In today's podcast we follow the continuing story of election hacks, and the varying but convergent motives behind them. We get a side helping of good government advice from Mr. Putin. (Thanks, Vlad!) Al Qaeda tries to reach the Millennial jihadist market with ISIS-like information operations. The Internet-of-Things enhances its reputation as an Internet-of-Trouble. Cyber stocks see turbulence as downbeat guidance spooks speculators. Pork Explosion isn't a movie from the Seventies—it's an Android backdoor. The Johns Hopkins University's Joe Carrigan responds to a listener inquiry about Amazon's recent password resets. DDoS expert Dave Larson from Corero Network Security shares his perspective on recent attacks. And please don't use a misspelled app to take selfies.
Dave Bittner: [00:00:03:16] Election hacks continue with a side helping of good government advice from, of all people, Mr. Putin. Al-Qaeda tries to reach the Millennial jihadist market with ISIS-like information operations. The Internet-of-Things enhances its reputation as the Internet-of-Trouble. Cyber stocks see turbulence as downbeat guidance spooks speculators. "Pork Explosion" isn't a movie from the 70s, it's an Android backdoor. And if you really must take selfies, at least try not to do so using a misspelled app. You've been warned.
Dave Bittner: [00:00:39:24] It's time to thank our sponsor, E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks, and E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free white paper to learn more. E8, transforming security operations. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:36:11] I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, October 14th, 2016.
Dave Bittner: [00:01:44:12] The week closes as it began with the continuing story of election related hacks in the US. Wednesday evening, Clinton campaign chairman John Podesta's Twitter account was hijacked to tweet "Vote Trump". We shouldn't have to say this, but we do, it was a hack. Mr. Podesta hasn't jumped ship to Team Trump. It's since emerged that more than his Twitter account was compromised. Apparently, his iCloud account was also hacked and then wiped. This occurred some 12 hours after the latest WikiLeaks dump of predictably low-sounding emails. We repeat, no one's email has, in our experience, ever served as much of a letter of recommendation. Among the leaked emails were some that contained Mr. Podesta's password. We won't repeat it here, but we hope he's changed it by now.
Dave Bittner: [00:02:30:21] The FBI is said to be investigating the compromise of Podesta's accounts along with other Democratic Party hacking incidents. Russian intelligence services remain the prime suspects.
Dave Bittner: [00:02:41:03] Russian President Putin shrugs, continues denial, but then goes on to say that the whodunit's not important, rather, it's the what's-in-it. Coming across like the good-government bluestocking few would have suspected him of being, Mr. Putin suggests that people should worry more about the dumped emails' contents than they worry about how WikiLeaks got them. The unstated conclusion is that said contents ought to shock, shock us.
Dave Bittner: [00:03:06:11] With all due apologies to Mr. Putin, observers are fairly well convinced that the who in this particular whodunit, resides in Moscow. WikiLeaks is a convenient conduit but unlikely to be the hackers. The Russian interest is said to lie in discrediting the US political system. The White House has promised to "protect" US interests in cyberspace, but how the US will actually respond to Russian hacking remains up in the air. At week's end more foreign policy experts and defense intellectuals are calling for that response to be vigorous. If the policy mavens have their way, the US will err on the side of toughness, but sanctions still seem the likeliest response.
Dave Bittner: [00:03:45:05] Al-Qaeda, now clearly the junior varsity in jihad, is receiving much the same military pressure as the ISIS varsity, and Al-Qaeda is also turning to an ISIS-like campaign of online inspiration in the hopes of recouping its millennial jihadist mind-share.
Dave Bittner: [00:04:01:04] DDoS protection specialists at security firm Akamai continue their exploration of the IoT botnets that have been driving recent denial-of-service campaigns. They found the SSHowDowN crypto vulnerability in at least two million devices. Observers express frustration that this vulnerability persists. It ought, many think, to have been dealt with long ago since it amounts to a poor implementation of Secure Shell. Akamai has also reported on the other uses criminals are finding for compromised Internet-of-Things devices. Principal among these uses are tests of stolen credentials.
