The CyberWire Daily Podcast 5.22.19
Ep 849 | 5.22.19

Fancy Bear fingered, again. Warnings for travelers. Political parties get a cybersecurity grade. Updates on US restrictions on Chinese companies.
Dave Bittner: [00:00:03] Fancy Bear's latest campaign is using malware reported to VirusTotal by U.S. Cyber Command. IBM's X-Force looks at cybersecurity for travelers and shares a bunch of horror stories. SecurityScorecard looks at the online security of political parties in the U.S. and Europe. Some are better than others, but all could use some help. Updates on Huawei and other Chinese companies facing U.S. sanctions. And if you're listening to this in the U.S., you may believe you know more than, in fact, you do.

Dave Bittner: [00:00:39] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours, or even weeks, and that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at, or be the blue team in the interactive demo. That's And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 22, 2019.

Dave Bittner: [00:01:43] Fancy Bear, Russia's GRU, is actively exploiting malware U.S. Cyber Command reported to VirusTotal last week. CyberScoop says many found the warning useful and welcomed Cyber Com's heads-up. Kaspersky Lab and Check Point's ZoneAlarm have been tracking the attacks and say that the malware in use looks like the XTunnel tool Fancy Bear used against the U.S. Democratic National Committee in early 2016. The malware comes in a big and noisy package, a bit more than 3 megabytes in size.

Dave Bittner: [00:02:16] U.S. Cyber Command did not attribute the malware to a Russian intelligence service or, indeed, to any other threat actor, but lots of other people have. And in general, Cyber Command has enjoyed good notices for posting the malware to VirusTotal. Forewarned is, or at least can be, forearmed. And some hope that such reporting might serve a useful deterrent purpose.

Dave Bittner: [00:02:39] An IBM X-Force study of cybersecurity for travelers features a flurry of make-your-flesh-creep tales that amount to a cyberspace version of Gahan Wilson's classic "Paranoid Abroad." You know, the old cartoon series where the paranoid orders the national dish in some foreign land and is served rats in white cream sauce, or where rude stevedores defile the paranoid's luggage.

Dave Bittner: [00:03:02] Anywho, vacation season approaches, and so people are reading the X-Force piece and considering where they might safely travel. Forbes takes away the lesson that you'd have to be out of your mind to use an airport USB charging station, and also the lesson that criminals are in avid pursuit of your travel reward points - airline miles, hotel loyalty points - any of that stuff. So where might you safely travel? Well, the joke's on you, traveler - apparently, nowhere. Thanks, IBM. We'll take a staycation this year.

Dave Bittner: [00:03:35] But actually, Big Blue does have some practical tips for both businesses and holiday travelers. First, keep an eye on your loyalty rewards. They're easy for criminals to monetize, so watch for any use that you can't quite account for. Second, do choose your Wi-Fi with caution. Setting up a Wi-Fi network in a public place is easy for criminals to accomplish, and even legitimate Wi-Fi services are easy enough to compromise for eavesdropping. Consider using a VPN. Third, those helpful USB charging stations around airports and similar transit points - they can be easily finagled to download your data or install malware on a device. IBM suggests carrying your own spare battery pack. And if you must charge, use a traditional wall plug. Fourth, turn off any connectivity you don't need. If you don't need Bluetooth, for example, turn it off. Fifth, remember that your physical spoor can also be useful to bad actors, so shred tickets, boarding passes, luggage tags and so forth. Don't just chuck them in the trash intact. Finally, don't use debit cards in dodgy places. That is, don't use them at establishments that may not have good point-of-sale protections. Mom and Pop may be as honest as the day is long, but who knows what's lurking in their card reader? And if you use an ATM, find one in a relatively well-observed location, like a bank or the interior of an airport, not one out back of Leon's House of Tire Chains.

Dave Bittner: [00:05:05] Cyber risk analytics and vulnerability assessment firm Risk Based Security recently published their Q1 data breach report. Inga Goddijn is executive vice president at Risk Based Security, and she joins us to share their findings.

Inga Goddijn: [00:05:20] One of my biggest takeaways is that despite all of the effort and all of the resources that have been dedicated to protecting our systems, protecting our most valuable data, we're still losing the fight, I think. You know, we're still losing a lot of sensitive information, really at an alarming rate. You know, we hit a new high for Q1 of 2019, the most disclosed breach events for a first quarter since we've been tracking such events. So it's a little unsettling to see that we continuously have more and more breaches happening.

