The CyberWire Daily Podcast 10.26.16
Ep 213 | 10.26.16

Youth and cyber make a bad-news-good-news story (it's complicated). Mirai DDoS may be the work of skids. ISIS adjusts its messaging.

Transcript

Dave Bittner: [00:00:03:05] Friday's Dyn DDoS may have been the work of skids and script kiddies, not high-end Russian spies. A recall of vulnerable IoT devices proceeds. Utilities see the DDoS attacks as a warning shot. They should maybe start by getting rid of all those pagers. ISIS tweaks its online messaging to point out that the Caliphate is enduring a divinely ordained period of trial. CloudFanta malware harvests credentials via a cloud storage app. And fellow youths, there's some bad news and some good news.

Dave Bittner: [00:00:39:01] And I want to take a moment to tell you about our sponsor E8Security. You know, once an attacker is in your network, there's a good chance they'll use command and control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like. Newly visited sites, visits to a website that doesn't have the features a legitimate site usually does like a high number of pages, a fully qualified domain name or a distinct IP address or the association of a website with a limited number of user agents. That's tough for a busy security team but it's easy for E8's behavioral intelligence platform. For more on this and other use cases visit e8security.com/dhr and download the white paper, “E8Security, Detect, Hunt, Respond.” And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:33:21] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday October 26th 2016.

Dave Bittner: [00:01:40:13] Last Friday's wave of DDoS attacks that took down the servers at DNS provider Dyn (on which so much Internet traffic depends, especially in the United States) now looks more like the work of skids doing it for the lulz than a nation-state security service. US Director of National Intelligence James Clapper said yesterday that it appeared to be the work of criminals and not, as many experts and non-experts speculated over the weekend, Russian intelligence. Clapper did indicate that it appeared the hackers were a "multinational group," but beyond that, well, the investigation is proceeding.

Dave Bittner: [00:02:15:07] Flashpoint has published a study that suggests the attackers were, as CSO calls them, "a bunch of amateurs," "script kiddies," and dark web lurkers without specific political or criminal motivation. If correct, this assessment is not reassuring, since it implies such attacks are well within the reach of many. Other reports that the nations contributing the multi-national hoods were Russia and China are also disturbing, if correct, in that both of those countries have exhibited a degree of willingness to either co-opt, use, or hire criminal hacking elements.

Dave Bittner: [00:02:48:12] The distributed denial-of-service attacks were mounted using Internet-of-things botnets controlled by the Mirai Trojan. Security cameras and home routers were particularly implicated in the attacks—DVRs not so much, but these and most other consumer-grade IoT devices are comparably vulnerable. One major manufacturer, Hangzhou Xiongmai Technology, is recalling devices sold in the United States before April 2015. It says its current firmware is no longer vulnerable to Mirai-style exploitation. The company is also threatening to sue journalists blaming it for the DDoS outbreak—that's defamation, they say. (Note to Hangzhou Xiongmai Technology: we're not blaming you, OK?)

Dave Bittner: [00:03:31:08] Utilities, especially electrical utilities, were spooked by Friday's attacks. As Imperva told EnergyWire, "What the attack lacks for in sophistication, it makes up for in pure volume." It's also been noted that the Ukraine grid hack began with low-grade criminals and was co-opted by a capable nation-state—Russia, of course, by most accounts—and the same could happen with IoT vulnerabilities. Trend Micro points out one problem with the electrical power sector: too many of its personnel still use pagers. Pagers don't encrypt their traffic, and researchers find it "relatively trivial" to access that traffic. Such interception is useful during pre-attack reconnaissance, and attackers can also relatively easily interject spoofed messages into the network. Given the role social engineering played in the Western Ukraine grid hack, utility-watchers find this unsettling.

Dave Bittner: [00:04:26:09] There are also some direct risks in the industrial IoT. Security firm Indegy has found a remote code vulnerability in the Schneider Electric software widely used in programmable logic controllers.

Dave Bittner: [00:04:38:24] Why might criminals be interested in DDoS? Well, someone is renting 100,000 Mirai-infected bots on the black market for just $7500, so the attack could serve as a marketing demonstration. And, of course, there's always the lulz.

