Dave Bittner: [00:00:07:20] Post mortems on the October IoT distributed denial-of-service attacks suggests there are bigger problems than just factory settings. Recalls of potentially compromised devices continue, and some think about hacking back. (A hint - think twice.) HackForums pulls down its network stressor offerings. South Korea says the North is up to more cyber badness. US election hacking concerns continue. And observers wonder, what do you have to do to lose a clearance?
Dave Bittner: [00:00:40:04] Time to take a moment to thank our sponsor E8 Security. You know, to handle the unknown, unknown threats you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well intentioned person who's careless, compromised, or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know for example that multiple Kerberos tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the white paper at E8security.com/dhr and get started. Detect, hunt, respond. E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:01:29:21] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Monday, October 31st, 2016.
Dave Bittner: [00:01:36:13] Happy Halloween, all. Post mortems on the Dyn DDoS attacks of October 21st have focused properly enough, on users of common IoT devices leaving default factory passwords in place. But there are other issues of IoT security that fixing passwords won't touch - the ease with which such devices can be found through simple Shodan searches would be one; the economic forces driving enterprise users towards remote online management of IoT devices comprise another. The more easily such devices can be remotely provisioned, configured, updated and maintained, the larger the attack surface they present. Firmware is like tanna leaves, come to think of it. Three to give it life, nine to give it motivation.
Dave Bittner: [00:02:19:20] What to do about the security of the Internet-of-Things remains a matter of considerable discussion. Calls continue to avoid repeating the path taken at the dawn of the Internet itself, by which we mean the big Internet, son of ARPANET. The conventional, and correct, wisdom about the Internet is that its parents chose to optimize information exchange among trusted parties with little thought to the possibility, since realized, that the parties would soon be in the hundreds of millions, and that their trustworthiness would range all the way from Van Helsing, to say, Nosferatu.
Dave Bittner: [00:02:52:07] It's a little late in the day to think one could design security into the IoT. It's well past the initial design stages by now, but there are hopes that in the future the various security cameras, DVRs, baby monitors, burglar alarms, thermostats, and coffeemakers might be stitched together better than Dr. Victor von Frankenstein might have managed. So we're left with the prospect of mopping up after the rush to declare, "It's alive." We recently heard former NSA Director, Keith Alexander suggest at CyCon 2016 that, given resources enabling legislation, and general cooperative goodwill, we might be able to secure the IoT within say, two years. But, of course, technology solutions won't fully address the polyvalent challenges of security.
Dave Bittner: [00:03:39:04] We will know doubt continue to see recalls, and future devices will no doubt incorporate better security and better set-up defaults. Unfortunately, the older devices will continue their zombie-like course through the networks.
Dave Bittner: [00:03:52:17] Researchers at security company Invincea have discovered flaws in the Mirai IoT botnet forming Trojan implicated in those recent distributed denial-of service attacks. It's a stack buffer overflow flaw that could be exploited to crash the attack process, and Invincia has the exploit to do it. But, before you take up the torches and pitchforks, fellow villagers, and set out to drive a stake into Mirai's heart, know this. You probably can't do it legally. We know, we know, nobody ever lawyered up in Borgo Pass, but hey, this is still America, last time we looked anyway. And getting all those baby monitors back from the grip of the undead would involve, like, infecting them, and that would run afoul of the Computer Fraud and Abuse Act, so don't. And Invincea especially agrees with you, they're not necessarily recommending it either, but perhaps some sort of cooperative effort, with permission on all sides, could rescue the Mina Harkers from the IoT from enslavement to their bot masters.
Dave Bittner: [00:04:53:06] Shame or perhaps fear in the gray market has led the dabblers in the dark arts over at Hack Forums to remove server stress testing from among its offerings. Server stress testing is generally regarded as a euphemism for fifty shades of DDoS for hire. Some observers have connected Hack Forums with the attacks sustained by Dyn, but this is unclear and probably unlikely. With Mirai wandering the world seeking the ruin of DNS providers, it's not clear crime-ware as a service was necessary.
Dave Bittner: [00:05:25:04] South Korean sources report an increased tempo of North Korean cyberattacks. The targets are said to be largely defectors in human rights groups anathema to what many in East Asia consider the gargoyles of Pyongyang. South Korean authorities say they're doing what they can for the human rights groups, but there are apparently limits to the number of strands of garlic available to be extended to the defectors.
Dave Bittner: [00:05:48:02] US election hacking fears persist; states seem ambivalent about accepting help from the Department of Homeland Security, a little like Jabez Stone thinking about accepting help from that cloven-hoofed feller who showed up at his New Hampshire farm. What's behind the ambivalence we can't imagine, probably you can get a Senator to advocate for you when payment comes due.
