The CyberWire Daily Podcast 11.4.16
Ep 220 | 11.4.16

Mirai, "Botnet #14," hits Liberian networks. Anonymous doesn't much care for either jihad or the Man. A new security company forms with acquisition of Cryptzone, Catbird, Easy Solutions, and Brainspace. Election hacking updates.


Dave Bittner: [00:00:03:19] Liberia sustains a commerce-clogging DDoS attack, and Mirai is behind it. Linux/Moose is on the loose. Hospitals in the UK continue to recover from ransomware attacks. Anonymous doesn't like ISIS, but it also doesn't like the governments who are fighting the Caliphate. Exaspy malware targets business leaders Android phones. A new joint venture is poised to become a mid-major in the cyber security sector. And an update on election hacking - it's more of the same, with more coming.

Dave Bittner: [00:00:37:17] Time to take a moment to thank our sponsor E8 Security. You know, to handle the unknown unknown threats you need the right analytics to see them coming. Consider the insider threat, and remember that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised, or just poorly trained. Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip off to a compromise? E8 can show you why. Get the White Paper at and get started. Detect, Hunt, Respond, E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:27:12] I'm Dave Bittner, in Baltimore, with your CyberWire summary and weekend review for Friday, November 4th, 2016.

Dave Bittner: [00:01:34:12] Liberia is sustaining a massive, nationwide distributed denial-of-service attack, and e-commerce in the country is described as having ground to a halt. The Mirai Internet of Things botnet, which some in the security industry are calling Botnet #14, is again implicated. Attribution remains unclear, although it's worth recalling that the US Intelligence Community attributed Dyn's takedown by Mirai to some unspecified non-state actor.

Dave Bittner: [00:02:01:15] Whoever's behind the attacks, some fear that it, and other recent Mirai activity, constitutes a test and rehearsal of a cyber warfare operation. Thomas Pore, Plixer's Director of IT and Services, told the CyberWire that testing weapons historically has two main purposes. It can serve as a scare tactic to dissuade a potential enemy, and it can also, obviously, be undertaken to reveal and help correct design flaws in a weapon or its operational concept. He thinks the Liberian attack was designed to prove a concept, and not frighten. "Issuing large-scale volumetric attacks for short durations against Liberia could indicate that it is weapon testing." The attacks were conducted in brief bursts, and affected a smaller country whose troubles, populations in larger, more powerful nations might be expected to overlook. "An attack of that size could definitely take a small country down and perhaps Liberia is just the testing ground for something larger." Pore went on to say that if he's right, he says the US might expect to see some major sustained Internet outages before the end of 2016.

Dave Bittner: [00:03:08:17] IoT botnets can be used for more than DDoS. ESET and GoSecure describe Linux/Moose, malware that herds IoT bots for social media fraud, specifically on Instagram.

Dave Bittner: [00:03:21:06] And in industrial Internet of Things news, Booz Allen Hamilton has a new research report on 2015's hack of the power grid in Western Ukraine. Of particular interest is the attackers patience. The blackouts were two years in preparation, and the campaign was part of an extensive, multi-pronged effort. Booz Allen researchers conclude that the campaign involved at least 11 distinct attacks against Ukrainian mining, television, railways, electrical power distribution, and governmental archives. The investigators also find more circumstantial evidence to support the consensus that Russian threat actors were directly involved.

Dave Bittner: [00:03:59:12] In the UK, the Lincolnshire and Goole Trust, a National Health Service hospital system, continues to recover from a cyberattack that forced it to cut back on planned operations and divert major trauma cases to neighboring facilities. It appears the attack involved ransomware, which has proved particularly damaging to healthcare IT infrastructure this year. Plixer's Thomas Pore also contacted the CyberWire about this incident, and offered an account of why the healthcare sector seems to see so much ransomware. The real-time assistance healthcare providers give, and the obvious time-sensitivity of their services go a long way to explaining why cybercriminals would find ransomware particularly attractive to use in attacks on hospitals. It's harder for them to ride out an attack when patient health and safety are on the line.

Dave Bittner: [00:04:47:06] Turning to hacktivism, Anonymous remains predictably double-minded about ISIS. On the one hand, the anarchist collective doesn't like violent jihad. On the other, it also doesn't want to get co-opted by the Man. Anonymous hacktivists have sought, with unknown success, to disrupt ISIS presence on social media especially, but not all the collective's operators think the attempt a good thing. Motherboard held a Skype interview with Discordian, regarded as a long-time member of the collective, complete with a Guy Fawkes mask, who's decidedly on the stick-it-to-the-man side of the question. Discordian calls the internal division a civil war. He doesn't like ISIS, he says, but he also doesn't think ISIS can be fought through censorship. And he thinks Anonymous cooperation with security agencies is opening the group up to infiltration.

