The CyberWire Daily Podcast 11.18.19
Ep 972 | 11.18.19

Disney+ credentials hacked. Kudankulam reassurance. Chinese, Iranian documents leak. Iran and Venezuela restrict Internet access. Russia proposes Internet control treaty. Hacktivist notes.


Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick favor to ask. I would love it if you would help spread the word about our podcast. You can tell a friend. Share with your colleagues at work. Put a note out on Twitter or Facebook or LinkedIn and recommend our show. It's a virtuous circle. The more people enjoy our show, the happier our advertisers are. We get to pay the bills and provide for everyone who works hard every day to bring you the cybersecurity news you rely on. So please don't be shy. Help spread the word about the CyberWire today. Thanks. 

Dave Bittner: [00:00:34]  Disney Plus credentials are already on sale in the black market. India reassures nuclear power partners that the Kudankulam incident didn't compromise safety. Documents pertaining to Chinese and Iranian security operations leak. Internet restrictions go into force in Iran and Venezuela. Russia offers an internet control treaty at the U.N. The Lizard Squad might be back, and Phineas Fisher has also resurfaced. And happy birthday, CISA. 

Dave Bittner: [00:01:07]  And now a word from our sponsor ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at That's And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to 

Dave Bittner: [00:02:24]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, November 18, 2019. We open with some depressing but foreseeable news from the cybercriminal underworld. Disney launched its Disney Plus video streaming service last Tuesday. Hours after the debut, hackers were already offering compromised user account credentials in various dark web markets. They're said to be selling for just $3 to $11, a ZDNet investigation reports. 

Dave Bittner: [00:02:58]  India has reassured its Russian partners that the cyber incident at the Kudankulam nuclear power station did not affect safety or operations, the Hindustan Times reports. Atomstroyexport is assisting with construction at Kudankulam, which when complete will have six Russian-supplied VVER-1000 reactors. The two countries have also cooperated on the installation's security. 

Dave Bittner: [00:03:24]  The New York Times has published a large set of leaked classified documents outlining Chinese surveillance and detention of its Muslim Uighur minority. The repression has been particularly severe in the Xinjiang province. This was a conventional leak, apparently from within the Chinese government, and that there was a leak at all suggests that party discipline may be shakier than it's often thought to be. Many of the measures the government is taking are directed at Uighur university students and aim to persuade them that detained relatives are safe and that they, the students, should be grateful for the detentions. 

Dave Bittner: [00:04:00]  Foreign Policy says that much of the surveillance technology used in Xinjiang is being built into the smart cities component of the Belt and Road Initiative. Authorities in Kazakhstan, Kyrgyzstan and Uzbekistan are said to be particularly interested in cooperating with Beijing. 

Dave Bittner: [00:04:18]  The second set of leaked material exposes Iran's role in fomenting domestic unrest in Iraq. Much of Tehran's activity has taken the form of long-term, patient cultivation of agents and deployment of influence of a kind long practiced in espionage. The Revolutionary Guard's Quds Force is said to have taken a leading role in Iraqi operations. Facing its own domestic unrest, Tehran has also begun restricting access to the internet within Iran, WIRED, TechCrunch and other outlets say. The proximate cause of the problems the regime is facing in the streets is Tehran's decision to increase the price of gasoline by 50%. The NGO NetBlocks, which maps government-produced outages, calls the blackout near total, with connectivity down to between 5% and 7% of normal levels. The AP reports that the government's principal aim of cutting off internet access has been to inhibit street violence by depriving protesters of their customary means of communication and organization. 

Dave Bittner: [00:05:20]  NetBlocks also reports that Venezuela's government restricted access to Twitter, Facebook, Instagram and YouTube on Saturday. The targeted restrictions were also intended to prevent protesters from organizing and communicating before anticipated demonstrations advocating democratic elections and the replacement of the Chavista regime in Caracas. 

Dave Bittner: [00:05:42]  The U.S. opposes a Russian-led cybercrime treaty proposed in the U.N. on the grounds that the pact would solidify authoritarian control over the internet, The Washington Post reports. The measure is expected to come up for a vote today. A European diplomat, speaking to the Post on condition of anonymity, offers what the Post characterizes as a representative take on the measure - quote, "the big picture is that Russia and China are seeking to establish a set of global norms that support their view of how the internet and information should be controlled. They're using every means they can in the U.N. and elsewhere to promote that. This is not about cybercrime. This is about who controls the internet," quote. 

Dave Bittner: [00:06:23]  Russia is offering the treaty, which has the name Countering the Use of Information and Communications Technologies for Criminal Purposes, as an alternative to the Budapest Convention, which since 2001 has been ratified by 64 countries, including the U.S., Japan and all but two of the EU's member states. The draft contains a good deal of what the Post calls unobjectionable statements about the rise in digital crimes and their impact on the stability of critical infrastructure, but it's clearly aimed at building out internet sovereignty in ways that would criminalize much ordinary online activity. The resolution's sponsors include, beside Russia, China, North Korea, Myanmar, Nicaragua, Syria, Cambodia, Venezuela and Belarus. Where's Iran, one asks? If the techno-libertarians of Tehran aren't co-sponsoring, what does that say about the likely effect of the treaty? 

Dave Bittner: [00:07:20]  Two names from the quasi-hacktivist fringes have resurfaced. The first is the Lizard Squad. Remember them? Someone claiming to represent the squad told The Independent that his group was behind the failed DDoS attack on the U.K.'s Labour Party. The Lizard Squad, which said it had disbanded in 2014 but whose name has surfaced episodically since, is best known for low-grade distributed denial-of-service attacks against online games and a failed extortion attempt involving a search for nonexistent intimate photographs of singer Taylor Swift. These are a fair representation of the group's seriousness of purpose. 