Inga Goddijn: [00:06:00] What I'd like to also share is that, you know, one of my other observations that I take away from the report is that, you know, as much as we like to focus on things like, you know, the ever-changing threat landscape, which is important because, you know, hackers do change their methods quite a bit, I think what I see quarter after quarter, year after year is that, really, the tried-and-true methods for getting at sensitive information just keep happening over and over again, right? You know, if we can phish a user, if we can get him to give up some credentials, that's going to get us access into his system. And we can poke around, maneuver around, escalate from there, see what we can get. And we just - we see these same patterns repeating, you know, month after month, year after year. So you know, I think the fundamentals still apply (laughter) is one of my biggest takeaways.

Dave Bittner: [00:06:58] Yeah.

Inga Goddijn: [00:06:58] You know, from our perspective, when we look at, you know, the broad strokes of what's happening breach-wise and security-wise, really, taking a step back from the weeds and really thinking about, what are my most likely threats to the risks that I have, where am I vulnerable and what's most likely to cause me pain, and working your processes around what's really, truly your highest risks - that's what's going to produce the best results for you in the long run, the best security outcomes for you in the long run.

Dave Bittner: [00:07:34] Do you find that there are some common misperceptions or things that folks don't think to ask about?

Inga Goddijn: [00:07:40] The first question that I think most buyers ask is, what does this cover? And I would almost flip that on its head and ask, all right, I see that you're covering X, Y and Z. Under what circumstances does that not apply? When might that insurance policy not respond to a specific situation? So I think that can shed a little more light on the pros and cons of the individual policies being evaluated.

Dave Bittner: [00:08:08] Yeah. It's interesting 'cause it strikes me that, you know, insurance is part of the spectrum of defenses that you have for your organization of managing risk and dialing it in. You know, you have technical solutions. You have things with personnel, with training and so forth. But, you know, this is another tool that you have at your disposal to make sure you're protecting your assets.

Inga Goddijn: [00:08:32] Oh, absolutely. And it is a phenomenal tool. I am a big believer in working an insurance policy, a cyber insurance policy, into that whole risk management mix because it really does bring a lot of value to offsetting the financial losses that can come along with a data security event.

Inga Goddijn: [00:08:55] And it covers - the policies can cover everything from that immediate out-of-pocket expense about, oh, gosh, I need to pay for a forensic investigator. I need to set up credit monitoring for the impacted individuals. I need to, you know, comply with all these different state reporting requirements. You know, the insurance policy can step in immediately and start to help pay for the hard costs of that immediate response. And it can travel with you throughout the life cycle of that breach event, all the way through to its resolution, even, you know, ending up with - if you have lost income, it's a key component of managing the financial downside.

Inga Goddijn: [00:09:38] I do think it's important to put it in perspective, though. And what the insurance policy does is manage that financial downside. There's a lot of other downside that can come along with a breach event that the insurance policy is really not equipped or there to handle or respond to. And, you know, that's going to be things like your reputation in the industry, you know, shaken customer confidence. Maybe your revenues fall because new customers aren't coming on board or new clients aren't signing up with your service. So there are boundaries there for what a policy can do for you, but what it provides is much greater than what it doesn't.

Dave Bittner: [00:10:18] That's Inga Goddijn from Risk Based Security. They just published their Q1 data breach report.

Dave Bittner: [00:10:27] SecurityScorecard has a review of major U.S. and European political parties' cybersecurity posture. There's room for improvement across the board, but for some reason, the U.S. Democrats continue to present hackers with low-hanging fruit. In any case, they lag the Republicans in security preparation. But at least they score higher than the Libertarians, which might surprise some.

Dave Bittner: [00:10:49] Considered nation by nation, French political parties came with the lowest overall scores and also led the race to the bottom in application security and DNS health. Poland ranked at the bottom in network security. And Spain brought up the rear in patching cadence. Who did well? Swedish political parties did - tops overall and best in show for application security, DNS health and patching cadence.

Dave Bittner: [00:11:15] Huawei has a temporary, 90-day reprieve from some of the consequences of its placement on the U.S. Entity List. But U.S. officials suggest that neither the company nor the Chinese government should misread this as a sign of softening. Commerce Secretary Ross says it's just breathing space to give U.S. firms an opportunity to make alternative arrangements.

