The CyberWire Daily Podcast 10.25.16
Ep 212 | 10.25.16

The Mirai botnet DDoS attack, its consequences and attribution, with commentary from various observers.

Transcript

Dave Bittner: [00:00:03:19] IoT botnets may best be considered an instance of a more general problem with poorly secured endpoints. Good digital hygiene can be good digital citizenship. IoT device recalls follow the DDoS against Dyn. Attribution of the attacks remains up in the air. Clapper looks at multinational hackers, Jester looks at Russia (and Russia looks at Jester and sees vice-president Biden). And yes, John McAfee is looking at North Korea. Stay tuned.

Dave Bittner: [00:00:36:21] Time for a timely message from our sponsors at E8 Security, putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you off to malware on your system. Listening or running programs on a rare or never-seen-before open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you review logs? If you had time to review your logs, and by the time the logs reached you, the news would be old. But E8's analytical tools recognize and flag the threat at once, enabling you to detect, hunt and respond. Get the white paper at e8security.com/dhr and get started. E8 Security, your trusted partner. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:27:24] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 25th 2016.

Dave Bittner: [00:01:34:19] Security cameras and SOHO routers formed the better part of the Mirai botnet herd that stampeded through Dyn at the end of last week. One IoT vendor, Will Price, founder of Simple Control, told CEPro that it's misleading to call this DDoS incident an Internet-of-things problem. He would rather understand it as a problem with vendors releasing products that aren't properly secured, an issue that's certainly not confined to the IoT. As he put it, 'The budding Internet-of-things has no more to do with this than the advent of the internet caused Windows XP security problems'.

Dave Bittner: [00:02:10:17] He's got a point, but the combination of widespread deployment, weak security and user inattention does seem to make the IoT particularly vulnerable to this sort of exploitation.

Dave Bittner: [00:02:21:20] Ray Rothrock, CEO and chairman of cyber security analytics company RedSeal, told the CyberWire that, 'The reality is, that the millions of systems and things connected to networks and each other create unprecedented capabilities for both good and harm'. He thinks the problem is a species of the genus endpoint insecurity, and that the proper response should involve putting network security controls in place to limit the effects of such attacks.

Dave Bittner: [00:02:48:03] We also heard from Eldon Sprickerhoff, founder and chief security strategist of cyber security firm eSentire, who offered some advice to users of the kinds of devices implicated in the attacks. Because so many basic devices are now internet-enabled and connected, it's too easy for their users, and that means most of us, to overestimate their default security. No one wants their devices herded into a botnet. It's poor digital hygiene and citizenship, the virtual equivalent of spitting on the sidewalk. And it can also affect your own systems in unpleasant ways. Sprickerhoff recommends taking at least the following measures with your security system, your router, your baby monitor, with all those things at home that quietly and routinely touch the internet.

Dave Bittner: [00:03:34:05] First, change device passwords and use different complex passwords for each different system. Next, ensure you've upgraded to the newest firmware available. And finally, restrict external access to home devices, with firewalling, disabling remote access capabilities and things like that.

Dave Bittner: [00:03:51:01] One manufacturer, Hangzhou Xiongmai Technology, which produces components widely used in digital video recorders and network security cameras, has acknowledged that vulnerabilities in its products were exploited in the DDoS attacks on Dyn. They're recalling thousands of devices to aid remediation of the vulnerability.

Dave Bittner: [00:04:10:04] Attribution of the Dyn attacks still remains unclear. We heard a lot of speculation Saturday, at the US Army and NATO sponsored CyCon event in Washington, that a nation state was behind the attacks, and pretty much everyone was looking at you, Russia. But in truth, not only is it difficult to disentangle state sponsored activity from organized crime, but the Mirai code has been freely available for some time. The Washington Free Beacon said that US Director of National Intelligence Clapper told it the incident was the work of a multinational hacker group. He didn't elaborate, but other sources suggested to the Free Beacon and others that this was more a case of vandalism than it was a nation state attack.

Dave Bittner: [00:04:51:16] One apparent patriotic hacktivist, Jester, is convinced the Russians are coming. He, she or they sent Russia a message by defacing an old foreign ministry site, and the Russian foreign ministry was not amused, suggesting darkly that one might well perceive the hidden hand of vice-president Biden behind Jester.

