The CyberWire Daily Podcast 10.24.16
Ep 211 | 10.24.16

Recovering from Friday's IoT-botnet driven Internet outages. Industry notes and news of cyber conflict in East Asia and the Middle East. And US-Russian tension in cyberspace remains high.

Transcript

Dave Bittner: [00:00:03:19] The internet has recovered from Friday's DDoS attacks on DNS provider Dyn, but its users are suffering from a significant hangover. No attribution but the Jester thinks he's, she's or they're on the case. Observers see significant potential for more damaging IoT based attacks to come. And Hal Martin's lawyer foreshadows his clients' defense in the case of the top secret collector's collection of top secret documents.

Dave Bittner: [00:00:34:17] Time to take a moment to thank our sponsor E8 Security. You know to handle the unknown, unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score user's risk? E8 can show you how. Did you know for example that multiple Kerberos tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the white paper at e8security.com/dhr and get started. Detect, hunt, respond. E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:24:10] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 24th, 2016.

Dave Bittner: [00:01:28:05] The internet is largely recovered from Friday's very large denial-of-service attacks. But cyberspace and its inhabitants have clearly arrived at an inflection point as important as the revelation of Stuxnet or the defection of Edward Snowden.

Dave Bittner: [00:01:45:00] A botnet composed of hundreds of thousands of poorly secured devices, took out large sections of the internet in at least three continents with effects felt worldwide. Thus the Internet-of-things has been effectively weaponized. The Sunday Times put it this way, "Hackers smell blood after co-opting the Internet-of-things."

Dave Bittner: [00:02:04:03] Arriving in several waves throughout the day, the distributed denial-of-service attacks produced outages mostly in the United States, Western Europe and Australia. DNS provider Dyn was the central point of attack, although Dyn itself may not have been the ultimate target. The effect of the attacks cascaded through many popular sites, rendering services including PayPal, SoundCloud, Spotify, Reddit and Twitter temporarily inaccessible.

Dave Bittner: [00:02:30:10] The DDoS attack called by many the largest on record, follows the template established by the September 20th attacks against KrebsOnSecurity. In which the Mirai Trojan herded a large number of insecure Internet-of-things devices in to a botnet that flooded its target with more requests than the host could handle. The servers used as part of Dyn's enterprise offerings were especially targeted.

Dave Bittner: [00:02:52:19] The compromised devices include prominently security cameras and home routers, and it's thought that hundreds of thousands of these were used in the attack. Given that there are so many of these devices in the hands of small businesses, and private users, and given that they tend to be poorly patched and protected, it's expected that mopping up the vulnerabilities could take years.

Dave Bittner: [00:03:13:16] Level 3 estimated that Mirai has infected at least 500,000 devices. ESET has also studied the problem using a sample of 12,000 SOHO routers, whose owners voluntarily participated. The Bratislava based company found as it told Softpedia that 15% of the sample had weak passwords, and 20% had open telnet ports, both of which are to say the least, very bad practices indeed.

Dave Bittner: [00:03:41:12] One manufacturer of components used in DVR's and network security cameras says that its products were among those roped in to Mirai's botnet. Hangzhou Xiongmai technology said that vulnerabilities involving weak passwords in its devices were partially responsible for the disruption. It had issued firmware updates in 2015 and since then has asked customers to change default passwords. But the vulnerabilities persist in older, unpatched devices. And presumably also in those whose factory default passwords were left in place.

Dave Bittner: [00:04:14:13] No one yet knows who's responsible but there's plenty of suspicion to go around, most of it centering on either hacktivists or Russian intelligence services. The WikiLeaks-friendly New World Hackers Tweeted claims of responsibility for the attacks, but observers remain cautious about buying that attribution. It's possible this could have been hacktivism, given publication of Mirai's source code in the wake of September's attacks. But it's also possible as former NSA director Keith Alexander speculated Saturday at CyCon U.S, that the operation was a test run by hostile security services interested in establishing a disruptive capability. Alexander said, "I can't think of any reason for doing what happened yesterday, other than as a rehearsal."

Dave Bittner: [00:05:00:12] In any case there's been no official attribution yet and no overt response beyond the mitigation steps taken to restore normal functionality. There has however been an apparent hacktivist response, late Friday an older but still accessible version of the Russian foreign ministry's homepage was defaced, with the following text, in English, 'Comrades. We interrupt regular scheduled Russian foreign affairs website programming to bring you the following important message. It doesn't matter whether it's you and China, you and North Korea or you and some random group calling themselves New World Hacking. It's still a pathetic flex. Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed. Now get to your room, before I lose my temper'.

Dave Bittner: [00:05:47:22] This message was signed by an apparent hacktivist styling himself Jester. Jester if in fact that's him or her, or they, has hitherto been best known for defacing Jihadist sites and has also been name-checked on Mr Robot.

Dave Bittner: [00:06:03:12] The Russians aren't happy, even if it's an older site they say they no longer actively maintain and have commented on Facebook to that effect. Their specialists are working on the hacks as the foreign ministry and if the Americans are behind it, “that would be far from pleasant.” Vice President Biden is singled out for mentioning dispatches with the suggestion that even if this is mere patriotic hacktivism, the US government would bear responsibility for inciting it and putting in train a cyber machine of destruction.

