Guccifer 2.0 claims (to general skepticism) a Clinton Foundation hack. Information operations versus voting. Yahoo! and surveillance of customers. Insulin pump vulnerability reported.

Dave Bittner: [00:00:03:18] Guccifer 2.0 is back, but few are buying what they're selling. Experts continue to warn of Russian information operations directed against the perceived legitimacy of US elections. International norms of cyber conflict. IoT-based DDoS concerns rise with wide distribution of Mirai source code. Flashpoint finds Floki Bot for sale in the underground. More trouble for Yahoo!. M&A news. And a dating site is breached.

Dave Bittner: [00:00:34:16] Time to take a moment to tell you about our sponsor ClearedJobs.Net. If you're a cyber security professional and you're looking for a career opportunity, check out the free Cyber Job Fair on the first day of CyberMaryland, Thursday, October 20th, at the Baltimore Hilton hosted by ClearedJobs.Net, a veteran owned specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students and cyber security programs too. You'll connect face-to-face with over 30 employers like SWIFT, DISA, and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching (all of it free) from career expert and air force veteran, Patra Frame. To learn more visit ClearedJobs.Net and click job fairs in the main menu. Remember that's ClearedJobs.Net. We'll see you in Baltimore and we thank ClearedJobs.Net for sponsoring our show.

Dave Bittner: [00:01:38:24] I'm Dave Bittner, back in Baltimore with your CyberWire summary for Wednesday, October 5th, 2016.

Dave Bittner: [00:01:45:23] The news today is heavier on hacking in its information operational guise that it is on cybercrime, hacktivism, or espionage. The big éclat, of course, is again provided by Guccifer 2.0, who has resurfaced with some material he, she, or they, claim to have hacked from the Clinton Foundation. The release is surrounded by clouds of muckraking shock, but on closer inspection it appears to be recycled stuff, purloined from the Democratic Party.

Dave Bittner: [00:02:12:12] Longtime Guccifer 2.0 observer, Motherboard, offers the most direct, demotically expressed assessment, which we'll bowdlerize to "hogwash." Guccifer 2.0, if you're keeping score at home, is widely believed, on circumstantial but compelling evidence, to be a sockpuppet of Russian intelligence services. This particular mode of information warfare has attracted considerable comment at the AUSA meetings; we'll have more on that later this week.

Dave Bittner: [00:02:39:06] Guccifer 2.0's communique includes a collegial shout-out to WikiLeaks and Julian Assange. WikiLeaks reiterates its plans for weekly data dumps through the US elections. And US fears of election hacking are now centered on the possibility that confidence in the vote's legitimacy could be eroded.

Dave Bittner: [00:02:56:24] In some quick notes on more traditional cybercrime, it's clear that the Internet of Things botnets are, by general consensus, the new normal in attacks on businesses. The gaming industry, dependent as it is on high levels of access, is particularly concerned, but the worries extend to businesses generally. Too much commerce is transacted online for anyone to be blasé about the DDoS threat.

Dave Bittner: [00:03:19:23] Flashpoint warns that a new exploit kit, "Floki Bot" is out in the wild. An evolution of Zeus, with a noticeably improved dropper, Floki Bot is available for $1000 a pop on what Flashpoint characterizes as a high-end Russian criminal forum.

Dave Bittner: [00:03:36:10] In what is believed to be the first warning of its kind by a medical device manufacturer, Johnson & Johnson alerts users to the possibility that its insulin pumps are vulnerable to cyberattack.

Dave Bittner: [00:03:47:19] In more bad news for Yahoo!, Reuters reports that the company engineered surveillance of its users' emails by US intelligence or law enforcement agencies. With the sense of this being a last straw, advice on how to unsubscribe from Yahoo! Services is being widely offered across the Internet. How this will further affect the company's acquisition agreement with Verizon is undetermined.

Dave Bittner: [00:04:09:16] Not all industry news is bad. Akamai has announced its acquisition of Soha Systems in an all-cash deal. Soha is a provider of enterprise secure access-as-a-service. Carbon Black seems to be progressing toward an IPO. And congratulations are in order for the companies being honored as this year's SINET 16: they'll be receiving their awards at SINET's Innovation Showcase in Washington, November 2nd and 3rd. The CyberWire will be there to cover the proceedings.

