The CyberWire Daily Podcast 7.28.16
Ep 151 | 7.28.16

ISIS doubles down on info ops. Window shopping in crimeware souks.

Transcript

Dave Bittner: [00:00:03:08] ISIS again celebrates murder online, using it as inspiration. Security experts approach consensus that Russia was behind the DNC hack. WikiLeaks’ Assange says he released the DNC files when he did to damage nominee Clinton. KeySniffer inhales strokes on Wi-Fi keyboards. Smart light bulbs shown to render IoT networks vulnerable. Ransomware and DDoS trends. A new US policy outlines agency responsibilities during cyber incidents. And Pokemon GO may get you to go places you shouldn't.

Dave Bittner: [00:00:39:18] Time to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And, even better, if you're at Black Hat this year, do swing by booth 1124 and chat with the Cylance people. Cylance: artificial intelligence, real threat prevention. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:42:02] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Wednesday, July 27th, 2016.

Dave Bittner: [00:01:49:09] ISIS claims credit online for the horrific attack in a church just outside of Rouen, France. The Caliphate’s haste to associate itself with the murder suggests the sort of content the terrorist organization finds effective in information operations. The killers themselves spoke and acted in ways consistent with ISIS inspiration. A study finds evidence that such inspiration continues to reach a large enough audience to be worrisome. Some are ideologically committed, others appear to be simply disturbed individuals vulnerable to what the New York Times’ stable of academic experts is calling contagion.

Dave Bittner: [00:02:23:22] Most security experts have reached consensus that the DNC hack was a Russian job, and in all likelihood a Russian-government job, albeit in a deniable way. Evidence remains necessarily circumstantial, but a great deal has accumulated. Why the Russian government would be interested in hacking the DNC remains an open question. Some see the DNC hacks as part of President Putin’s long game to discredit post-Cold War international democracy and dismantle its sustaining institutions like NATO and the EU.

Dave Bittner: [00:02:54:17] Why WikiLeaks released the hacked documents is no mystery at all. Julian Assange says he timed the release to damage US Democratic Presidential nominee Hillary Clinton, whom he views as an inveterate opponent and the author of many of Assange's troubles.

Dave Bittner: [00:03:09:13] STEALTHbits Technologies' Brad Bussie sees encryption as the basic defensive tool enterprises ought to use. "The technology to encrypt emails is well known, but not commonly implemented. The main reason for this is complexity and infrastructure cost. Most weigh the value of the information that is transmitted against what it would cost to protect it. If the protection cost outweighs the value of the information, then most do nothing, and let operations continue as normal." He suggests that enterprises might wish to take a hard look at such cost-benefit calculations.

Dave Bittner: [00:03:41:13] Lastline’s John Marshall reminded us of some of the other reasons enterprises decline to encrypt. “The use of web-based email that requires two-factor authentication does help in terms of encrypting access, but the usability and functional differences these have to corporate mail systems will lead users to prefer to use those, which typically rules encryption out.”

Dave Bittner: [00:04:04:12] The Democrats are holding their national convention this week in Philadelphia, and last week the Republicans held their convention in Cleveland. Keeping that convention safe, both physically and from cyberattacks, was the responsibility of the Cleveland Host Committee, a non-profit, non-partisan organization. On the cybersecurity front, one of the organizations they brought in to protect the convention was Dark Cubed. Vince Crisler is CEO at Dark Cubed, and he told us about the preparations during the run-up to the convention.

Vince Crisler: [00:04:32:14] At the end of the day, the real force of the effort is only a couple weeks long at most. We deployed our product about eight or nine months earlier, so we could start getting a baseline of what does traffic look like on that network, and understand good versus bad, and start to triage and understand whether the level of attack is changing as we get closer to the convention or not. As we came closer to the convention, resources start spinning up, and you start looking at how exposed is this network? What are the exposed ports from the outside? What are the architecture and configuration of that network from the inside? Then you come up with a game plan. That's what was really exciting to me about the team that we worked with for the convention. It wasn't a huge team, but it was a team of people that had great experience and capability. So it's applying those creative tactics to securing that network.

Dave Bittner: [00:05:29:12] There's that old saying that the best defense is a good offense. Crisler and his team used that strategy in Cleveland.

Vince Crisler: [00:05:36:10] My fundamental philosophy in cybersecurity is offense always wins, defense always loses, no matter what. So, if somebody wants to hack a network, and they have enough time, money and commitment, they will be successful. What that informs, then, is a different approach to cybersecurity. It's broken out into a couple of different pieces. One, is how do I protect my network as best as possible given the resources I have? Two, is how do I find out sooner rather than later that something has happened? And three, is how do I respond as quickly as possible to minimize the damage once something does happen? And so, when we came at the security infrastructure for the convention, it was really coming at it with, okay, we've done our work on some of the basics, in terms of how do you minimize the exposure of the network? So, minimizing the number of connections, minimizing the number of open ports, having good awareness of all the devices that are on the network.

Vince Crisler: [00:06:24:19] But, then it's really focused on, how do you discover that something strange is happening within those networks? And that's where you start to see interesting things. Because we were very proactive, in terms of segmenting that network out - so you're segmenting out the official users from the guest users, from the other infrastructure - you're able to watch activity in each of those segments independently. We certainly saw, on the guest wireless, as machines would come in and start instantly pinging out to botnets or malware command and control servers, those would spike in our systems. I remember one morning, I think it was Tuesday or Wednesday morning, that a machine connected to the guest Wi-Fi, and within two hours it had done thousands of requests out to a foreign IP address. We saw that there was UDP traffic traveling overseas, and we were able to block that traffic, but we were able to continue to see it ping, and it pinged for about 5.5 hours until finally giving up.