Dave Bittner: [00:05:37:19] Skycure reports on Exaspy, Android malware used in highly targeted attacks against business executives. Exaspy masquerades as a Google Play app, and it has these unpleasant capabilities. It collects chats and messages sent and received via SMS, MMS, and popular email and IM apps, including Gmail, Facebook Messenger, Skype, and WhatsApp. It records both audio and telephone calls. It can collect pictures and take screenshots. It scoops contacts, browser histories and calendar entries. And, finally, it exfiltrates all this stuff to a remote server controlled by the hoods who run it.

Dave Bittner: [00:06:16:02] This week has seen some significant industry news. CenturyLink, which is itself in the process of buying Level 3, has just announced that it's selling its data centers and collocation business to a joint venture led by BC Partners and Medina Capital. That new security company, it hasn't yet got a name, but it will immediately become at least a mid-major player in the sector, has also acquired four complementary cybersecurity shops, Cryptzone, Catbird, Easy Solutions, and Brainspace. We'll watch developments with interest.

Dave Bittner: [00:06:48:15] Finally, the US elections approach with much overheated trepidation about vote hacking. At this point such fears will probably serve as inspiration to incite whatever enthusiasts, activists, bullies, trolls, intelligence services, and the whole tribe FBI Director Comey tends to characterize as screwed up individuals, to do their level skid best to be a nuisance. If Fancy Bear is as interested in messing with the election as Fancy Bear appears to be, well, Fancy Bear can probably just take the week off and kick back. More WikiLeaks dumps are expected, but don't expect the FBI to wrap up renewed investigations into State Department emails and pay-for-play foundation allegations before Tuesday. It will take time to sift through those half-million plus homebrew server emails on Mr. Weiner's laptop.

Dave Bittner: [00:07:42:15] Time to take a moment to tell you about our sponsor Delta Risk, a Chertoff Group company. Since 2007, Delta Risk's experts have been delivering managed security services and risk management consulting to clients worldwide. They know technical security, policy, governance and infrastructure protection, and above all, they know a thing or two about effective planning. The biggest blindspot organizations have about cybersecurity is in incident response planning and Delta Risk can help. The last thing you want to be doing when you're IT infrastructure is virtually crashing down around your metaphorical ears, is to be improvising a plan. So, get ahead of the problem and download Delta Risk's White Paper top ten incident pain points. Are you prepared? You can find it at Check yourself against the challenges Delta Risk lays out. Again, that's ten. And we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:08:44:03] Joining me once again is Malek Ben Salem. She's from Accenture Technology Labs. Malek, you all made some news recently with some announcements about redactable blockchain. Fill us in on what's going on there.

Malek Ben Salem: [00:08:55:23] Sure. As you know, blockchain is a technology that supports Bitcoin, which is a permissionless or open cryptocurrency and, immutability is the basis for trust in that system. However, there are many issues with the misuse of the immutability of the Bitcoin blockchain, such as now it contains inappropriate and illegal material, including links to pornography. In real world uses of the blockchain, there may be needs for making a change. And while, in most cases, the immutability characteristic of the blockchain is really important. There may be other cases where you may need to make changes, particularly when we're talking about permissioned or private blockchains. So, that's what Accenture has worked on in collaboration with Stevens Institute, and we've announced what we called the redactable blockchain, which creates a mechanism for doing just that. Making a change to the blockchain in specific cases.

Dave Bittner: [00:10:12:23] How does this not bump up against one of the, sort of, core foundations of how blockchain works?

Malek Ben Salem: [00:10:18:15] So, if we're talking about the core foundation, meaning that immutability?

Dave Bittner: [00:10:22:22] Yes.

Malek Ben Salem: [00:10:23:07] Then, obviously, it does violate that, because this is creating a way to change the blockchain, right? To edit the blockchain. However, it's very controlled. Basically, what happens is, the blocks of data in a blockchain are linked back to the previous blocks by a hash. And a hash is the output of an algorithm that turns data into a fingerprint of the data, if you will. If the data changes in anyway, the hash would change in an unpredictable way. Now, these hashes are organized into something that's called a Merkle tree, or a hash tree, and the hash of the transactions are organized into pairs of twos, linked together in a chain. Then, they're hashed again. So, the hash at the very top of the tree is called the Merkle root. And that Merkle root is placed into a blocks header, along with the hash of the previous block, and a random number called anance. This creates all of the information that keeps the blocks of data cryptographically linked in a chain.

Malek Ben Salem: [00:11:34:02] To enable the blockchain redaction capability, a padlock is added in the links between the blocks with a key using a special hash function, what we call a chameleon hash, and if you have the key, you can unlock the link between the block to be edited and its successor block without breaking the hash chain. With that capability, you can change the blocks at the transactional level, because you can change the contents of a block, and you can consolidate and edit all these changes and delete any information that you may want to delete, and then recreate the link with this chameleon hash and close the lock again. Now, again, this capability should be only given to a governing body of that private blockchain, and needs to be used in special cases where, you know, some private data has to be redacted, or some illegal information that is not supposed to go on the blockchain, like, you know, pornography or, you know, things like that, that's when this approach needs to be used.

