The CyberWire Daily Podcast 4.18.18
Ep 580 | 4.18.18

More cyber battlespace preparation. Hacking as the continuation of war by other means. Ongoing social media privacy concerns. Tech glitch extends tax deadline. Notes from RSA.


Dave Bittner: [00:00:03:23] Reconnaissance and staging in cyberspace with Five Eyes warnings to Russia. A privacy class action suit complains of Facebook facial recognition. Australia joins the ranks of ZTE skeptics. Cyberwarfare is discussed at RSA: retaliation, deterrence, renunciation, and a private sector push for international norms. And attention tax procrastinators: the IRS says it was hit by a glitch and not hacked.

Dave Bittner: [00:00:36:18] Time to share some words from our sponsor, Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by booth 3911 in the north hall and meet up with their expert professional services staff, or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the digital shadow security leader's party. Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning or ask about their industry-leading research into threat actors who threaten our power grid.

Dave Bittner: [00:01:07:17] You can learn more about their presence at RSA by searching: joincylance@rsaconference2018. Be sure to connect with the company that's making a difference in security. We thank Cylance for sponsoring the CyberWire.

Dave Bittner: [00:01:34:21] Major funding for the CyberWire podcast is provided by Cylance. Coming to you from San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, April 18th, 2018.

Dave Bittner: [00:01:47:04] The US and UK continue to warn that Russian cyber operators (associated in most reports with "Grizzly Steppe") continue the reconnaissance phase and possibly the staging phase of their ongoing battle space preparation. US-CERT's warning contained a good deal of actionable advice on how to reduce vulnerability to such probes.

Dave Bittner: [00:02:07:22] Observers note that the intelligence offered in justification of the air strikes against targets in Syria, associated with the Assad regime's use of chemical agents against restive civilians, was based to a great extent on open sources. Comments by both the US and French governments indicate that social media were a particularly important source of information. Drone policies and tactics appear to be informing allied cyber action.

Dave Bittner: [00:02:36:13] A US Federal judge in California has ruled that a class action suit complaining of Facebook's facial recognition technology can go forward. The judge noted that damages could be very high. Indeed, concerns about social media and privacy continue to run high. Forbes reports that an Israel-based surveillance firm, Terrogence, has used facial recognition features in Facebook and other platforms to build a very large database of biometric profiles.

Dave Bittner: [00:03:06:02] Australian intelligence services are joining their counterparts in the UK and the US in regarding Chinese device manufacturer ZTE with suspicion.

Dave Bittner: [00:03:16:18] Our coverage of the RSA conference continues. If you'll be at San Francisco's Moscone Center this week, stop by and say hello to the CyberWire team. We'll be at the Akamai booth 3625 in the North Hall. We hope to see you there and we thank Akamai for their hospitality.

Dave Bittner: [00:03:32:13] The conference's formal opening was noteworthy for its discussions of cyber conflict. The US has a full spectrum of response options available to it and she suggested that some of those options might well be exercised.

Dave Bittner: [00:03:47:10] Microsoft's President, Brad Smith, led the announcement of an industry undertaking to refuse to conduct offensive cyber operations on behalf of any government. 34 companies have signed the Cybersecurity Tech Accord. The company's concern is commendably irenic, but one notes that the signatories are unlikely to have offensive cyber capabilities as part of their offerings. Some of the companies on board with Redmond are: Facebook, Cisco, Avast, Nokia, Dell, RSA, FireEye, LinkedIn, Symantec and Juniper Networks. Microsoft has long pushed for adoption of a "cyber Geneva Convention"; the Accord represents a private sector move in that direction.

Dave Bittner: [00:04:30:24] Kevin McNamee is head of the Threat Intelligence Lab at Nokia. He was also a presenter at the RSA conference discussing the security of mobile devices. We caught up with him on the show floor.

Kevin McNamee: [00:04:41:12] I think in the past three or four years threat intelligence has become one of the key aspects in cybersecurity. People have had security information management systems, they've had firewalls, intrusion detection. And you now realize that in order to make these systems work properly you have to feed them with information. That information is what we call threat intelligence. So, it's a key aspect of today's security landscape.

Dave Bittner: [00:05:06:24] How does the transformation work from pure information to actionable intelligence?

