The CyberWire Daily Podcast 6.27.19
Ep 874 | 6.27.19

Washington and Tehran confront one another in cyberspace. Dominion National investigates data incident. Facebook on info ops (and identity). Labor market notes. Skids on skids.


Dave Bittner: [00:00:03] The U.S. cyberattack against Iranian targets remains hazy in the information fog of cyberwar. Iran's APT33 seems to have altered its tactics after its operations against Saudi targets were described by Symantec at the end of March. An insurer and provider of vision and dental benefits investigates a data incident. Skids on skids, kids. Facebook talks information operations and teases plans concerning identity. And notes on the labor market.

Dave Bittner: [00:00:38]  And now a few words from our sponsor KnowBe4. Everyone knows that multi-factor authentication, or MFA, is more secure than a simple log-in name and password. But too many people think that MFA is a perfect, unhackable solution - it isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:01:38]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 27, 2019. Military Times says the U.S. cyber operations against Iran last week remain obscured by the fog of war, as Iran denies the attacks had any effect. And some U.S. officials say - anonymously, on background - that on the contrary, the attacks did have effect. The Iranians would be in a position to know. But it's unlikely that they'd complain about the effects unless they were both costly and discreditable to the U.S. 

Dave Bittner: [00:02:29]  Refined Kitten, also known as Elfin or APT33, appears to have shifted its tactics after Symantec reported on the Iranian threat group's operations against Saudi targets. Recorded Future has observed the group's shelving most of the domains it had used and registering some 1,200 new ones. About half of the newly established domains are connected with StoneDrill, an upgraded Shamoon wiper. The concentration on Saudi targets isn't novel. The kingdom of Saudi Arabia has long represented not only a regional political rival of Iran, but a religious rival as well. Refined Kitten has shown an increased preference for commodity malware tools, especially remote access Trojans. This is a sign of sophistication, not frugality or desperation. Among other advantages, using commodity malware can render attribution murkier. APT33 also uses organizations outside the scope of their declared purpose. And the Nasr Institute, which Ars Technica describes as an organization that oversees Iran's computing and networking, seems to be one of Tehran's cyberattack crews. 

Dave Bittner: [00:03:39]  Should Iran undertake the broader offensive against the U.S., what form might that take? The Washington Post reviewed the track record going back to 2012, when Tehran responded to the imposition of sanctions by conducting a range of distributed-denial-of-service attacks against American financial institutions, including the Bank of America, JP Morgan Chase and Wells Fargo. 2012 was also the year of the Shamoon wiper attacks against Saudi Aramco. In 2014, Iran conducted a data destruction attack against the Sands Casino in Las Vegas, whose pro-Israel owner, Sheldon Adelson, had made intemperate remarks about Iran deserving a nuclear strike. 

Dave Bittner: [00:04:21]  The Post doesn’t mention the U.S. indictment of Iranian hackers in March of 2016 for an attack against the Bowman Avenue Dam in downstate Rye, N.Y. That one was interesting and, to many, baffling, the Bowman Avenue Dam being nothing more than a small flood control dam that keeps a brook from flooding a couple of residential basements and a Little League baseball field. This is neither a high-value nor a high-payoff target. Speculation is that either the Iranian operators were interested in testing their technique - they did succeed in getting into the dam’s controls, which in this case would not have been much more difficult than hacking a casually installed home security system - or that they’d mistaken their target. It would have made more sense had they attacked the Arthur R. Bowman Dam on the Crooked River in Oregon. Hitting that irrigation dam wouldn’t have caused widespread devastation, either, but it would have been more noticeable than whatever they were up to on Bowman Avenue. In any case, Iran has shown a strong disposition and ability to learn, so it would be unwise to simply project past actions into the future. 

Dave Bittner: [00:05:29]  Have you ever come back to your parked car and found you accidentally left the doors unlocked? It happens to most of us from time to time. You get distracted from your regular routine and somehow just miss it. It's an inadvertent lapse in security, right? Our own Tamika Smith takes a closer look at the online version of this - data exposure from misconfigured files. 

Tamika Smith: [00:05:52]  During the past year, billions of files were exposed globally across commonly used file storage technologies. A recent annual report from the Digital Shadows Photon Research Team shows misconfiguration is one of the main contributors of this data exposure. Here to talk more about the report is Harrison Van Riper. He's the strategy and research analyst at Digital Shadows. At DS, he provides analysis into technology and digital risk. Hi, Harrison. Thanks for joining us. 

Harrison Van Riper: [00:06:21]  Hi. Yeah, thanks for having me. 

Tamika Smith: [00:06:23]  So let's start with some of the various technologies that are being exposed. 

Harrison Van Riper: [00:06:27]  Sure. So it's things like network-attached storage devices, FTP servers, rsync servers and SMB file shares are actually a pretty big chunk of kind of the overall exposure that we've been seeing, as well as Amazon S3 buckets. 