Vince Crisler: [00:07:20:00] There were certainly lots of other malware, botnet sorts of activity. There was lots of external scanning, that you would expect to see, but we were watching that in real time and blocking those as they came in.

Dave Bittner: [00:07:32:10] That's Vince Crisler, he's the CEO at Dark Cubed.

Dave Bittner: [00:07:38:02] Two recently discovered vulnerabilities are worth noting, and they also involve encryption issues. In the first, Bastille Networks describes KeySniffer, a vulnerability in low-cost Wi-Fi keyboards that don’t encrypt keystrokes before sending them to the Wi-Fi dongle. Bluetooth devices aren't affected. An attacker could intercept those keystrokes from distances of more than 100m.

Dave Bittner: [00:08:00:09] In the second, Rapid7 has reported nine vulnerabilities in Osram’s Lightify smart lightbulbs, the most serious of which could permit attackers to capture authentication handshakes. Osram has patched four of the nine bugs. So, businesses, you may not be that interested in your lightbulbs, but those lightbulbs may be interested in you.

Dave Bittner: [00:08:20:23] Insignia Security reports finding UK telco O2 customers' credentials for sale on the dark net. The credential stuffing problem originates in password reuse. We heard from Tripwire’s Travis Smith, who pointed out that, “Password reuse can cripple even the most secure systems. Using authentic credentials, rather than attempting to leverage exploits, is less risky for the attacker, as security tools are more likely to detect an active exploit. Since passwords are commonly reused across websites, stolen credentials from one breach are often used across other sites.” Many observers of this breach recommend using a password manager. A good idea, to be sure, although such products aren't a panacea either. Google’s Project Zero has found a hole in password manager LastPass.

Dave Bittner: [00:09:06:20] Ransomware and denial-of-service attacks continue to be the leading forms of cybercrime affecting businesses and individuals. F-Secure is being quoted as saying a ransomware gang has admitted its connection to an unnamed Fortune 500 company that allegedly hired the crew to disrupt competitors.

Dave Bittner: [00:09:23:21] Mike Patterson, CEO of Plixer, commented on this to the CyberWire, saying, “I wouldn't be surprised if we hear about big companies launching ransomware attacks. The attacks however don’t mean they were approved by executive management. The best defense right now is to educate employees to be careful when clicking.”

Dave Bittner: [00:09:42:18] Locky and CryptXXX, of course, remain among the leading strains of ransomware circulating in the wild. Healthcare organizations continue to be preferred but not exclusive targets.

Dave Bittner: [00:09:53:02] DDoS is also on the rise, with targets in Russia prominently affected. DDoS can be conducted with straightforwardly criminal motives, but it’s also a common hacktivist tactic. Terbium Labs researchers are watching an actor calling himself, herself, or themselves, The Israeli Falcon, who’s involved in DDoS attacks against various Palestinian targets. The nominal motive is retaliation for Anonymous’s OpIsrael, although the Falcon also uses a Guy Fawkes mask, as anyone could.

Dave Bittner: [00:10:23:00] In the US, President Obama yesterday issued PPD-41, Cyber Incident Coordination, establishing a much commented on color system for the severity of cyber incidents. Many industry observers wonder where the last few years' high-profile attacks would fall on the scale. The policy also fixes roles and missions for cyber attack response. The FBI leads threat response, DHS leads asset response, and the ODNI leads intelligence blocking and tackling.

Dave Bittner: [00:10:52:13] Finally, unscrupulous Pokémon GO players have cooked up geospoofing bots that enable them to cheat. We’re shocked, shocked, that there’s cheating going on in an online game. And Pokémon have turned up inside another denied area, the hot zone of Japan’s breached and broken Fukushima nuclear reactor. A tip, if you’re in Japan, don’t go into Fukushima, even for a Magmar, Venusaur, or Gardevoir. Okay, well, a Gardevoir, but wear your full protective gear, kids, or maybe a geospoofing bot. And then, trainers, as you look back, you can say, “We’ll always have Fukushima.”

Dave Bittner: [00:11:32:06] Time to take a moment and tell you about our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop, and that's a good deal in anybody's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at netsparker.com.

Dave Bittner: [00:12:06:10] You can try it out for free with no strings attached. Go to netsparker.com/cyberwire for a 30-day fully functional version of Netsparker Desktop. And by fully functional, Netsparker means, yes, really fully functional - scan those websites with no obligation. Check it out at netsparker.com/cyberwire. We thank Netsparker for sponsoring The CyberWire.

Dave Bittner: [00:12:33:23] I'm joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you mentioned that you've been seeing an uptick in DDoS attacks lately?

Dale Drew: [00:12:44:16] We really have. Not only have we been seeing an uptick in DDoS attacks from a volumetric perspective - our average DDoS attack is between 10 to 15 gigs. We've seen that increase quite exponentially. We've been seeing DDoS attacks in the 75 to 100 gig range a little bit more common here lately. We're also seeing an increase in in-application DDoS attacks, where bad guys are getting much more creative and much more direct, and being able to pretend to be millions of legitimate users gaining access to an application and consuming the resources of that application, which makes it very difficult to stop a DDoS attack.

Dale Drew: [00:13:29:00] And then we're also seeing a very large uptick in what we believe to be fake DDoS ransomware hoaxes. We've seen a number of ransomware attempts going out to customers, that appear to represent well-known DDoS hacking groups, like the Armada Collective and the Lizard Squad, but they're not the same sort of MO. They're using much different sort of tactics in getting ransomware for them. So, we believe that people are pretending to be these collectives to make a quick buck.

Dave Bittner: [00:14:02:15] Dale Drew, thanks for joining us.

Dave Bittner: [00:14:05:17] That's The CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com.

Dave Bittner: [00:14:15:08] Thanks to all of our sponsors who make the CyberWire possible. The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.