Dave Bittner: [00:05:11:01] Last week at Cyber Maryland we sat down with Malcolm Harkins, Chief Security and Trust Officer at Cylance, to get his opinions, strong ones it turns out, on the state of the cyber security industry, particularly when it comes to taking risks.

Malcolm Harkins: [00:05:25:18] I believe that losers quit when they're tired, winners quit when they've won. I think we've quit on the attempt to win this stuff and capitulated to, I think, a broad industry notion that compromise is inevitable, versus the notion that the attempt to compromise is inevitable. And I don't think you can fully eliminate the risk, but I do think many people have given up on the ability to prevent, and that's a shame.

Dave Bittner: [00:05:55:24] Where do you think this attitude of surrender comes from?

Malcolm Harkins: [00:05:59:21] Well, a couple of things. One is, for years and years and years the degradation of the effectiveness of security solutions has been occurring. And we've all experienced it, I've experienced it. And so I think there's a confirmation bias, so to speak, that because that's happened for a long time we have to accept that that's the only solution or the only approach, in which case we default to detection and response. And I'm a former business guy and got a background in economics, and when you think about it, the security industry itself profits from the insecurity of computing. And one could argue then, logically, for profit motives, the vast majority of the industry, not all of it, but a substantial portion of it, grows because of the insecurity of computing and the problems that occur. So economically, what do we think has happened? Well, the vast majority of the industry has come out with detection and response capabilities because that's where people are anchored in, and that's where they would like you to continue to believe you have to be.

Malcolm Harkins: [00:07:11:20] And I don't think, as I said before, you can fully eliminate risk, but I think we can do a far better job of preventing a substantial portion of the risks that we're experiencing. We should absolutely constantly pursue perfection, it's okay to win ugly, and sometimes, you know, having been in the security industry a long time, I've won ugly a lot. And some of that is being more of a risk taker. So again, if you're in the security role and you're in the information risk role, how often are you taking risks? Your job is to, in many ways, manage people from taking risks, and sometimes you have to take a risk on a newer technology, a new approach, a newer thought, so you kind of have to run to the risky thing in order to manage the risks.

Dave Bittner: [00:07:57:24] But is risk taking rewarded in this industry?

Malcolm Harkins: [00:08:00:17] In some ways, unfortunately, no. And it's again a cultural underpinning. Right? But in many ways, and again part of the dialogues that we had even on the panel I was on today on C-suite concerns, businesses are in the job of managing risk. When you launch a new product, when you build a new building, when you go and enter a new market, that's risk taking. It's financial risk taking. And so businesses are in the business of taking risk, and those that manage those risks the best are generally the ones who win.

Dave Bittner: [00:08:37:13] That's Malcolm Harkins from Cylance.

Dave Bittner: [00:08:40:19] And finally antivirus pioneer, security gadfly, and sometimes, we think, presidential candidate John McAfee, says he knows whodunit. North Korea dunit. He bases this attribution on what he describes as dark web chatter. But commenters on the web have taken a tell-it-to-the-Marines attitude toward this. John can sometimes pop off like the much-beloved but eccentric uncle at the Thanksgiving table. Like the time he said he had a team of digital ninjas who could unlock an iPhone even if the FBI couldn't. Maybe yes and maybe no. But in the case of attributing the Mirai attacks, the story is still, as they say, developing.

Dave Bittner: [00:09:25:09] Time for a word from our sponsor, Delta Risk. You've heard, of course, that those who fail to plan, plan to fail. Sure, that's a bit of a cliché, but it's true nonetheless. Delta Risk is here to help you plan. Companies focus on preventing cyber incidents, and they should, but they also need to realize that all prevention will in all likelihood at some point fail. And when that happens, you don't want to be improvising on an incident response. Delta Risk, a Chertoff Group company, has been in the business of helping enterprises improve their cyber security and protect their business operations since 2007. If you don't have an incident response plan, or if you're not sure you've got a good one, test yourself against the challenges Delta Risk outlines in their white paper, 'Top 10 Cyber Incident Pain Points - Are you Prepared?' You can download it at delta-risk.net/topten. That's delta-risk.net/topten. Download the white paper and check it out. And we thank Delta Risk for sponsoring the CyberWire.