Dave Bittner: [00:06:09:22] WikiLeaks continues to leak, mostly to the detriment of the Democratic Party. But, the biggest election-related cyber news came late Friday, as such news often does. An ambiguously worded letter from FBI Director Comey to Congress suggested the Bureau had found some things in an unrelated inquiry that's led it to re-open their investigation of former Secretary of State Clinton's emails. That unrelated inquiry, reports say, may have been into illicit online contacts engaged in by former Representative Anthony Weiner. Are there more surprises to come in they week and a half before the election? Who knows? But, cross the right palm with silver and, well, even one who is pure at heart, you know, can become a wolf when the autumn moon is bright.
Dave Bittner: [00:06:56:07] Observers wonder how former NSA contractor Martin, alleged to have accumulated large quantities of classified material at Borgo West, by which we mean Glen Burnie, Maryland, kept his top secret clearance as long as he did. Clearances seem to be tougher to lose than to get. I mean, if you were the county clerk and Renfield showed up to renew his real estate license, you wouldn't say, "Sure, here you go." Would you?
Dave Bittner: [00:07:27:04] Time to take a moment to thank our sponsor Delta Risk. This shirt-off group company provides managed security services and risk management consulting to clients worldwide. Since 2007, Delta Risk has offered expert knowledge on technical security, policy, governance and infrastructure protection to help organizations improve their cybersecurity and protect their business operations. And here's some advice they're sharing now. It's great to focus on prevention, but the reality is that prevention will at some point fail. So, it's essential to have a comprehensive incident response plan to mitigate the impact of an attack when it happens. But, most organizations don't have a proper cybersecurity incident response plan in place. So, here's a step any organization can take. Test your plan against the challenges outlined in Delta Risk's white paper, top ten cyber incident pain points. Are you prepared? Find out more at delta-risk.net/topten. That's delta-risk.net/top ten. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:08:36:02] Joining me is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you know, we're seeing these large scale attacks, I'm thinking of the Mirai botnet attacks, things like that. And, what's an appropriate level of concern when it comes to thinking about these new waves of large scale attacks?
Dale Drew: [00:08:53:13] You know, I will say that you're absolutely right. The size of the DDoS attacks that are occurring are getting larger, faster. They're evolving at a much more rapid rate. The resources they're bringing to bear are significant. Their use of the Internet of Things is helping them to involve their capabilities. So, it's something that we definitely worry about. I would say that the great thing about the Internet is the fact of how diverse it is. The fact that it is comprised of so many different independent operators that a single failure of the single operator will not cause a catastrophic harm to the rest of the global Internet.
Dale Drew: [00:09:38:05] But at the same time, these attacks are definitely worrying. When you throw things like consumer devices into the mix. You know, you have carriers that are building networks for businesses and making sure they have carrying capacity for business. Then you have carriers that are building networks for consumers. And now those consumer networks are having significant contributions to this overall larger attack. So, yes, it is something that I'd say carriers worry about quite a bit. We evolve our capability to filter, to stop, mitigate, and detect these sorts of bad activities. And we're having to get much better at it. We are being forced to, being much more equipped at being able to detect and pro-actively stop these sorts of attacks because of the nature of the amount of volume and the amount of capability that they're bringing to bear.
Dave Bittner: [00:10:31:11] Is there a little bit of Catch 22 here, as providers make bandwidth available then that bandwidth is also available to the bad guys?
Dale Drew: [00:10:40:09] Yes. I mean, it is a little bit of a cat and mouse game. It is from the standpoint of the more bandwidth that we add, especially to the consumer space as an example, which tends to be a bit easier to compromise in the business space, then the more attractive that overall capability is to the bad guy. The more the bad guys wants to be able to compromise those classes of devices that have access to that processing power and that bandwidth to be able to launch attacks. So the more we evolve the network, the more that network is being used against us to calculate attacks. So, Internet providers like Global Three have to spend a lot of their time going a little bit further. You know, digging into the makeup of the ecosystem of the bad guys and how they operate and being able to provide capabilities in network, not just to carry traffic, but to be able to prevent, block and correct that traffic when it comes from the bad guy.
Dave Bittner: [00:11:41:19] Dale Drew, thanks for joining us.
Dave Bittner: [00:11:45:17] And that's the CyberWire. Today is not only Halloween, it's also the final day of National Cyber Security Awareness month, and the last day's theme is "Building resilience into critical systems."
Dave Bittner: [00:11:56:15] For links to all of today's stories, along with interviews our glossary and more, visit the CyberWire.com. Thanks to all of our sponsors who make the CyberWire possible.
Dave Bittner: [00:12:05:04] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Voice: [00:12:22:11] DDoS falls across the land. With PayPal no more close in hand. Shodan crawls your DVR to terrorize you all into CPR. And whatsoever shall be found with default passwords not yet down. Must stand and face the 401's and watch your systems turn to drones. The urgent message on the screen, from ransomware that's oh so mean. And pinging bots from round the globe are drowning out your sense of hope. And though you fight to stay online, your interests starts to tire. Your Podcast app cannot resist the daily CyberWire.