The CyberWire Daily Podcast 10.27.16
Ep 214 | 10.27.16

DDoS concerns mount—not just Mirai botnets, but LDAP exploitation. Ukrainian hacktivists release emails they say belong to one of Putin's closest advisors. (Moscow says they're fake. Moscow's on its own.)

Transcript

Dave Bittner: [00:00:04:22] IoT worries encompass both industrial systems and consumer grade products. And IoT device recalls continue. Analysts expect there's more to come. Cyber espionage in the Middle East and what's good for the goose is good for the gander.

Dave Bittner: [00:00:24:08] Time for a message from our sponsor, E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network. Once they're in your networks, E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit E8 Security.com/dhr and download the free white paper to learn more. E8, transforming security operations. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:19:20] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, October 27th 2016.

Dave Bittner: [00:01:27:22] Last week's Mirai botnet distributed denial-of-service attacks have focused attention on the Internet-of-things. Observers of utilities, especially electrical power generation, are warning that the attack on Dyn should serve as an indication of what could become extremely disruptive attacks on our central services. Schneider Electric, warned by responsible disclosure from Israeli security shop Indegy, has patched its Unity Pro software, which is widely used with programmable logic controllers, or PLCs.

Dave Bittner: [00:01:58:06] The vulnerabilities Schneider fixed could have been exploited to achieve remote code execution. We heard from Rod Schultz, Rubicon Labs' Vice President of Products, who had this to say about the vulnerability Schneider Electric patched. "Remote code execution is one of many vulnerabilities for a digital system that has been connected to a network. While they are sophisticated attacks, once discovered they are incredibly easy to reproduce. And an example of a type of attack that will be seen in the IoT." It's tough to secure IoT devices because, as Schultz put it, "The world will not stop connecting devices to a network." And attackers are going to continue to go after them in increasingly creative ways, for predictable Willie Sutton-esque reasons. That's where the metaphorical money is.

Dave Bittner: [00:02:45:20] Schneider closed its patch notice with what it calls an important note. It is up to the user's responsibility, says Schneider, to protect his application with a proper password. And that's good advice for anyone. The consumer-grade IoT devices exploited in the Mirai botnet also need some attention to password hygiene. The US Department of Homeland Security has advised everyone to disconnect their routers, security cameras and similar devices and then change the device's name and passwords before re-connecting them. This is good advice to be sure, but as a matter of general Internet hygiene it's as unlikely to have effect as asking random people on the street to stop littering, throw their used gum into a trash receptacle instead of ejecting it from mouth to sidewalk, and so on. A couple of them will listen to you.

Dave Bittner: [00:03:33:11] One of our stringers is particularly troubled by the advice. He's not sure how many devices he has in his house or how he'd go about making those changes. And do femtocells count? Probably.

Dave Bittner: [00:03:46:19] DNS provider Dyn has offered more results of its investigation into the distributed denial-of-service attack it sustained last week. Sources in the US intelligence community have been quoted as saying that those responsible were simply criminals, not state actors. But investigation of these attacks is ongoing, and so Dyn won't speculate about either the identity of the attackers or their motives.

Dave Bittner: [00:04:09:20] The company has, however, confirmed that the attack was mounted using a Mirai botnet. About one hundred thousand devices were implicated, which is significantly fewer than earlier estimates had placed the number. The attackers used masked TCP and UDP traffic across port 53. They also employed recursive DNS retry traffic. Device manufacturer Xiongmai is continuing its recall of the web cams said to have been compromised and used in the attacks.

Dave Bittner: [00:04:38:14] Thomas Poor is director of IT and Services at Plixer. They took a look at the Mirai botnet source code and offered some observations about what they found.

Thomas Poor: [00:04:48:06] When the author pushed the source code out I took a peek through it, and it was actually incredibly simple. While it's interesting that a botnet of that size and caliber could be built in such an easy, simplistic way. And so, what happened is the original malware would scan and it would locate a DVR with default credentials. It would then compromise it, install itself, and essentially it was running in memory. So if the DVR were re-booted at any time then the malware would be erased and that DVR would again be public facing and ready to be compromised again. Now, what is interesting is when the malware installed itself it went through its own C2 behavior and then it started performing its own scanning. And when the scanning occurred it was trying to locate and increase the size of the botnet.

Dave Bittner: [00:05:56:04] Is the fact that the source code wasn't terribly sophisticated, does that mean that the attack wasn't sophisticated?

Thomas Poor: [00:06:02:00] No, that's not necessarily true. In fact the concept is rather genius. So, traditionally botnets comprise compromised PCs, achieved through phishing attempts and people downloading malware. Now, what's great about this concept is the author doesn't have to pay for those spamming services. And we don't need to have user interaction for these to get infected. So, while simple, it's actually very genius and it can be set up by most security professionals probably within thirty minutes.

Dave Bittner: [00:06:37:15] And does the person who was using the DVR or the person who was using the video camera, would they even notice that anything was amiss?

Thomas Poor: [00:06:46:03] So, they probably wouldn't unless, of course, the DoS attack exhausted their entire outbound connection. But, again, not many people sit there and continually watch their DVRs or their cameras. They're more set up for recording purposes in case they need to go and review an incident. So, it's likely that, you know, the owners had no idea.

Dave Bittner: [00:07:11:08] That's Thomas Poor from Plixer.

Dave Bittner: [00:07:15:00] Analysts warn that more attacks like this can be expected. And in fact they've already occurred. Singapore's StarHub experienced waves of attacks on Saturday and again on Monday.