Dave Bittner: [00:04:35:13] The CyberWire heard from Rod Schultz, Vice President of Product at Rubicon Labs. He thinks the biological metaphor of a "virus" is an apt one and useful to understanding what's going on with IoT security. "Connect a device to a network and you must model that device as a biological entity. History has shown that certain biological viruses have catastrophic impact on society, and now that we are connecting billions of devices to a network, it’s time everyone understands that the same thing is going to happen to digital things". Schultz thinks giving devices unique credentials and identities could do against computer viruses what vaccines did against the biological pathogens.
Dave Bittner: [00:05:15:11] It's been an up-and-down week in industry news as downbeat projections concerning security spending from Fortinet drag down share prices around the sector. There have been exceptions, like Barracuda, but in general traders have punished cyber stocks this week. Investors, however, see more promising fundamentals and so regard many cyber stocks and their Exchange Traded Funds as offering buying opportunities.
Dave Bittner: [00:05:39:04] Verizon says it finds the Yahoo! breach "material", hinting that Yahoo!'s bad news will affect Verizon's planned acquisition of the troubled Internet giant's core assets. Most analysts expect the effects to be a deep discount in price, not a cancellation of the deal altogether. Yahoo! says it stands by its valuation.
Dave Bittner: [00:05:59:21] Finally, several new Android vulnerabilities surfaced late this week, including "Pork Explosion", a Foxconn factory debugger left behind in shipped devices. Pork Explosion can serve as a backdoor. We read that the backdoor was named by the researcher who discovered it; he's said to be a "barbecue enthusiast". The popular Nine Android app, used to access Microsoft Exchange resources, has also been found vulnerable to man-in-the-middle exploitation, but there appears to be a fix for this one being pushed out.
Dave Bittner: [00:06:31:04] And selfie enthusiasts beware. A bogus video app promises great selfies but actually delivers identity theft. Don't be taken in by it. It masquerades as an Adobe Flash Player app, but those of you who proofread your screens carefully won't be deceived. As often as not, it announces itself as "Adobe Flash Player." So keep it out of your digital abode and use a reputable app if you really must shoot yourself making duck lips.
Dave Bittner: [00:07:02:15] Time for a quick message from our sponsor, ClearedJobs.net. If you're a cyber security professional and you're looking for a career opportunity, check out the free cyber job fair on the first day of Cyber Maryland, Thursday, October 20th at the Baltimore Hilton, hosted by ClearedJobs.net, a veteran-owned specialist at matching security professionals with rewarding careers. The cyber job fair is open to all cyber security professionals, both cleared and non-cleared. It's open to college students in cyber security programs too. You'll connect face to face with over 30 employers like Swift, DISA and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching, all of it free, from career expert and Air Force veteran Patra Frame. To learn more, visit ClearedJobs.net and click Job Fairs in the main menu. That's ClearedJobs.net. We'll see you in downtown Baltimore. And we thank ClearedJobs.net for sponsoring our show.
Dave Bittner: [00:08:03:11] Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we got a message from a listener who heard a report recently about Amazon's proactive approach to requiring people to change their passwords. Amazon went through and compared passwords against known databases of passwords that have been in big breaches, and this listener said, 'So does that mean that Amazon has access to our passwords?'
Joe Carrigan: [00:08:33:03] I would say no, and the reason I say no is because Amazon strikes me as a company that does security right. They have a huge business from Amazon Web Services. So the way passwords are managed, or stored rather, is they're stored in what's called a hash, and you can think of a hash as a one-way encryption algorithm.
Joe Carrigan: [00:08:57:03] So I am going to encrypt something with the hope of never decrypting it again. There are properties of a good hashing algorithm, and one of them is that, given the output from a hashing algorithm, it's very difficult to determine the input.
Joe Carrigan: [00:09:12:21] Alright, now that doesn't seem like a very good encryption scheme because now I can't recover the data and, traditionally, you think I'm going to encrypt this data because I'm going to need it later, but it works perfectly for encrypting passwords. If I enter my password, and let's say my password is password123, because I like to pick passwords that are going to get me hacked immediately. I pick password123, that password goes into the hashing algorithm and the algorithm outputs what looks like a random string of characters. If I enter that same password again, it will output that same string of characters.
Dave Bittner: [00:09:50:20] I see.
Joe Carrigan: [00:09:51:16] So there's another factor that makes that much more difficult to guess, called salting the passwords, which is where I pick a random series of characters to either append or prepend to my password. That way now, if you and I both have password123 as our passwords, our hashes are different.