Kevin McNamee: [00:05:13:11] Well, I can give you an example from what we do in my lab. What we have to do is we have to feed malware detection rules to Nokia's network-based malware detection systems. In order to do that, we have to know how the malware communicates on the network. What we do is we take malware samples and we bring them into our lab, we run them in a sandbox environment and we actually let them generate network traffic. A security analyst will look at that network traffic and build the detection rules that we then deploy in our products. So that's an example of threat intelligence being directly applied to a product in the field in real time.

Dave Bittner: [00:05:56:11] You gave a talk here at RSA about ransomware on mobile devices. Can you give us an overview on what you were talking about?

Kevin McNamee: [00:06:05:10] Ransomware has been a huge topic in the past year with WannaCry, NotPetya, and all the rest of that. They gave a day-long seminar on ransomware here at RSA. Being from Nokia, and being an expert in mobile security, I was asked to present the section on mobile ransomware. So we talked a little bit about ransomware that you see on the Android phone, on the iPhone platform, and explained to the group at the meeting how the malware worked, how it got paid, and what type of techniques it used on the platform to make sure it could lock and encrypt those files.

Dave Bittner: [00:06:43:02] What are you seeing in terms of trends? Are we seeing a growth in malware on the mobile platforms?

Kevin McNamee: [00:06:49:20] Certainly over the years we've noticed an increase in the trend. Typically in the mobile, like in the smartphone, we're looking at about a 1% infection rate across the board. That's been pretty steady for the past few years. What we are seeing more of now is IoT sector is becoming more of a factor. So, in the mobile networks where we monitor we see a lot of IoT devices are being hacked, they're being compromised and they're being used in denial of service attacks. You're probably familiar with Mirai, and a host of other IoT malware botnets. So we're seeing huge increase in that recently.

Dave Bittner: [00:07:29:18] What are the things that you think people are going to have their eye on in the next year?

Kevin McNamee: [00:07:42:14] Well I certainly see the trend we've been talking about today which is the increase in threat intelligence and making the whole thing work. Certainly there are a lot of people talking about ransomware. The main thing that we're focused at from Nokia, is security orchestration, automation and response. We've got a very large scale program, R&D program at Nokia to bring that to the fore. That's what we're working on.

Dave Bittner: [00:08:09:03] That's Kevin McNamee from Nokia.

Dave Bittner: [00:08:12:15] Last night we heard an interesting panel discussion at an event organized by Recorded Future. Three well-informed panelists, Matt Tait, Robert M. Lee, and Juan Andrés Guerrero-Saade, discussed cyber warfare in a session moderated by Recorded Future's CEO Christopher Ahlberg. The panel agreed that cyber warfare was undoubtedly real, but also thought it made little sense to talk in terms of a "cyber war" as a mode of conflict that could be confined and contained within that single, fifth operational domain. This doesn't reflect reality any more than "space war" or "sea war" do. Instead, nations use cyberattack tools in the course of larger conflicts.

Dave Bittner: [00:08:52:03] We are, the panel thought, effectively in a state of continuing cyber conflict, which is to say, simply in a state of continuing conflict. This is a sharper version of Clausewitz's famous dictum that war is the continuation of policy by other means. Consider, panelist Lee said, speaking more-or-less hypothetically, a Hellfire strike against an ISIS cyber operator in the Levant. That sort of clearly kinetic and lethal action might itself be understood in the context of cyber warfare: ISIS operators could not be placed on notice more forcefully that their activities, even if conducted from a keyboard, make them combatants. This observation clearly has implications for considerations of cyber deterrence.

Dave Bittner: [00:09:36:18] The panel's other observations included thoughts on recognized false-flag operations (Russia's Olympic Destroyer that presented itself as a DPRK operation was the first such false flag recognized and unmasked), on officialdom's unrealistic squeamishness about attribution (Russia's two attacks on Ukraine's power grid were not only obvious, but were intended by the Russians to be seen and interpreted as their work), and a need for clarity when drawing red lines. If NATO intends to invoke Article 5 in response to a cyberattack, the Alliance might in the interest of deterrence say where an attack would rise to the level of an act of war. And there was much skepticism expressed concerning the effect of US indictments of foreign individuals carrying out attacks on behalf of their governments.