Dave Bittner: [00:04:39:05] We've been spending this week at the Association of the United States Army's annual meeting and exposition. The experts and leaders speaking at the conference have expressed a very strong commitment to integrating cyber operations at all levels of conflict, from the tactical to the operational; when appropriate to the strategic. Several of the speakers have drawn a close connection among growing urbanization worldwide, the continued failure of states, and the coming pervasiveness of cyber threats and opportunities. Soldiers operating in urban areas, for example, can and should expect to operate under conditions of continuous electronic surveillance. This will shape the battlespace in challenging ways.

Dave Bittner: [00:05:18:08] The greatest uncertainties, speakers have said, cluster around the survival or failure of the institutions in which the US-led post-World War II security order has found expression: the United Nations, NATO, the European Union, the World Bank, the IMF, and others. These institutions are under stress, and their future is unclear. One area requiring clarity is the set of norms that will govern conduct in cyberspace. Professor Thomas C. Wingfield of the National Defense University was a principal author of NATO's Tallinn Manual, the most influential model for how such norms will look. He sat down with us in the Cyber Pavilion at the AUSA meeting to talk about emerging international norms for conflict in cyberspace.

Dave Bittner: [00:06:01:16] We've encountered an increased co-mingling of kinetic and cyber warfare, and we've heard a number of times that the norms of cyber conflict remain immature. Do you agree with that?

Professor Thomas C. Wingfield: [00:06:12:22] I agree with it up to a point. The norms of cyber conflict are immature, but the norms of conflict, in general, are very mature. Most countries agree on most norms, almost all of the time. And the trick is, in applying those near universal norms to these new cyber targets and these new cyber problems.

Dave Bittner: [00:06:34:04] You're one of the authors of the Tallinn Manual, which has acquired the reputation of being one of the more comprehensive and influential sources of the norms in conflict and cyberspace. So, how closely does the Tallinn Manual adhere to other earlier codifications of such international norms? The laws on armed conflict, the law of the sea, the just war tradition?

Professor Thomas C. Wingfield: [00:06:55:04] Very closely. The whole point of the Tallinn Manual was not to write new law, but rather just take the core of existing law, that almost all of the countries agreed on, and apply it to a new battlefield. Just as we had the San Remo Manual apply law of armed conflict to naval operations. And the Air and Missile Warfare Manual do that for that area. It was just meant to take the part we agree on and apply that to cyber operations.

Dave Bittner: [00:07:22:17] I wanna ask you about NATO's Article Five. Some of the newer members of the Atlantic Alliance have been on the receiving end of cyber offensive operations, and we're thinking of Estonia here. Would the Alliance be likely to invoke Article Five over a cyber incident?

Professor Thomas C. Wingfield: [00:07:37:08] If it were a sufficiently dangerous situation, if it caused sufficient damage, absolutely. We haven't seen anything in the purely cyber realm that would rise to what we call an armed attack, not even a mere use of force. So we're just at the very early stages. If it ever did get to the level of an armed attack, a smoking hole in the ground, a significant loss of life, then there's not a doubt in my mind that Article Five would be invoked.

Dave Bittner: [00:08:06:15] Is there any sense of any belief that a cyber attack should require a cyber response?

Professor Thomas C. Wingfield: [00:08:13:15] Under international law, there's absolutely no requirement to use a kinetic response for a kinetic attack, or a cyber response for a cyber attack. Once an attack gets to the level, whether it's kinetic, or cyber, or a mix, gets to the level of armed attack, the smoking hole, lives lost, then any mixture of cyber and kinetic in response is permitted, as long as it's proportionate and necessary and follows the other norms that, of course, we follow. There's a strong predisposition to not use kinetic if there's a way to avoid it, because it does result in a smoking hole in the other side. But there are also limitations the other way. Not using cyber weapons because, at least in our decade, they tend to be one off type of weapons, and by using a capability, we give up a certain architecture of weaponry, and we prefer not to use those silver bullets just yet. From a legal perspective, it doesn't make any difference and it's really more of an operational choice.