Tamika Smith: [00:06:42]  So what makes these sources so vulnerable to exposure? 

Harrison Van Riper: [00:06:46]  Very basically, it's that they don't have any authentication measures on them. There really is no password login or anything like that. They're just kind of there, existing on the open internet, which is obviously pretty troubling. 

Tamika Smith: [00:06:59]  The United States had one of the largest numbers of exposed files, to the tune of about 330 million. Why are we seeing this in the U.S. and how does it compare to other countries? 

Harrison Van Riper: [00:07:10]  It's a little bit difficult to say why in the U.S. specifically. You know, I had a couple of ideas, as we were putting the paper together, as to why the geography would be so different. But, you know, in the U.S., if we look at the data privacy regulations and security policies that are in place, there really isn't one that kind of broadly applies to the entire country, like a GDPR does to the EU. I would say that definitely has something to do with it. You know, the less likelihood of a consequence typically goes hand in hand with that action sort of playing out. 

Tamika Smith: [00:07:41]  So the GDPR, you think, has a role to play in it? 

Harrison Van Riper: [00:07:46]  I think it does overall. I think, you know, we're still within the first year - or I guess now we're beyond one year. We passed the one-year anniversary around the release of this paper, actually. And you know, that's kind of one reason why we wanted to look back, to see what the effect of GDPR was. Currently, you know, there is still a whole lot of exposure out there. I think there were a couple of instances within the report with Luxembourg and the Netherlands. They actually have reduced their overall exposure, and it's hard to say specifically if GDPR was the cause of that, but I definitely think that it helped overall having that sort of policy and regulation in place to say, here's how we can actually curb some of this exposure. That's definitely going to help, you know, in the long run. 

Tamika Smith: [00:08:33]  So when you look at some of the files that are being misconfigured or stored in a place where they're easily accessible - there's passport information, bank records, medical information - I mean, this feels and seems so troubling. 

Harrison Van Riper: [00:08:49]  You know, especially when we look at something like the medical records, that's definitely one of the things that stood out for me, and I think it hits home for a lot of consumers, anybody who's ever been to a hospital, which is, you know, kind of anybody. You know, we look at the imaging files that we found - 4.4 million DICOM medical imaging files, so these would be things like X-rays. Those are also considered to be protected health information, so within the U.S., it falls under HIPAA regulations. So, yeah, I think it's something that is troubling, and I think it's something that, you know, continues to expand, as we've seen since this is our - this is now our second report, following up from last year's report. And you know, obviously, we saw a great increase. But the thing that I kind of like to hammer home about it is that it's not an impossible problem to solve; there are ways that we can kind of curb this exposure and reduce it overall. And I think that there are - there's a lot of really good work that's going on sort of behind the scenes that we can really take note of and start to implement some of these mitigation measures. 

Tamika Smith: [00:09:49]  If I'm an organization - a hospital, bank - you know, these people have a responsibility to protect information, and to their best knowledge, they're doing so. So how would you advise them on being able to protect this information, being able to make sure that they're staying aware of how to protect that information? 

Harrison Van Riper: [00:10:11]  So I think a lot of it, you know - like you say - a lot of it, it's a lot of inadvertent data exposure. When you're dealing with things like remote servers that you may need to log into, like, you know, especially in the hospital scenario where - as we have e-doctors and kind of remote care going on - there's a fairly large, you know, sort of exposure point there. From the research that we found, we found over 17 million different files that are existing on these online file repositories that have been encrypted by ransomware. So I think that's one thing to note, is that there's also a lot of these files that have been potentially encrypted - slash-attacked, if that's how you want to describe it - by ransomware that organizations may not even really know about. I think when you look at that overall, the 17 million files that have been encrypted, you know, the common mitigation for ransomware is to have backups - right? - have backups for your files, have backups for your systems. 

Harrison Van Riper: [00:11:05]  And a lot of times people will put those backups on network-attached storage devices, on FTP servers, things like that. You know, what happens then if those files are then encrypted? What happens when your backups become encrypted? What do you do then? I think in that case, you know, it's obviously a - it's always a good idea to have a ransomware playbook. Backing up your data is not going to be the only thing that you should do. You should be doing more than that, and I think this kind of highlights that point. 

Tamika Smith: [00:11:33]  Harrison Van Riper - he's the strategy and research analyst at Digital Shadows. And at DS, he provides analysis into technology and digital risk. 

Dave Bittner: [00:11:43]  That's the CyberWire's Tamika Smith reporting. 

Dave Bittner: [00:11:47]  Dominion National has disclosed a data security incident, in effect a data breach. The company, which offers insurance and administers dental and vision benefits, is investigating unauthorized access to its servers that may have taken place as early as August 25, 2010. The data on those servers include personally identifiable information. The company says it has no evidence yet that the data were accessed, manipulated or stolen, but investigation is in progress. Silex malware, which bricked large numbers of IoT devices until its command-and-control server went down yesterday afternoon, seems to be the work of three teenagers, Bleeping Computer reports. The three European kids glory in the names Light The Leafon - or Light The Sylveon - Alx, and Skiddy. Akamai looked at Silex and found that it worked against default passwords. The motive seems to have been a form of snobbery. The hackers wanted to preempt tiresome skids from exploiting poorly protected IoT devices for cash and bragging rights. As Mr. Leafon said, quote, "I am only here to prevent skids to flex their skidded botnet," end quote, which is one way of looking at vandalism. 