Dave Bittner: [00:04:55:06] While apparently not so far implicated in the Mirai DDoS stampede, Russia does not appear to be idle in cyber conflict. As is usually the case, it's alleged activities are deniably conducted through a third-party. The Syrian Electronic Army "with Russian backing," says the victim, has defaced sites of the Belgian newspaper Nieuwsblad to protest Belgian participation in airstrikes against Syrian targets.

Dave Bittner: [00:05:22:10] WikiLeaks continues to release discreditable stuff purloined from the emails of those in or close to the Clinton presidential campaign. Researchers at SecureWorks have found evidence of how the Gmail accounts were compromised: spearphishing with bogus Bit.ly links in bogus security warnings.

Dave Bittner: [00:05:39:24] US officials continue to be more worried about information operations than direct, let alone global, hacking of voting machines. State authorities are being asked to be on their guard against attempts to influence turnout or confidence in election results. What success any such vigilance with have remains to be seen—there's more than enough suspicion and ill-will to go around.

Dave Bittner: [00:06:01:08] Netskope has released a report on the CloudFanta credential harvesting malware. It uses the Sugarsync cloud storage app for distribution, and it tends to go undetected by most network security solutions because it cloaks its malicious Dynamic Linked Library (DLL) files as pngs. CloudFanta has been most active against Brazilian targets, but it's not confined to that country.

Dave Bittner: [00:06:25:22] As foreseen, ISIS is now attempting to adjust its messaging to deal with loss of key territories. It's doing so by looking for scriptural evidence that such setbacks are foreordained, and in no way compromise its legitimacy. Current setbacks are part of the period of "preparation, tribulation, and difficulty" that always figure in the divine plan. Expect this trope to become a leitmotif in the Caliphate's ongoing information campaign.

Dave Bittner: [00:06:56:00] Wrapping up our coverage with some of the people we met last week at CyberMaryland, Edward Hammersley is Chief Strategy Officer for Forcepoint and President of their Federal Division. Forcepoint just released a study called Millennial Rising where they look at the growing number of millennials in the federal workforce and how that affects security and culture.

Edward Hammersley: [00:07:17:07] So we started thinking about this trend where roughly 7% of the current federal IT workforce is consisted of millennials and the projections are that that group known as millennials will be about 75% of the workforce in a few short years. So we started thinking what impact does that have both on hiring, training and all kinds of other issues, not only for our own company but for the government and our customers.

Edward Hammersley: [00:07:44:07] Typically there's a trend to trust technology more than perhaps the older generations did. There is a feeling of, you know, "gee I clicked the privacy button on Facebook so I'm good, no worries about cyber right". That of course is changing and that's particularly daunting in the areas of the government where DoD and intel telecommunication practices where cyber security is such a serious issue and, you know, taken very seriously across the board.

Edward Hammersley: [00:08:11:01] To me what the finding drove home was how deep the sharing culture goes in the millennial community. Everything from Uber cars, anything else is just things are meant to be shared and when confronted with an environment where you're not supposed to share and you're supposed to do the opposite, it almost feels like it goes against core values, you know. And so that's gonna be an interesting challenge for especially those parts of the government that deal in sensitive information.

Edward Hammersley: [00:08:40:03] And I think, rather, of course some training is going to be interesting and required but rather than trying to change too much behavior I think we just need to think about our systems and our policies and how to adapt to those things.

Dave Bittner: [00:08:51:23] That's Edward Hammersley from Forcepoint.

Dave Bittner: [00:08:55:19] Finally, speaking of Forcepoint's study of millennials and cyber, here's the bad news, fellow youths: you're careless and you're all too willing to trade security for convenience. But the good news is a lot of you would like to get good enough about security to work in the industry, so we figure we've got that going for us, right? And if you'd like some encouraging news about us, fellow youths, look to Passcode, which at the end of last week announced the winners of its capture-the-flag competition and awarded the first Passcode Cup to a team from the University of Virginia. Congratulations to them. And congratulations also to the cyber prodigies Passcode found in their search for "Fifteen under Fifteen." One of the fifteen under fifteen is just eight years old, which ought to make you millennials feel like, well, almost baby boomers.