Professor Thomas C. Wingfield: [00:09:21:19] I think that there are two things that are very important, at least in the legal world, one is the need to have an overlap between what the lawyers understand and what operators do. That's why we're hoping, as the next Tallinn Manual 3.0 is going to be an operational law handbook (we hope), that would look at these problems, not from a law professor's perspective, but rather from the questions and problems that operators have now in this immature field. And we hope to be able to build the legal advice in cyber, as the US Army does a great job of doing for the Operational Law handbook for broad spectrum operations. The second thing, perhaps more interesting, is the rise of lethal artificial intelligence. We're legally responsible for what those agents do at cyber speed. And if they start causing serious damage, or perhaps even loss of life in the not too distant future, the last human in the loop, the operator, the commander, we would be on the hook for what those things did in our name. So we would have to train them to know the cyber legal outer limits of what they could do, so we wouldn't end up as war criminals for releasing them into the wild.

Dave Bittner: [00:10:43:07] It reminds me of, you know, Asimov's Rules for Robotics.

Professor Thomas C. Wingfield: [00:10:46:05] Absolutely. We would start there and then add on the rules we give to frightened 19 year olds that we send into combat. The same rules would have to be taught and burned into our AI agents, so that whatever else they did while they're fighting at cyber speed, they would not go afield of the rules that define us as us.

Dave Bittner: [00:11:10:04] Thomas Wingfield, thanks for joining us.

Professor Thomas C. Wingfield: [00:11:11:24] It's been my pleasure. Thanks for having me.

Dave Bittner: [00:11:15:10] And finally, there's another breach in an online dating and adultery facilitation service. This one's centered in New Zealand, and may have affected around a million-and-a-half users of the mobile apps "Have a Fling," "Have an Affair," and "Hook-Up Dating." Who knew the Kiwis were so frisky? You know, if Kiwis weren't flightless birds, we'd advise "straighten up and fly right," but we think we'll have to settle for "walk the line."

Dave Bittner: [00:11:45:05] Time for a quick break to tell you about our sponsor Netsparker. Are your security teams dealing with 100s of vulnerability scan results? Netsparker, not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue, and improve security with Netsparker. Not only will your protection improve, but your costs will drop, and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at netsparker.com. Like to try it out free with no strings attached? Go to netsparker.com/cyberwire for a free 30 day, fully functional trial version of Netsparker Desktop. And by fully functional, Netsparker means, yes, really, really, fully functional. Scan your websites with no obligation. Check it out at Netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:12:50:11] And I'm pleased to be joined by Emily Wilson. She's the director of analysis at Terbium Labs. Emily, you at Terbium spend a good amount of time monitoring the Dark Web. Help us understand what is the difference between the Dark Web and the Deep Web?

Emily Wilson: [00:13:03:20] So, first kind of by way of definition, we think of the Dark Web as anywhere our clients wouldn't want to see their information appear online, whether for sale or for vandalism. And so that can include Tor hidden services, these password protected forums, even some technically clear websites, actually where a lot of fraud lives. You have top level domains, based in countries that don't care as much, you know, Western Samoa probably isn't going to shut down your carting forum. And then the Deep Web really isn't as scary as it tends to be presented as. It's kind of anywhere, a crawler kind of, if you think of Google's web spider out indexing web pages, it can't really reach. So anytime you log in and you're in a place that you can only access with your credentials, that's the Deep Web. It's nothing scary or illegal about it by nature.

Dave Bittner: [00:13:49:07] So, are there legitimate activities going on on the Dark Web? Or is the Dark Web pretty much all bad stuff?

Emily Wilson: [00:13:55:16] Well, not to tease out too much of a research paper we have coming out soon, but actually a fair amount of the Dark Web is legal activity. This can range from standard clear websites that happen to have, you know, a version of their site up on a hidden service, Facebook, for example. Or whistleblower sites, where people can provide information. Even just offbeat news sites, talking about, you know, what the government doesn't want you to know, or the UFO in my backyard - all perfectly legal activity.

Dave Bittner: [00:14:24:08] Alright, Emily Wilson, thanks for joining us.

Dave Bittner: [00:14:29:06] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.