Dave Bittner: [00:13:04]  Facebook has been back in the news, with CEO and founder Mark Zuckerberg appearing at Aspen to call upon the government to help businesses like his fight election influence operations. He seemed more censorship-averse than much of big tech has appeared lately, saying that it didn’t seem to him that a private company should be in the business of telling individuals that they can’t say false things to people. He did suggest that there was a line to be drawn somewhere around deep fakes but saw even difficulties there. And Facebook’s white paper on its projected Libra cryptocurrency contains a brief remark that’s prompted much comment - quote, “an additional goal of the association is to develop and promote an open identity standard. We believe that decentralized and portable digital identity is a prerequisite to financial inclusion and competition," quote. That’s all it says, but the social media watchers who devote themselves to the close reading of texts emanating from Menlo Park see it as a sure sign that Facebook is out to dominate identity. 

Dave Bittner: [00:14:07]  Burning Glass Technologies has published a comprehensive report on the cybersecurity job market. There are still more positions open than can be readily filled. One thing hasn't changed - cybersecurity remains to a significant extent an additional duty for IT personnel. But there have been changes. Enterprises increasingly look for security personal with automation and cloud skills. 

Dave Bittner: [00:14:31]  And finally, as the Fourth of July approaches - that annual celebration of the Amexit of 1776 - Unisys offers up some advice on all the unfortunate things that can happen during the festivities. Some of the advice involves common-sense cautions about personal physical security, like telling people where you're going, not travelling alone, travelling light and, in an emergency, moving to the edge of the crowd. But others involve online safety because scammers observe holidays, too - don't buy event tickets from dodgy sites, don't use unsecured Wi-Fi and update your mobile device. Also, watch out for wasps in the lemonade. 

Dave Bittner: [00:15:16]  And now a few words from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:16:18]  And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also host of the "ISC StormCast" podcast. Johannes, always great to have you back. You had some stuff you wanted to discuss with us today about malware command and control channels making use of TLS and some of the issues there. Before we dig into that, can you just give us a brief overview and describe to us what is TLS? 

Johannes Ullrich: [00:16:42]  TLS - well, it's short for transport layer security. It's a protocol that's commonly used to protect network connections. For example, if you are using HTTPS, then what you're really doing is you're sending your HTTP, your web requests over a secure channel that's implemented using TLS. 

Dave Bittner: [00:17:05]  And so in terms of malware command and control channels using it, what are the implications there? 

Johannes Ullrich: [00:17:11]  Well, malware likes to use TLS because it does hide the actual content after command and control channel. So as a system administrator monitoring my network, the only thing I'm seeing is a TLS connection, but I have no idea what's inside. It could be just the user browsing a harmless website, or it could be malware exfiltrating all my secrets. 

Dave Bittner: [00:17:38]  And so what options do you have then? 

Johannes Ullrich: [00:17:41]  Well, one option you do have is to do something called TLS fingerprinting. TLS has a large number of different options available, like what exact encryption mechanisms, what ciphers are being used. There are things, like, for example, the hostname can be transmitted in the clear as an option. And malware often uses slightly different options compared to a normal browser. So what an system administrator can now do is they can look for anomalies in this initial handshake with TLS connections, established to see if something in your network is using options that are somewhat anomalous for your particular network. 

Dave Bittner: [00:18:30]  So you can't actually see what the specific data that's being sent and received, but you can sort of monitor the patterns that are forming? 

Johannes Ullrich: [00:18:40]  Correct. You can monitor patterns, and you can monitor what encryption algorithms are being used. You can also monitor this hostname that's usually sent in the clear. And for example, malware often doesn't do that; malware doesn't send the hostname in the clear. Normal browsers do because it's actually a fairly important feature to connect to a lot of HTTPS websites. 

Dave Bittner: [00:19:04]  And so suppose you do find an anomaly, what's your next step? 

Johannes Ullrich: [00:19:07]  Once you find anomaly, the next step would - try to figure out, first of all, where does this connection originate from? What's the software that's establishing this connection? And then hopefully it's just yet another piece of normal software that you don't have to worry about. But if not, then by all means, you know, block the connection, and you have some new interesting malware to analyze. 

Dave Bittner: [00:19:31]  Yeah, better safe than sorry, I suppose. All right, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: [00:19:36]  Thank you. 

Dave Bittner: [00:19:41]  And that's the CyberWire. 

Dave Bittner: [00:19:42]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at 

Dave Bittner: [00:19:54]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.