Dave Bittner: [00:10:25:16] Finally, hello American taxpayers. Have you heard that the IRS is giving you an additional day to file your 2017 returns? That's right, and it's not because the boss is on vacation and they've all gone crazy, or because their secret is volume. No - the Internal Revenue Service's online systems failed as eleventh-hour taxpayers attempted to file yesterday. The IRS has said it's a "hardware issue," which is generally being interpreted as a veiled way of saying "We weren't hacked." And also a veiled way of saying, "See, Congress? We told you we needed a bigger IT budget."

Dave Bittner: [00:11:05:00] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can for you with micro segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at See what Workspace ONE can do for your enterprise security. We thank VMware for sponsoring the CyberWire.

Dave Bittner: [00:12:05:21] Joining me once again is Zulfikar Ramzan from RSA. We are at RSA, it's good to see you again.

Zulfikar Ramzan: [00:12:10:22] You too. In person this time.

Dave Bittner: [00:12:12:17] I know it's nice meeting all these folks face to face. So here we are at the conference another big year as always. What's your take on the show so far? What do you sense in terms of the tone of people out on the show floor this year?

Zulfikar Ramzan: [00:12:27:04] It's hyper exciting, just seeing 50,000 plus people, coming together to think about cybersecurity issues is something we've never seen before in this industry. It's our biggest turnout yet, and to me it's a sign of the times. When I first came to RSA conference it was significantly smaller. In fact, last night I was having dinner with our security scholars - people we've basically given funding to attend the conference for the first time. They're students, they're the future of our industry. And one of them asked me about the history of the RSA conference, and I said, "You know what? I think the first RSA conference, the entire conference could have fit in the room we're having dinner in." Which was not much bigger than the room we're in now. And to see the conference grow over so much time is probably the most exciting and optimistic thing I can think of our industry.

Zulfikar Ramzan: [00:13:10:24] To me the biggest trend in addition to that has been this turning point where seeing more and more people talk about and accentuate the positive aspects of what's happening in our field. It's so easy to become negative about the different threats out there and the challenges, and those are not going to go away. There definitely are some serious clouds we have to deal with. But, on the flip side there are some important silver linings that we can't forget about, and we have to celebrate as a community when we are successful and continue to do so, because if we're not going to celebrate I guarantee the hackers aren't going to celebrate for us.

Dave Bittner: [00:13:40:20] I do sense that people are starting to feel as though equilibrium is on the horizon. It's not right around the corner, but we may be heading towards a time where we're able to manage this. It's not going to be year after year exponential growth on our budgets and our efforts.

Zulfikar Ramzan: [00:13:58:07] I agree wholeheartedly. I think the key elements to that are that, number one, we're converging more and more into some of the most critical problems we have to work on as an industry, and we're taking advantage of the fact that we understand what's most relevant. Knowing even what to work on is in and of itself a fundamental issue and an issue that requires a lot of thought and investigation. The second element is that we're seeing the application of more and more advanced techniques to the problems we're trying to attack. Certainly, areas like artificial intelligence, machine learning and what-not.

Zulfikar Ramzan: [00:14:29:12] Now I say that with a slight chagrin because the reality is that we've been using these techniques for a long time in our environments. At least RSA, as far as I can tell, I think started at least a dozen plus years ago applying machine learning in production environments. But we're talking about it more publicly more recently because the community is more interested in knowing how things work - not just why they work, or what they do. And so we're trying to move past that point in our industry, and so I think the combination of focusing on the right kinds of problems, putting more advanced techniques towards those problems, and having more and more people just looking at these problems all generally bodes well.

Zulfikar Ramzan: [00:15:03:06] Now whether we're going to be in equilibrium now, or in five years or ten years, to me, the most important part is that we continue to make progress. That's the one thing we have control over - we don't have control over whether we're going to get to the right state and how far it's going to take because threat actors aren't predictable, they do what they want to do. But if we can just continue to make marginal improvements every day and build on those improvements, and take that philosophy of marginal gains to heart, we can make so much progress and I'm excited about the road ahead in that regard.

Dave Bittner: [00:15:30:21] Zulfikar Ramzan, thanks for joining us.

Zulfikar Ramzan: [00:15:33:10] All good. Always a pleasure.

Dave Bittner: [00:15:37:08] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit, and thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:15:58:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.