The CyberWire Daily Podcast 9.22.16
Ep 190 | 9.22.16

Record breaking DDoS, record breaking account info theft.


Dave Bittner: [00:00:03:17] The Russian government is the prime suspect in German political hacks. Russia reorganizes its security services, apparently the KGB is back in everything but name. KrebsOnSecurity sustains a record-breaking DDoS attack. And ransomware may meet data manipulation.

Dave Bittner: [00:00:25:16] It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:00:51:00] We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:23:01] I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, September 22nd 2016.

Dave Bittner: [00:01:29:20] Deutsche Welle has followed up yesterday's reports of a spearphishing campaign against German political organizations with more expert assessment that the compromise was probably accomplished on behalf of Russian intelligence services. The phishbait appears to have consisted largely of emails purporting to be from NATO.

Dave Bittner: [00:01:47:10] The evidence isn't dispositive, but observers think it points fairly clearly in the direction of Moscow. The Frankfurter Allgemeine quotes British expert Thomas Rid as saying there's "forensic evidence" that the hacks were linked to last year's intrusion into Bundestag networks.

Dave Bittner: [00:02:03:07] Many observers in Germany are comparing the incident to discovery in the US that Fancy Bear and Cozy Bear were deep into the Democratic National Committee's emails. The German incidents display no obvious ideological angle, as both the center-right CDU/CSU and the for the most part Moscow-aligned Left Party were affected, but either a deeper game or an unselective collector's passion seem to be at work here.

Dave Bittner: [00:02:27:06] In any case, there appears to be considerable Russian interest in electoral matters.

Dave Bittner: [00:02:32:21] As the US continues to mull the wisdom of a proposed separation of NSA from US Cyber Command, an idea favored by the current, dual-hatted leader of both organizations, and the separation of NSA itself from the Department of Defense, Russian intelligence services are undergoing their own reorganization. President Putin has announced the impending unification of the SVR, responsible for foreign intelligence, and the FSB, responsible for security, into a Ministry of State Security.

Dave Bittner: [00:03:03:09] Investigation of last weekend's bombings around New York suggest to many observers that the "lone wolf" metaphor for such attackers is inapt. The suspect shows signs of conscious connection to ISIS inspiration. Our analytic staff suggests that we take the metaphor seriously. A lone wolf is an aberration, since wolves are pack animals. If the wolves are within earshot of the howling, they're still in a pack, no matter how physically dispersed those wolves may be.

Dave Bittner: [00:03:31:21] Tuesday evening the well-known investigative security website KrebsOnSecurity suffered a major DDoS attack. DDoS defense provider Akamai has succeeded in mitigating the attack, but they're calling it one of the biggest distributed denial-of-service attacks on record, clocking the attack traffic at 620 gigabits per second. The largest attack Akamai had hitherto observed came in at 363 gigabits per second.

Dave Bittner: [00:03:57:07] That earlier attack, and other big attacks like it, were accomplished by botnets using DNS reflection or amplification. But the attack against KrebsOnSecurity was different in that it relied on no such amplification or reflection. Instead, Akamai says that the methods were "garbage" web attack techniques that "require a legitimate connection between the attacking host and the target." This suggests a very large botnet, possibly composed of IoT devices.

Dave Bittner: [00:04:23:04] An Akamai expert told Krebs that, quote, "Someone has a botnet with capabilities we haven't seen before. We looked at the traffic coming from the attacking systems, and they weren't just from one region of the world or from a small subset of networks. They were everywhere," end quote.

Dave Bittner: [00:04:39:15] Krebs thinks it's possible the attack is retaliation for his recent outing of the subsequently arrested proprietors of the DDoS-for-hire service vDOS. Some of the POST requests in the flood referenced "freeapplej4ck," the handle of one of the lads arrested.

Steve Durbin: [00:04:56:00] The ISF is a 26 year old not for profit organization, headquartered in London.

Dave Bittner: [00:05:01:04] That's Steve Durbin, managing director of the ISF, the Information Security Forum. We checked in with him to learn more about the ISF, and what non-profit member-based organizations have to offer.

Steve Durbin: [00:05:12:03] We provide a range of services to our members who are based all around the world from New Zealand across to South America and including of course the United States and the UK and Europe. But essentially we provide research services. We provide software tools and methodologies and we provide a sophisticated collaboration environment that is both digital and face to face and we do that from our analyst bases that are in London and New York and Chicago.

Dave Bittner: [00:05:39:16] And over the course of 26 years, I mean, certainly the landscape has changed. What are some of the, the developments that have been key to the evolution of the ISF?

Steve Durbin: [00:05:49:02] Yes, absolutely. I mean, it bears no resemblance today to, to what it did 26 years ago. I think, you know, back in those days it was all about focusing on the technology. It was about things like the firewalls and so on. Today of course it's very much more about the business of cybersecurity. It's about an increasingly more complex threat landscape. It's about how do you align some of the security services that you're providing both within an enterprise and indeed to an organization with the business requirements of those organizations too. So I think a very different focus today from what was prevalent all those years ago.

Steve Durbin: [00:06:28:18] I mean, really the bedrock of what we do is something called a standard of good practice. This provides some, some clear insight to our members, really around some of the controls that they ought to be putting in place across the security environment. That ranges from everything from physical, right the way through to mobile, cloud and so on.

Steve Durbin: [00:06:49:04] What we've also done with this is map it directly across to things like the NIST Cybersecurity Framework. That's very, very important for our American based members of course. But it doesn't stop there. It also goes across to ISO standards, to COBIT5, PCI DSS, a whole range of other standards. So, so really, if you're a multinational organization and you have to comply with these different standards or you wish to comply with these different standards, the standard of good practice is a good place to start.