Dave Bittner: [00:06:36:04] IoT driven DDoS campaigns make for a depressing view of the near future. Someone had evidently devoted some thought about how to accomplish this on a large scale. Security expert Bruce Schneier warned last month that, “Somebody is learning how to take down the internet.” As he put it in a September 13th blog post, “Over the past year or two someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks, designed to determine exactly how well these companies can defend themselves and what would be required to take them down. We don't know whose doing this, but it feels like a large nation state. China or Russia would be my first guesses.”

Dave Bittner: [00:07:19:23] The economic consequences of the interruptions were far from trivial even over this relatively short span of time. For small businesses who in a normal day might make half a dozen online sales, using PayPal, the outage hurts. The Sydney Morning Herald notes several of the businesses who lost revenue in Australia during the disruption. They included Ticketmaster, Woolworths and several banks. Many observers note the potential for far more serious harm.

Dave Bittner: [00:07:47:18] And finally turning from Mirai to legal matters closer to home, Hal Martin the former NSA contractor accused of removing classified material to his house in the Baltimore suburb, foreshadowed one aspect of his defense Friday. There is nothing to indicate that Hal Martin is a traitor, his lawyer told the magistrate who ruled that Mr Martin would be held in jail pending trial. Instead he's a “Voracious learner, committed to being excellent at his work.” Which efforts had self betterment and professional advancement led him to bring stuff home to get better at his job. 'What we see is an individual who is a collector'. That's certainly one way of looking at it. But kids and we know there are kids out there, since Admiral Rodgers told us during CyberMaryland last week that he had a bunch of you interning for him at NSA, please don't try this at home.

Dave Bittner: [00:08:43:22] Time to take a moment to thank our sponsor Delta Risk, this Chertoff Group company provides managed security services and risk management consulting to clients worldwide. Since 2007, Delta Risk has offered expert knowledge on technical security, policy, governance and infrastructure protection, to help organizations improve their cybersecurity and protect their business operations. And here's some advice they're sharing now, it's great to focus on prevention, but the reality is that prevention will at some point fail. So it's essential to have a comprehensive incident response plan to mitigate the impact of an attack when it happens. But most organizations don't have a proper cyber security incident response plan in place. So here's a step any organization can take. Test your plan against the challenges outlined in Delta Risk's white paper, Top 10 Cyber Incident Pain Points. Are you prepared? Find out more at delta-risk.net/topten. That's delta-risk.com/topten. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:09:52:00] Joining me once again is Dr Charles Clancy. He's the director of The Hume Center for National Security and Technology at Virginia Tech. Dr Clancy there seems like there's some progress being made when it comes to quantum computing and that could lead to some troubles with encryption?

Dr Charles Clancy: [00:10:07:09] Certainly. With the introduction of Shor's algorithm several years ago, there was the path such that if a quantum computer were fully realized that encryption standards such as RSA that are based on the difficulty of factoring a large composite number in to the product of two primes, could be exploited in a faster than exponential complexity. This means that many of the encryption algorithms that we rely on today, on the Internet, would be vulnerable to exploitation and the keys could be cracked and data could be decrypted. So this is then sort of a concern that's been on the back burner for the last I don't know, probably 15 years? Ever since IBM first demonstrated an implementation of Shor's algorithm that factored the number 15 in to the primes three and five.

Dr Charles Clancy: [00:11:00:03] But given the sort of slow progress made it quantum it hasn't really been a primary issue. But in the last two or three years the whole area of quantum has really begun to pick up steam and so it sort of renewed the concerns.

Dave Bittner: [00:11:12:06] So have we seen a shift of people moving towards post-quantum encryption now?

Dr Charles Clancy: [00:11:16:15] Indeed there are a number of post-quantum encryption algorithms that are being developed, we have the notion of quan key distribution, but there are deployment challenges there particularly you need to pass individual photons of light between the source and a destination. And the current telecommunications infrastructure of much of the world, it isn't well suited for doing things like that. But I think we've got a little bit of time before we need to worry too much about it. IBM has recently come out saying that they believe they could build a 50 to 100 qubit quantum computer that operates at a general purpose capacity, in the next decade. And in order to really have a chance at implementing Shor's algorithm we need something that's got more in the four to five thousand cubit stage. Which is probably still quite a ways away, in terms of actual physical realization. Another important distinction to understand is there is another product on the market, the D wave platform.

Dr Charles Clancy: [00:12:15:02] Which is a quantum and kneeling machine that will be coming out with their 2000 cubit system this next year. And that has lots of really interesting applications in the machine learning domain among others, but it's really not designed to do Shor's algorithm. In fact the researchers have shown that implementation of Shor's algorithm on the D wave platform do not achieve a quantum speed up, they still exist in this exponential ravine and therefore algorithms such as RSA will not be affected. So while there are these new machines coming out that appear to have lots of cubits, that are not designed to tackle problems such as encryption, and the ones that would be capable of, that are still pretty far out in terms of their viability.

Dave Bittner: [00:13:00:19] Dr Charles Clancy, thanks for joining us.

Dave Bittner: [00:13:05:18] And that's the CyberWire. National Cyber Security Awareness month has entered its final full week with the theme, Our Continuously Connected Lives - What's Your Apptitude? That's “aptitude” spelled like “app,” because you should be thinking about your apps.

Dave Bittner: [00:13:20:23] For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision makers, well you've come to the right shop. Visit thecyberwire.com/sponsors to learn more.

Dave Bittner: [00:13:38:20] The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.