Dave Bittner: [00:07:25:22] There are, unfortunately, opportunities for synergy among various approaches to distributed denial-of-service. Corero reports observing exploitation of Lightweight Directory Access Protocol (LDAP) to amplify DDoS attack traffic over the weekend. The company warns that LDAP exploitation combined with the Mirai botnet could prove extremely serious, surpassing even the very large effects seen last week.

Dave Bittner: [00:07:50:20] Internationally, the French Government looks at ongoing US experience with online political meddling, which the US has ascribed to Moscow, and warns candidates in French elections that they should expect to be on the receiving end of similar ministrations.

Dave Bittner: [00:08:05:24] US intelligence sources say ISIS, under intense physical pressure though it may be, continues to seek to inspire attacks online from its Syrian headquarters in Raqqa.

Dave Bittner: [00:08:17:02] Elsewhere in the Middle East Vectra Networks says it's found an extensive cyber espionage campaign, “Moonlight,” operated by Hamas against unnamed targets in the region.

Dave Bittner: [00:08:28:11] In industry news, network security company Tenable has made its first acquisition: San Francisco-based container security shop FlawCheck. And Adobe yesterday issued an emergency patch for Flash, closing a vulnerability that has been under active exploitation in the wild.

Dave Bittner: [00:08:46:00] And finally, in the sauce for the gander department, CyberHunta, thought to be a Ukrainian hacktivist group, has doxed Putin adviser Vladislav Surkov, releasing emails that indicate Surkov's connections with Russian separatists fighting inside Ukraine. The Russian government has long denied such support, but vanishingly few observers believe those denials, as there's a great deal of evidence to the contrary both online and on the ground. President Putin says the emails are fabricated. "Surkov doesn't use electronic mail," he said. Well, okay, Vlad, if you say so.

Dave Bittner: [00:09:28:24] Time for a message from our sponsor Delta Risk, a Chertoff Group company. Since 2007 Delta Risk has been helping organizations manage cyber risk to protect their business operations. Today they're offering a distillation of some of their expertise in technical security, policy, governance and infrastructure protection in the form of a white paper: Top ten cyber incident pain points. Are you prepared? Download it today at delta-risk.net/topten. The conventional wisdom is that every organization will eventually have to deal with a cyber incident. And in this case the conventional wisdom is right. Delta Risk can help you prepare for that incident with some sound planning. So thanks, Delta Risk, for explaining those incident response pain points. Once again, visit delta-risk.net/topten and start planning. That's delta-risk.net/topten. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:10:29:19] Joining me once again is Israel Mirsky. He's a PhD candidate, researcher and project manager at the Cyber Security Research Center at Ben-Gurion University. I know one of the strengths of your lab there at the Cyber Security Research Center is machine learning. Tell us about some of the work that you're doing with that?

Israel Mirsky: [00:10:45:14] Sure, there's a great synergy between cybersecurity and machine learning. And that's for several reasons. First of all, what is machine learning? Machine learning is any process by which a system improves performance from experience. So, that means the more data you give, whatever code or algorithm you've developed, that improves its performance in deciding things, for example. That's machine learning. And that could be applied to many different applications. And, in the domain of security you can talk about intrusion detection in a network, you can talk about spam detection for emails and credit card fraud, or user authentication for a smartphone. And we do a lot of different research in many different aspects. For example, in the project that I'm managing for data leakage prevention for smartphones we take a look at all sorts of simple sensors such as accelerometer or CPU usage, things that don't require high level privileges. And we try to infer whether an application is doing something that is malicious or not. So, we can build a general model, for example, [INAUDIBLE] and trying to determine when it's doing something malicious.

Israel Mirsky: [00:11:59:21] Now, I'll give you an example where our project really comes into play is where we take into account the context of the user. So, for example, if we understand that the user never sends SMS while he's running, then it's obvious that if an SMS is sent and we can tell by the motion of the device that he's running, it's possibly some sort of premium SMS malware trying to get money from the user. And we try to build a general model that learns this all automatically. And, going back to why machine learning is important to security, it's because of basically three reasons. One is availability. We have lots of data, lots of logs for example. We want to, uh, perform acquisition. We have to utilize this data for some purpose. And we want to perform automation, to do it automatically.

Israel Mirsky: [00:12:45:24] One last thing to mention though, there is the aspect of the security of machine learning. Now, in many cases you can build this sort of machine learning model quite easily on data to try and predict perhaps a malicious spam email, for example. And what happens is that the attacker also knows that you're using machine learning. He can try and attack your model, whether it be in some sort of causative attack or exploratory attack. Causative, he'll try and perhaps send specific emails that will poison your model and try and mislead it into thinking certain things are malicious or not. And exploratory, he'll try and find those holes that you're not really looking at. And this is a whole other new domain of machine learning that's growing quite fast, because security of machine learning, or using machine learning for security, is very advantageous, but also you have to be cautious because there's always this case of kind of, uh, arms race, who's going to get there first, the attacker or the defender.

Dave Bittner: [00:13:44:23] Israel Mirsky, thanks for joining us. And that's the CyberWire. You know, hardly a day goes by that someone doesn't come up to me on the street and say, "Dave, I love the podcast, what can I do to help grow your audience?" And I'm glad they ask. "Well, good citizen," I say, "the best thing you can do is write a review and give us a positive rating on iTunes." That helps us move up the charts and more people check us out. And, of course, we always appreciate it when you spread the word about our show to your friends and co-workers. So thanks.

Dave Bittner: [00:14:16:23] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our Social Media Editor is Jennifer Eiben. Our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.