Dave Bittner: [00:07:18:14] Do you think being a not-for-profit that that gives you the ability to approach things from a different perspective than, than a company that has to make money?

Steve Durbin: [00:07:27:18] I think it has a number of benefits, Dave, certainly. I mean, you know, we do always have to be focused on delivering member value clearly in everything that we do. But it does mean that we're able to be very cost effective in terms of the way that we deliver that value back to the membership. It also means that we are very focused on remaining independent and objective, so we don't go out of our way to promote vendor products and services and so on.

Steve Durbin: [00:07:55:04] And I think the other unique thing about the ISF is that our shareholders effectively are our members. So there is a very clear line of sight between an organization that joins as a member, the research and deliverables that they receive that is in response to their request, and also our governance structure. So it's a, it's quite a unique way of going forward, but it's certainly served us well over the last 26 years.

Dave Bittner: [00:08:20:24] That's Steve Durbin, managing director of the ISF, the Information Security Forum.

Dave Bittner: [00:08:27:08] Some late breaking news, Yahoo! has confirmed that information on at least 500,000,000 user accounts has been stolen. The Wall Street Journal reports that Yahoo! says the hack occurred in 2014, and that Yahoo! thinks a "state sponsored actor" was responsible. Observers note this is the largest ever publicly disclosed data breach.

Dave Bittner: [00:08:47:13] And, finally, ransomware continues to afflict enterprises around the world. Academic institutions appear to have surpassed healthcare as the sector most targeted by criminals. What those sectors have in common is their collection and retention of large quantities of personal data.

Dave Bittner: [00:09:02:17] Yesterday we were at the third annual Senior Executive Cyber Security Conference, organized by the Johns Hopkins University's Information Security Institute. We heard Johns Hopkins Professor Avi Rubin, who blocked out a new and disturbing future for ransomware. "Why," he asked rhetorically, "simply encrypt files? Why not manipulate data instead? Suppose you were able to establish persistence in a hospital's network and systematically alter patient medical records for a few months. Then you could approach the hospital, point out that their data was corrupt, and that you can prove it, but don't worry, you could offer to restore the integrity of their data, for a fee. And don't call it a shakedown, call it a "subscription"." Professor Rubin, you've got a dark imagination.

Dave Bittner: [00:09:51:15] We've got another message from our sponsor Recorded Future. What are you doing the first week in October? If you're a threat intelligence enthusiast consider joining Recorded Future for RFUN 2016 in Washington DC, on October 5th and 6th. This year's annual conference promises to be at least as good as the last four, after all it's organized by Recorded Future, the people who know a thing or two about collection and analysis of the information out there on the web.

Dave Bittner: [00:10:15:00] Recorded Future customers, partners and threat intelligence enthusiasts are all invited to RFUN 2016. Meet others like you, people who understand that cybersecurity depends on actionable intelligence. Network with your information security peers to learn how others apply threat intelligence. RFUN is the place to be if you're a threat intelligence enthusiast. Register now, it's free, at That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:10:52:08] Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, we're coming up on the end of President Obama's second term in office and that is a time when the President considers who they may grant presidential pardons to and I think certainly at the top of many people's minds is Edward Snowden and we're seeing compelling arguments, I'd say from both sides, for and against a presidential pardon. Can you walk us through those arguments?

Ben Yelin: [00:11:18:21] Yes, I think there are compelling arguments on both sides, and I know this topic has come to a head recently because of the release of the new Oliver Stone film about Edward Snowden's life. And in fact we've seen compelling arguments within institutions themselves. First we saw it within the NSA, there was a 60 Minute segment several months after the Snowden disclosures in 2013, where there was a divide between the director of the NSA, Keith Alexander, who argued that Snowden should not be pardoned. A pardon would be a moral hazard and that it would encourage other contractors or employees within the National Security apparatus to leak documents knowing that there would not be any adverse consequences.

Ben Yelin: [00:11:59:21] Whereas the deputy director, a man by the name of Richard Ledgett,actually entertained the possibility of a presidential pardon saying that because Snowden possessed hundreds of thousands of pages of classified material, it may be in the government's interest to try and deal with him, to try and get him to forfeit the material in exchange for some sort of immunity including a presidential pardon.

Ben Yelin: [00:12:22:06] And we've also seen this argument play out in the Washington Post interestingly over the last week. The Washington Post received a Pulitzer Prize for their coverage of the Snowden disclosures back in 2013, yet their op-ed board this past weekend wrote an editorial saying it would be improper to pardon Snowden, much for the same reasons that General Alexander illustrated in his 60 Minute segments.

Ben Yelin: [00:12:50:06] But then today we saw an op-ed from one of the media specialists who work at the Washington Post who took a different view and said the disclosures were extremely valuable for our public policy debate and it's hard to understate the policy effects of the, of the disclosure. We had a national conversation specifically about bulk metadata of phone records, that led to the enactment of the USA Freedom Act which basically ended that bulk metadata program.

Ben Yelin: [00:13:19:24] So it's hard to argue that the disclosures haven't had an enormous public policy impact and that without the disclosures we wouldn't have been able to have this, this national conversation. So again, I think these are very compelling arguments. It's something where we see the typical divide between civil libertarians who, who prize the concepts of transparency and openness and allowing the public to have full knowledge of some of these clandestine programs, against the security apparatus who understands the threats posed by divulging classified information and in many cases may be privy to other secret information indicating the damage done by some whether it's cost the lives of US soldiers on the battlefield or otherwise. So I think you're absolutely right that both sides have compelling cases.

Dave Bittner: [00:14:08:04] Alright. Time will tell. Ben Yelin, thanks for joining us.

Dave Bittner: [00:14:14:05] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.