The CyberWire Daily Podcast 9.29.16
Ep 195 | 9.29.16

Yahoo! hackers seem to have been crooks (who sold to other crooks, and to government(s)). Toxic data and credential problems. Election hacking.

Transcript

Dave Bittner: [00:00:03:10] Terabit-per-second DDoS may become the new normal. The real threat in the IoT? A hint: security cameras are to the Internet what squirrels are to the power grid. InfoArmor looks into the Yahoo! Breach and finds more crooks than spies. But the crooks may be fencing data to the spies. Toxic data, sockpuppets, security questions, and even Major League Baseball.

Dave Bittner: [00:00:30:17] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever.

Dave Bittner: [00:00:56:11] We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:28:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday September 29th, 2016.

Dave Bittner: [00:01:34:22] The very large distributed denial-of-service attacks sustained by investigative journalism site KrebsOnSecurity and French hosting service OVH seem to have abated, but they've shaken confidence in Internet users' ability to ride out such attacks. When these DDoS attacks are described as "very large," that's perhaps an understatement. KrebsOnSecurity received 620 gigabits-per-second of attack traffic, which dwarfed what DDoS mitigation specialists at Akamai believe was the former record, set in June 2015, that was 363 gigabits-per-second. But the OVH attack makes what KrebsOnSecurity suffered look puny. OVH says it was hit with 1.1 terabits-per-second.

Dave Bittner: [00:02:18:07] Both attacks were conducted through Internet-of-things botnets, which is itself very troubling. Many of the devices herded into the botnets were routers and security cameras. Ars Technica says that 145,000 cameras were involved in the attack against OVH. That such devices can be exploited isn't news, nor is it surprising. Security arrived relatively late to the IoT design party, and many of the devices themselves are computationally impoverished, difficult to patch, owned by poorly resourced users, and themselves near, at, or beyond their own end-of-life. And thus often unpatchable even if the users were willing and able to do so.

Dave Bittner: [00:02:56:14] Consider security cameras. We still tend to call them "closed circuit," but that hasn't been true for a long time. They're networked. And many of them are securing mom-and-pop businesses. And remember, Mom and Pop work hard, have low margins, no IT staff, beyond maybe a kid or a grandkid, and probably can't quite recall how long ago they set that camera up. Mom and Pop aren't negligent, stupid or lazy, probably quite the opposite. But you've got to have reasonable expectations about their security awareness and, above all, about their resources.

Dave Bittner: [00:03:28:09] Akamai told Ars Technica that terabit-per-second attacks may become the new normal. There's been much sensationalist fear, uncertainty and doubt talked up around the Internet-of-things, much of it the, "Beware, your refrigerator may be out to kill you" or "Your coffee pot may have murder in its semiconducting heart." But here's the real near-term issue, poorly secured but well networked IoT devices can be herded into DDoS botnets that can take down significant portions of the grid.

Dave Bittner: [00:03:57:09] There's an analogy here to vulnerabilities in other kinds of networks. We hear much, for example, of the risk that the electrical power grid could be hacked. And the disparate nature of the power grid, which we've heard people from NERC describe as a "hodgepodge" and they mean that in a good, resilient way. A hodgepodge is difficult to take down across a country or a continent. So, an ice storm, a failed transformer, or even a misplaced squirrel or snake won't take out a continental grid. But storms, squirrels and snakes can still have major local or even regional effect. So can attackers.

Dave Bittner: [00:04:31:11] The other network people, in the United States at any rate, are worrying about is the network, or more properly networks, used to conduct voting. This one really is too disparate to count as a single grid or anything remotely resembling a system-of-systems. It's a mix of online, airgapped electric and manual systems, all run by each of the 50 states. The FBI has warned Congress this week that there may have been more, presumably Russian, attempts to access state voter registration databases.

Dave Bittner: [00:04:59:09] The FBI is also investigating an apparent Russian attempt on Democratic Party politicians' phones. Thomas Pore, of Plixar, commented to the CyberWire that we need to remember how much we've come to depend upon our phones for our connection to work. "Campaign staffers and party officials are no different," he observed. Embarrassing leaks are one thing, but there is even more sensitive information on the phones than that. "Phones of staffers also contain real-time information sources such as GPS coordinates, microphones, and cameras for surveillance opportunities."

Dave Bittner: [00:05:32:10] Content delivery networks are an effective way of increasing the performance of your website, but they're not without risks. We checked in with Ferruh Mavituna from Netsparker about the security of CDNs and protecting them with subresource integrity checks.

Ferruh Mavituna: [00:05:46:16] Well CDN, as a concept, became quite popular recently. We had Amazon delivery networks and we had so many other delivery networks, people use them either for performance or just simply include a javascript format for a then open content delivery network to hope that their visitors have that content in their cache and, therefore, their website will get passed it.

Dave Bittner: [00:06:13:14] So what are some of the security issues when it comes to content delivery networks?

Ferruh Mavituna: [00:06:18:04] The problem with content delivery networks is that you are effectively to us a third party. We talk about vulnerabilities such as cross-site scripting. When an attacker can execute javascript on your website, that effectively means, when you trust a third party to deliver you javascript, you can't really trust it because if this third party, by themselves, or if they got hacked, changed the content of this file they can start executing javascript on your website and that means that now there is a cross-site scripting.