Dave Bittner: [00:07:59]  But, of course, while the action against Labour did show the imperfect execution of the old Lizard Squad, it's entirely possible that the act was the work of some other individual or group. Anarchist collectives have no very rigorous forms of organization, modes of operation or intellectual property, and the Lizard Squad's name and logo may easily have been appropriated by some other threat actor. It's simple enough to tweet with an emblem of a high-living lizard dressed vaguely the way Eustace Twilley appears on The New Yorker's masthead, only with more of a stoner aspect to the lizard's demeanor than we ever saw in Mr. Twilley. But maybe that's just the way lizards look, because the living's hard out there among the reptiles. In any case, the Labour Party has reassured its members and others that the attack failed, there was no breach, and the party lost no data in the incident. 

Dave Bittner: [00:08:52]  The other blast from the past came in the form of an announcement from Phineas Fisher, who is offering a bounty of a hundred grand - that's US$100,000, but payable, naturally, in Bitcoin or Monero - in exchange for hacks of capitalist expropriators. The social-change-minded cybercriminal calls his initiative the Hacktivist Bug Hunting Program. He offers as examples of worthy targets South American mining and livestock companies and that activist they particularly dislike, the oil services company Halliburton. Vice notes that the purse was apparently filled by cyber robbery. Mr. Fisher's whereabouts are unknown, but they're of interest to any number of law enforcement organizations worldwide. While there was at one time suspicion that Phineas Fisher was a sock puppet for Russian intelligence, consensus, in the U.S. at least, is that he probably is the hacktivist he represents himself to be. 

Dave Bittner: [00:09:51]  And, finally, CISA, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, marked the first anniversary of its formation on Saturday. Many happy returns to Director Krebs and his crew. 

Dave Bittner: [00:10:10]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats, and when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's, and we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:11:12]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he is also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back. 

Joe Carrigan: [00:11:22]  Hi, Dave. 

Dave Bittner: [00:11:23]  Through the magic of pre-recording, as we air this segment, you are actually attending the NICE Conference. 

Joe Carrigan: [00:11:30]  Right. 

Dave Bittner: [00:11:31]  Give us a rundown. First of all, what is that conference? 

Joe Carrigan: [00:11:34]  Well, it's a nice conference. 

Dave Bittner: [00:11:35]  It sounds like it. It's in the name. 

Joe Carrigan: [00:11:37]  Right. NICE is actually the National Initiative for Cybersecurity Education, and it's a program out of the National Institute of Standards and Technology, NIST. 

Dave Bittner: [00:11:46]  Yeah. 

Joe Carrigan: [00:11:47]  So NICE was started in 2009 by President Obama based on some previous work by President Bush called the Comprehensive National Cybersecurity Initiative, and it focuses on educating people to get them into the cybersecurity workforce. That's really what the purpose of the NICE program is. 

Dave Bittner: [00:12:04]  I see. And so you head out there representing Johns Hopkins. 

Joe Carrigan: [00:12:09]  Yep. 

Dave Bittner: [00:12:09]  And so what is in it for Hopkins as an organization to participate? 

Joe Carrigan: [00:12:15]  We are actually there to contribute our input there. You know, we have a Master's of Science in security informatics. It's a 20-year-old program. So we're there representing education or being part of the educational voice in the room. 

Dave Bittner: [00:12:26]  Can you give us a sense for the organization of the event itself? What - if someone attends there, what can they expect to find? 

Joe Carrigan: [00:12:33]  Well, it's typical conference fare, right? It's got keynote speakers, usually pretty good keynote speakers. Last year the closing keynote was from - I can't remember the guy's name, but he was from McAfee, talking about the things I've talked about here before, about how the cybersecurity skills gap is in part a courage gap on the part of companies. 

Dave Bittner: [00:12:51]  Yeah. 

Joe Carrigan: [00:12:52]  This year there will be a keynote from somebody from NIST. Of course, during the keynotes, there are breakout sessions where you can go to individual talks and things, and in fact, this is where I first picked up on some ideas on how to run our CTF programs at the Information Security Institute. So we have our students participate in these programs, and it's actually pretty important for their skills - to build their skills for it. And this semester we've had students participate in three of these, and one team has actually made it to the finals in the Maryland Cyber Challenge. We're happy with that. So that's one of the things we get out of it, but there - they talk about a whole mess of different things here that are relevant to industry, academia and government. 

Dave Bittner: [00:13:34]  So really, an opportunity for folks who are on the educational side of things to get together, exchange... 

Joe Carrigan: [00:13:41]  Ideas. 

Dave Bittner: [00:13:41]  ...Best practices, ideas and so forth. 

Joe Carrigan: [00:13:43]  Yep, and then to talk to other people across different sectors like industry and government. 

Dave Bittner: [00:13:49]  All right. Well, it is the NICE Conference. Safe travels. 

Joe Carrigan: [00:13:53]  Thank you. 

Dave Bittner: [00:13:53]  I hope you get a lot out of it, and we'll see you back here when you get back. 

Joe Carrigan: [00:13:57]  Yep. 

Dave Bittner: [00:13:57]  Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:13:58]  My pleasure. 

Dave Bittner: [00:14:04]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at 

Dave Bittner: [00:14:45]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.