Dave Bittner: [00:09:48:24] Time for a message from our sponsor Delta Risk, they're experts in managed security services and risk management consultation. You have, we hope, an incident response plan. Be honest, we know from studies that about two thirds of you don't but you know you'll need one because even the best defenses are unlikely to hold everywhere and forever. Delta Risk a Chertoff Group company has thought about the pain points an incident brings. One of the first ones involves just knowing who is in charge. Delta Risk knows the important of deciding this in advance and can help you think through the appointment of a cross-functional incident commander to coordinate response across your organization. So whether you're just building your incident response plan or would like to test the one you've got, you owe it to yourself and your organization to check out Delta Risk's white paper top ten cyber incident pain points. Are you prepared? You can check it out at delta-risk.net/topten. That's delta-risk.net/topten and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:10:56:11] Joining me once again is Emily Wilson, she's the Director of Analysis at Terbium Labs. Emily all the work that you do in the dark web, you see a lot of things, you see a lot of questionable stuff going on in there. I wanted to use credit card fraud as an example to sort of give our listeners a window into that world. What goes on when it comes to trading both for buyers and for sellers of credit card information.

Emily Wilson: [00:11:20:07] Sure, great question and we do see a lot of credit card fraud. That's one of the things that I think besides drugs the dark web is best known for. What you can think about for credit card fraud are kind of fundamentally two places where it will appear.

Emily Wilson: [00:11:31:22] There are these large dark web markets Alpha Bay is one good example that trade on any number of items. Whether it's drugs or fraud or occasionally weapons, you know, counterfeit goods. And then there are sites that are entirely designed to focus on credit card fraud. Trading industry secrets, what banks are the best, advertising new cards for sale. This is one of the interesting things about the dark web is that a lot of vendor success is based on reputation. So you have vendors who have been around for a while, they're known to be trustworthy and they're known to have a good stash of cards on a regular basis. And then you have new people who are trying to break into that and they're offering up samples or freebies, trying to get people to vouch for them to build, build credibility.

Emily Wilson: [00:12:15:03] The interesting thing about kind of credit card fraud for example, is say the price differential between a credit card and a debit card. So credit cards are on average more expensive. They range sway from $30 to $35 a card whereas debit cards are more in the $10 to $15 range and this makes sense for a few reasons.

Emily Wilson: [00:12:35:12] Of you have a debit card then you one, need to have someone's pin which you may or may not have and two, you are limited by the funds available on that account. With a credit card however really all you need is the number and the other card information perhaps and then you are facing down someone's credit limit which, depending on the person maybe substantially higher than what they have in their bank account.

Dave Bittner: [00:12:56:11] That's interesting. That's counter-intuitive to me, I would have thought that, I guess I just would have thought that with the actual money in a debit account that you're somehow getting, it's less likely that that money will be pulled back, you know, but I guess the bad guys have ways around all that stuff. [LAUGHS]

Emily Wilson: [00:13:10:20] It's interesting, there's a lot of trade craft involved and people kind of trading, trading tips and tricks. You know one popular way to test the validity of cards is actually a toy store, an online toy store. It's funny how these things shake out. And then, you know, within a card you have things like, you know, kind of your average credit card versus Platinum, versus Gold, you know, and different credit card assures and different banks and different kinds of cards go for different prices. We see credit cards ranging up to two, three, four hundred dollars in some cases and those are real outliers but they do exist.

Dave Bittner: [00:13:45:08] And how do they verify a buyer so that they, you know, for example, do they know it's not law enforcement?

Emily Wilson: [00:13:50:12] That's interesting. Credit card vendors tend to be less concerned about that than drug vendors because it's a digital good. In the case of drugs you're shipping a physical product and so then you're a bit more concerned about it. In the case of a credit card vendor, really it's just an exchange of bitcoin. And so there's less of a concern there.

Dave Bittner: [00:14:13:02] Alright interesting stuff. Emily Wilson thanks for joining us.

Dave Bittner: [00:14:17:23] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible and if you're interested in reaching a global audience of security influencers and decision makers, well you've come to the right shop. Visit the cyberwire.com/sponsors to learn more.

Dave Bittner: [00:14:38:06] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.