Ferruh Mavituna: [00:06:53:20] Even though your website is completely secure and you have done everything in your power, because your content delivery network got hacked, you get hacked automatically and the nature of these trust relationships, obviously, also makes content delivery networks a prime target for attackers because, if you can hack a content delivery network, you can hack thousands of websites, by design. Your console here, you can put something in there and it will get executed in thousands of websites.

Dave Bittner: [00:07:33:04] So describe to me what subresource integrity is, SRI?

Ferruh Mavituna: [00:07:37:20] So subresource integrity, the way it works is it supports the browsers. So it's a crime site protection. So with subresource integrity, while including a reference such as a javascript file, such as a j-crypt library, you say, here is the content of this library, here is the hash of it, which is like a signature of this file, and if any part of it, even if it's one character off that content is changed, that signature will be changed. So you create that signature by hashing it, and then in your website you say, get j-crypt library from this content delivery network and the signature must be this. Now when your browser calls that javascript library, it checks the signature. If the signature of that file doesn't match to what you're expecting, what you are declaring while calling that file, browser will not load that file. But, by doing so, by providing this signature, you will make your website secure against these threats.

Dave Bittner: [00:08:44:06] That's Ferruh Mavituna from Netsparker.

Dave Bittner: [00:08:47:22] InfoArmor has published an extensive report on the Yahoo! Breach. They conclude that two distinct criminal hacking groups were involved, along with a third black market reseller. The groups that stole the data, InfoArmor says, sold them at least three times: once to a "state-sponsored actor." It's worth noting that "state-sponsored" can include a wide variety of groups in addition to government agencies and services themselves. Sympathizers, activists, terrorist organizations, crime syndicates and an array of hired guns can all, under the right circumstances, legitimately be considered "state-sponsored." Thus, "criminal" and "state-sponsored" are far from mutually exclusive, and states are using more fronts and cut-outs in cyberspace in an updated form of traditional information operations and espionage tradecraft.

Dave Bittner: [00:09:35:09] Finally, we turn to one more lesson being drawn from the Yahoo! Breach. If an organization can avoid collecting names, addresses, mothers' maiden names, first pets, the middle school you attended and the name of your favorite baseball player when you were a kid, that would be all the good. Observing the way security questions were compromised in the Yahoo! Breach, Wired suggests it's time to start telling lies. So we recommend that our Editor change his answer from "Ron Swoboda" to "Ed Kranepool." As any old Mets fan would know, both Kranepool and Swoboda were amazin'. Besides, probably "Marvelous Marv Throneberry" is already taken.

Dave Bittner: [00:10:11:24] So as the Major League Baseball wild card race comes down to the wire, we'll just say, "Let's go Mets." But even more so, "How ‘bout them O's, hon?" We're predicting a rematch of 1969.

Dave Bittner: [00:10:30:17] Time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet by yourself, no matter how many analysts you might have on staff. And we're betting that, however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:35:09] And I'm joined once again by Doctor Charles Clancy, he's the Director of the Hume Center for National Security and Technology at Virginia Tech. Doctor Clancy, I know an area of research for you is software defined networking, when we're talking about that, well what do we mean?

Charles Clancy: [00:11:49:14] Software defined networking is a relatively new concept. It's come out over the last five years, but it's this notion of decoupling the control plane of a network from the data plane of a network. So right now, in a typical enterprise network and even in the core of the Internet itself, you have things like routing packets that are co-mingled with user traffic. This has created sort of a fundamental property of the Internet and networks that we know today. Software defined networking decouples these two and creates a separate control plane, isolated from the data plane, which allows the control plane to actually reconfigure the data plane, because it's no longer dependent upon it. This enables a lot of different applications such as load balancing and traffic engineering.

Charles Clancy: [00:12:33:09] But also fundamental changes in the network topology as a function of real-time traffic that's been observed. So lots of exciting things going on in this community. One particular protocol, OpenFlow, is most commonly associated with software defined networking and is generally being embraced as at least one standard in this emerging ecosystem.

Dave Bittner: [00:12:51:22] And so what are some of the security opportunities and challenges that we'll face with this technology?

Charles Clancy: [00:12:56:21] Well, first, I'll talk about the opportunities. By being able to rapidly reconfigure the data plane of your network, there's lots of opportunity for new active defense countermeasures in both enterprise networks and the core Internet itself. So this gets to this notion of moving target defense where the topology of the network and the structure of the network can be constantly changing. So, for example, you may be able to more quickly react to attacks, you may be able to identify a particular distributed denial of service attack that's attacking your network and reconfigure your network to block that traffic at the source rather than at the destination. Or you may be able to identify botnets at scale and be able to block command-and-control channels for botnets.

Charles Clancy: [00:13:39:05] So it gives you one more tool in terms of building an active network defense. On the downside though, obviously there are new protocols being developed. With regard to the control plane, there aren't really best practices around how to protect it. In particular, the OpenFlow standard itself. The original standard had TLS that's required for security but the newer versions have made TLS optional, which makes it easier to deploy and easier to provision but at the expense of potential security. So far I haven't seen any major intrusions into OpenFlow networks, but if you're able to get access to the OpenFlow controller then you really have the crown jewels of the network at that point because that's where all the control for the entire network is happening.

Dave Bittner: [00:14:23:17] Alright, Doctor Charles Clancy, thank you for joining us.

Dave Bittner: [00:14:28:04] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. The Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thank you for listening.