Dave Bittner: [00:10:30:11] And I'm pleased to be joined once again by Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe, we've been seeing these stories about IoT botnets. I thought it might be interesting for you and me to just kind of go through, sort of inventory, what are the typical IoT types of devices that people have in their homes, in their offices? Because some of them are surprising. Let's start with the obvious one, the cameras. That's the one that gets all the press.

Joe Carrigan: [00:10:58:23] The security cameras or the doorbell cameras that I see ads on TV for now. You think about them as providing a video stream out to the world. If you haven't taken the time to go through and change the default password, then it's probably open to everybody to see and, as we've seen with the recent botnet that took down Krebs's site, to even exploit and make your camera part of a botnet.

Dave Bittner: [00:11:25:02] I think a point to make with the Krebs botnet attack was that that was all done with default passwords.

Joe Carrigan: [00:11:31:15] Default passwords. That's right.

Dave Bittner: [00:11:32:24] Every device on that botnet, according to the people we've spoken to, was all default passwords, so job one, when you get any IoT device or any device in general, change the default password.

Joe Carrigan: [00:11:47:07] Change the password.

Dave Bittner: [00:11:47:07] But there were other devices involved with that, that I hadn't really thought of and the main one for me was DVRs.

Joe Carrigan: [00:11:53:05] Right, you and I were talking before the show and I was thinking about smugly saying well I don't have very many Internet-of-things devices in my house, but I do have a DVR. Not only do I have a DVR, but I have another cable box in my house that I think also runs a Linux operating system that can access the DVR. They're networked together, they're inside my house, they have obvious ways to get outside to get the content that gets downloaded, those are Internet-of-things devices.

Dave Bittner: [00:12:20:21] Again, with this Krebs thing, the code that they would put in the DVR lived in the DVR's RAM, so if you rebooted the DVR it would get wiped out. But how often do you reboot your DVR? When the power goes out in the house, that's when my DVR gets rebooted.

Joe Carrigan: [00:12:36:13] Exactly. I think the only way I know how to reboot my DVR is by yanking the power cord out of the back of it and letting it sit there for a minute and then plugging it back in, just like when you have a technical support call, that's the first thing they tell you to do with all the hardware in the house, right?

Dave Bittner: [00:12:50:18] Other devices though, the ones that make me scratch my head, I see Samsung has an internet-enabled stove.

Joe Carrigan: [00:12:59:17] Right, what could go wrong?

Dave Bittner: [00:13:01:12] Yes what could go wrong with a high-temperature unmonitored device, connected to the internet?

Joe Carrigan: [00:13:07:15] That's an excellent question. I was at the Financial Crypto conference in February, and one of the keynote speakers was Adi Shamir, who's the S in RSA. One of his statements was that this Internet-of-things phenomenon is really going to present the hugest security problem that we've seen in a long time. He says it's just gonna blow up in our faces. How many devices were involved in that KrebsOnSecurity botnet?

Dave Bittner: [00:13:38:10] Bordering on millions.

Joe Carrigan: [00:13:38:10] Bordering on millions of devices. And these devices were all cheap, readily available, and they come with essentially commodity operating systems running on hardware that is significantly more powerful than was available 20 years ago.

Dave Bittner: [00:13:53:22] Even if your device was taking part in this botnet you might not notice. The functionality of the device may not be interrupted at all.

Joe Carrigan: [00:14:02:14] Right, the device keeps running, so you may not ever even notice that you've got a problem.

Dave Bittner: [00:14:10:03] Alright, Joe, get a new device, change that password.

Joe Carrigan: [00:14:13:16] That's right.

Dave Bittner: [00:14:14:15] Alright, good talking to you.

Joe Carrigan: [00:14:15:12] My pleasure.

Dave Bittner: [00:14:17:09] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. And if you're interested in reaching a global audience of security influencers and decision makers, well, you've come to the right shop. Visit thecyberwire.com/sponsors to learn more. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I am Dave Bittner. Thanks for listening.