Dave Bittner: [00:11:36] Other Chinese companies may be in line for the Huawei treatment. The Verge suggests drone-maker DJI is likely to come under a lot of scrutiny for the way its flying machines report back to China. The New York Times thinks surveillance vendor Hikvision could be next. In Hikvision's case, the primary issues involve concerns about human rights. The Chinese government is believed to be making heavy use of Hikvision cameras for surveillance and attendant repression of the country's Muslim Uighur minority. Hikvision has said it takes U.S. rights concerns very seriously.

Dave Bittner: [00:12:11] And finally, in dog-bites-man news, a Google-Harris Poll survey shows that Americans think they know a lot more about online security than, in fact, they do. We'll refrain from saying that our brothers and sisters over here in the Great Republic think that about roughly any topic you might name. And we'll just leave it at dog bites man. Bad dog.
Dave Bittner: [00:12:39] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:13:51] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute. He's also the host of the ISC "StormCast" podcast.

Dave Bittner: [00:13:58] Johannes, it's always great to have you back. You know, we've seen so many stories about things like Magecart, people's websites being vulnerable, being compromised. How do folks keep track of what is on their websites?

Johannes Ullrich: [00:14:14] Yeah. The problem we had is, in particular with groups like Magecart and such, is they actually don't so much attack your specific website. They attack these libraries and such that you're using in your website and that you may include in your site, but, actually, you don't host these libraries. They're hosted at some vendor. So the vendor gets compromised. The library gets altered on the vendor's system. And then you're just blindly including the code.

Johannes Ullrich: [00:14:41] And if you go to your average website and, you know, pull up sort of the developer view in your browser, you often can see that there is, like, dozens of different websites that your browser connects to in order to load all these libraries. So if you ask the owner - and I've done this in some cases when we're teaching - how many libraries do you actually include, they often have no idea that they're including that many. They may be able to tell you that they're using something like jQuery and such. They sort of usually get the top three or four right. But anything beyond that, they often don't even remember that they included that code.

Dave Bittner: [00:15:20] And so how do you go about auditing those things that are being run by third parties?

Johannes Ullrich: [00:15:27] So that's a - very first step, you should get the list of what's there and why it's there. What I've sometimes seen is that there's sort of this thing with developers. And you put the particular feature on; some marketing person asked for it to count visitors better. A year later, you see that code. You don't remember what it does, but you leave it there just because it may break something if you remove it. So you know, first, inventory what you have. And make sure it's actually still required.

Johannes Ullrich: [00:15:56] Now, the second thing you should do is host as much of it as you can in-house, so host it on your servers. That way, it becomes your responsibility to keep it secure. And all the other things that you do with your own source code sort of - source code - kick in. And, you know, you can use that to protect this particular code so that it doesn't get altered.

Johannes Ullrich: [00:16:16] Now, there will be a small handful of libraries and such that you cannot host yourself. There are sometimes these marketing libraries and so on, where the vendor actually makes some custom modifications for each user for better user tracking. Now, again, you can decide, do I really want to do this? Is it worth the risk to track my users a little bit better than I already do?

Johannes Ullrich: [00:16:41] But then what you can do is - there's a little trick that may help, and it doesn't always work. But browsers include a feature called SRI, or subresource integrity. What this does is in the script tag that you're using to load this library from this vendor, you actually also include a hash, a checksum for this particular library. So if it now gets altered, then the browser will refuse to load it. This is a great trick if you don't want to host it yourself. But be aware if now the vendor modifies the library, they have to coordinate that with you.

Johannes Ullrich: [00:17:21] Now, one thing, of course, you can do is have some script that keeps downloading these libraries - let's say once an hour - and makes sure that these checksums are still right. If they're not right, then, you know, contact the vendor. Check if it's a legitimate change, or maybe you may help out your vendor here by notifying them that they just got breached.

Dave Bittner: [00:17:40] Yeah. I mean, it's - I guess as always, I mean, it's sort of - constant vigilance is in your best interest.

Johannes Ullrich: [00:17:47] Yes. And it's really hard to sort of come up with good signatures for this malicious JavaScript. It keeps changing all the time, so I wouldn't want to rely too much on antivirus and the like. Probably good change management is really important here, vetting your vendors. And I think in the end, you really have to look carefully at, is it worth the trouble to include all that code, or is it maybe just better not to do business with companies that don't allow you to host the code yourself?

Dave Bittner: [00:18:16] All right. Well, it's a good insight, as always. Johannes Ullrich, thanks for joining us.

Johannes Ullrich: [00:18:22] Thank you.

Dave Bittner: [00:18:27] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:18:39] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:19:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.