Rick Howard: [00:14:19] Thank you, sir.

Dave Bittner: [00:14:24] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at

Dave Bittner: [00:14:31] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:14:43] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:15:11] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.