Dave Bittner: [00:12:48:13] Alright. Interesting stuff, as always. Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:13:01:20] My guest today is Bill O'Hern. He's a Senior Vice President at and Chief Security Officer for AT&T, the largest telecommunications company in the world. AT&T just wrapped up their 18th annual cybersecurity conference in New York City. And after the show, we caught up with Mr. O'Hern for his take on the industry and the part big players like AT&T have to play.

Dave Bittner: [00:13:23:12] Yes, you know, it strikes me, you know, obviously, AT&T is one of the largest communications companies in the world, but, at the same time, you have a challenge where you need to be nimble?

Bill O'Hern: [00:13:33:05] Yes, exactly. And software-defined networking helps us get there, right? If you think about the evolution of capability here, you know, traditionally, you have software and hardware combined into appliances and, typically, from a security perspective, you're putting together a chain of those appliances and every time there's a new threat, you're kind of forced to think about buying a new box or a new capability. And, you know, what's really unique about security function visualization is that, as you decouple that hardware and software and then you real-time enable the software functionality in the network, it becomes a really cost advantage and speed advantage for you to employ and deploy new security functionality.

Bill O'Hern: [00:14:27:03] But, I think the real benefits come from when you think about strong authentication and what that means and what we need to do in the network and leverage capabilities like our mobile key functionality. When you think about security function visualization and all of the orchestration that needs to occur to tie and integrate those platforms together. And then I think the biggie is, you know, as we get into this and we get into microsegmentation, it drives a lot of data. And getting real-time threat analytics in a way that it creates intelligence or actionable intelligence, that the network can then provision controls, I think that's really key to it. And those are all areas that, you know, we're doing a lot of innovation around and trying to push that into the next generation networking.

Dave Bittner: [00:15:23:01] Obviously, in the news we've seen this Mirai botnet attacking KrebsOnSecurity, hitting Dyn, you know, affecting much of the internet in North America and Europe. As a large scale provider like AT&T, how do you prepare yourselves to defend against those types of attacks?

Bill O'Hern: [00:15:44:00] Yes. See, this is a growing issue and I think there's several things that, you know, we need to think about this. First off, the problem exists primarily because OEM's are not really security conscious and neither is the user base. So, I think the first thing we've got to do is think about what types of standards need to be in place for products that are connected to the internet. And by standards, I don't mean regulation. What I'm really talking about is, you know, something similar to, like, Underwriters Laboratories. And, I think collectively as a community, we need to think about that and ensure that these OEM's have some level of standard that they're implementing at the security level.

Dave Bittner: [00:16:31:03] When I think about the scale of AT&T and the fact that, you know, your company has so many devices, so many products at really every level of technology, from, you know, consumers connecting to the network on their iPhones to large enterprise concerns. Does that scale give you certain advantages to offer a holistic view or a high level view of security at every level?

Bill O'Hern: [00:17:00:20] Well, I think it does. And, you know, you think about, you know, all of the things that you mentioned, whether it's wireless based or large enterprise based, right, there's nobody in the world that has the visibility that we have into running big global networks. So, you know, we play at everything from, you know, retail operations, to consumer operations, to business and government, you know, across the board. So, what's really important for us and our threat analytic platform is to be able to digest all of that data, look at the trends, look at the threat landscape, and to the extent that we can really capture that information and understand what's going on, and think about the protections that we're going to put in place. It's really on a scale and scope that's unparalleled anywhere in the world. You know, we ingest that and process that through our platforms in a way that we can then take action to help protect our services.

Dave Bittner: [00:18:03:04] As we head towards 2017, what do you see as being the biggest challenges facing the cybersecurity industry?

Bill O'Hern: [00:18:11:08] So, I think there are a couple. I think we're going to see a lot of consolidation. I think customers are at a point where they can't sustain buying a new service or product for every new threat that comes out. So, I think what that leads us down the path more so of is creating this virtualized ecosystem of capability, whereby utilizing APIs and integration and software-defined networking, we can just embed security in the core connectivity services. And customers don't have to go out and work with, you know, 40 or 50 different vendors and manage a whole bunch of different boxes. I think the real challenge here is, let's integrate that capability, let's bring the community together. Take the best of breed and push that capability right into the networks, so customers get to a point where security becomes effortless. It's in there, it's embedded. The capability's there, it's real-time, and it's learning and it's provisioning security capabilities, you know, on the fly.

Dave Bittner: [00:19:26:22] That's Bill O'Hern, Senior Vice President and Chief Security Office at AT&T.

Dave Bittner: [00:19:36:02] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jenniger Eiben. Our technical editor is Chris Russell and our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.