Dave Bittner: [00:10:08:10] Right.
Joe Carrigan: [00:10:09:03] So I cannot just go through the database and look it up. Your reader asks, 'Does that mean that Amazon has our passwords stored?' I'm going to go ahead and say no. Amazon is storing their passwords salted and hashed, and what they're doing is they're getting access to - and anybody can do this, just go out on the Internet and look for it - you can find lists of known passwords, and these are passwords that have been found through social engineering of passwords. People are predictable; they repeat the same process over and over again.
Dave Bittner: [00:10:38:21] Right.
Joe Carrigan: [00:10:39:03] Passwords are actually fairly predictable unless you use a random string of characters, and what they're doing is they're essentially cracking the passwords that they have in their database and, if they're finding a match, they are notifying the user that they have to change their password.
Dave Bittner: [00:10:53:13] What do you mean when you say 'cracking the passwords in their database'?
Joe Carrigan: [00:10:55:17] If I have a list of hashed passwords, imagine any of these breaches where you hear that somebody's leaked out hashed passwords.
Dave Bittner: [00:11:05:03] Right.
Joe Carrigan: [00:11:05:24] There's a program out there called Hashcat which runs on GPUs, on the graphics processing unit. That is incredibly good at parallel processing for hashing algorithms, and it works really well on these graphics cards. If I'm running MD5 - nobody should be storing their passwords in MD5, but chances are there are a lot of websites out there that you have accounts on that are storing their passwords in MD5 - I can hash those passwords from a dictionary. I can guess passwords at a rate of something like millions a second, take millions of guesses a second.
Joe Carrigan: [00:11:44:01] Amazon has their web services, their cloud and their elastic computing cloud, all those different products. They have all this processing power, so it seems to me - and I haven't talked to anybody from Amazon - but if I were going to guess at what they're doing, it's that they're using some of that processing power to go ahead and run a program that then hashes the passwords against users' accounts and sees if they get a hit. And if they get a hit then they notify the user, a hit being a matching password.
Dave Bittner: [00:12:14:07] A match to a known password from one of the publicly available databases.
Joe Carrigan: [00:12:17:10] Exactly.
Dave Bittner: [00:12:18:09] So, basically, there's a technical way that they can compare the passwords to the known passwords without them actually knowing what that password is.
Joe Carrigan: [00:12:27:17] That's right. Let me go on record here and say that I think this is an incredibly smart thing that Amazon's doing, because what they're doing is they're taking a database that they have, that they've gleaned from these sources. That means that other people have that list as well and they are saying that your password shows up in this list, you need to change your password because it's too weak.
Dave Bittner: [00:12:49:20] Thanks, Joe, for explaining it. It's good stuff. I'll talk to you again soon.
Joe Carrigan: [00:12:54:02] Yes, it's my pleasure.
Dave Bittner: [00:13:00:20] My guest today is Dave Larson. He's the COO and CTO at Corero Network Security, a provider of inline DDoS mitigation technology. With record breaking DDoS attacks in the news, we ask Mr. Larson for his perspective on how we got here and what can be done to protect against what seems to be a growing threat.
Dave Larson: [00:13:20:09] All these new large scale attacks have the same persona if you will. They are being orchestrated and operated out of IoT botnets with many thousands, hundreds of thousands of devices in order to get to the scale that was seen in the last week and a half.
Dave Bittner: [00:13:36:09] So what do you make of this? The reports are that the scale of these attacks doubled what had been seen previously. Is this a game changer?
Dave Larson: [00:13:48:00] Yes, I think it is. I think it's not surprising. In fact, I actually believe that that terabyte attack was not the first one. I think one of the funny things about this industry is that people claim the sizes but, if you know anything about DDoS attacks, oftentimes there is tremendous overflow of these attacks as you get closer and closer to the origin of the attack. I think these attacks have been well over a terabyte in scale and I think we've seen several of them occur, whether it's against organizations like Krebs or whether it's against PlayStation or Xbox over the Christmas holidays.
Dave Larson: [00:14:23:08] These attacks have been with us, but I think they are going to get worse. I would argue that, with the Krebs attack at 665 gig, the only entities that can meaningfully stop these kinds of attacks are the Tier 1 service providers that are transiting all this traffic anyway. There is no reason for them to carry the attack. The mitigating equipment and solutions are available, they are effective and they are economical. They can be used to stop this kind of activity before it even impacts anybody downstream, but only the operators themselves have the capacity and bandwidth scale to deal with the threat at this level.
Dave Bittner: [00:15:03:07] What are the motivations for why someone launches a DDoS attack?
Dave Larson: [00:15:07:10] In the Krebs case, it was retribution, oddly enough, because he outed them as a DDoS syndicate. So that was simply retribution. In reality though, there are a host of motivations and they're very wide ranging and it depends on the business that you're in.
Dave Larson: [00:15:23:11] If you are a carrier of large scale credit card transactions like TalkTalk, you might be attacked with DDoS for the purpose of distracting you from other forms of breach activity that are going on in your environment. If you're a media property or news property, you might be attacked for ideological reasons along the lines of political leanings. If you're a gaming site, you will be attacked as, frankly, an accepted part of gaming activity. So for the large entertainment gaming operators, massively multiplayer gaming, the users of the games, the players of the games, are actually viewed as legitimate to DDoS each other and the game platform as part of the rules of engagement and strategies of the game.
Dave Larson: [00:16:14:00] So you can see there's a host of different reasons why, but the fact is that the tools are virtually free, and so for anybody with a reason, there's very little barrier to actually acting out your motivations by launching a DDoS attack.
Dave Bittner: [00:16:28:14] So, in this arms race between those doing the DDoS's and those defending against it, what is our current state? Is there an upper limit, a practical limit for where this can go?
Dave Larson: [00:16:41:01] Yes. Unfortunately we have arrived at a situation through what I would call undisciplined network architecture or, not even that, just things that we allow to ingress into our network. People have had the sense that you can always just out-capacity anything. So when in doubt, add capacity. The problem with that is that the big operators have added capacity and now there is tremendous capacity, and there's virtually no limit to the size of an attack with IoT as a backdrop.
Dave Larson: [00:17:11:10] If there are billions of devices that can be incorporated into bots, then the scale is literally limitless in terms of the attack size. But there is a bright side to this. There are very, very simple things that people can do from a network operator perspective that, if implemented, would take care of much of the problem. So there is a best common practice that is defined by the Internet Engineering Task Force, the IETF, called BCP38. BCP38 is a best practice for ingress filtering that gets rid of spoofed IP addresses at the ingress to the operator networks.
Dave Larson: [00:17:50:07] If I just got rid of that problem alone, which is rampant on the Internet, allowing spoofed IP addresses - there's no reason to allow it - it would cut down the amount of DDoS by at least a factor of ten, if not higher. So there are silver linings here. These large scale attacks are starting to wreck businesses. They're starting to cause real problems for the operators, and it is my expectation that they are now going to act.
Dave Larson: [00:18:17:18] So while the attackers have the upper hand now, I expect that the operators are going to start to take at least the obvious common sense measures like BCP38 to start getting rid of much of the spoofed-IP attack traffic that takes place in DDoS. If you're an end user and you're connecting to a carrier, ask them what their DDoS SLA is, because I think what you'll find is that most of the time the DDoS SLA is, well, if you come under attack we promise that we'll start to do something in 20 or 30 minutes. In the modern Internet, that's not acceptable. Many of the Tier 2 and 3 operators are now adopting capability. Google clearly has the capability of dealing with instantaneous mitigation, automatic mitigation. There is no reason to suffer DDoS. The technology exists, the capability exists and certainly the bandwidth capacity is there. You just need to choose providers that are willing to give you a solution that will protect you from the problem.
Dave Bittner: [00:19:11:12] That's Dave Larson from Corero Network Security.
Dave Bittner: [00:19:19:07] And that's the CyberWire. Thanks to our sponsors who make the CyberWire possible. I want to remind you all to check out the Grumpy Old Geeks podcast, where I join Jason and Brian for what is quite often a colorful review of the week's cyber security news. We do have ourselves a good time. You can find Grumpy Old Geeks wherever the finest podcasts are available.
Dave Bittner: [00:19:38:06] The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jen Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend, everybody.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.