The CyberWire Daily Podcast 11.8.16
Ep 222 | 11.8.16

Election Day cyber updates. Mirai goes to pieces. Five Eyes and Europol take down dark web souks. Turkey and clamps down on their Internet.


Dave Bittner: [00:00:03:16] All hands on deck for the elections, but really the Feds seem to think the hacking problems will be small and manageable. The information ops might be another thing. Flashpoint sees Mirai losing its mojo in a black market market correction. Users in Turkey flee censorship into Tor. Operation Hyperion shuts down a lot of dark web nastiness. Tesco fraud investigations continue. And, Your Honor, the plaintiff pleads bad writing.

Dave Bittner: [00:00:36:02] Time to take a moment to tell you about our sponsor CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. If you're a job seeker, you can create a profile, upload your resumé and search and apply for thousands of jobs. And if you're a recruiter, it's great for you too. If you're looking to source information security professionals, you should contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more, visit That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:32:06] I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, November 8th, 2016.

Dave Bittner: [00:01:38:16] As the US elections proceed, the Federal Government is simultaneously said to have all hands on deck against hacking, and to not really be that worried about this whole hacking thing. The story is more complex than contradictory, however. The hacking officials aren't too worried about would be widespread direct compromise of voting systems in ways that could directly manipulate the election results, essentially industrial scale voter fraud. This indeed seems relatively unlikely. US voting is run by the states, with heavy participation by local governments, and that system is sufficiently disparate and not coordinated to give it a certain built-in, if not entirely intentional, resistance to widespread centralized fraud.

Dave Bittner: [00:02:21:05] On the other hand, it's worth noting that both Cylance and Symantec have shown that hacking various voting machines is clearly feasible. Like most of the rest of the stuff that touches the Internet, voting machines weren't designed with this kind of cybersecurity in mind.

Dave Bittner: [00:02:36:03] Most observers see the principal threat as Russian information operations directed toward eroding public trust and confidence in the vote, with data deception and denial following in their train. The US Intelligence Community has publicly attributed hacks of political networks, most notably that of the Democratic National Committee, to the Russian government. President Putin hasn't been shy about characterizing American democracy as a mess, complete with taunts asking whether US allegations of Russian influence operations mean that the Americans now think of themselves as a Banana Republic. His words, not ours, we have no beef against bananas or any other healthy produce. Many analysts think that, if his goal was to bring discredit to the US political system, Mr. Putin can already chalk up at least a preliminary victory.

Dave Bittner: [00:03:24:08] The data deception and denial Wired magazine calls out as the other significant risk would probably involve denial-of-service operations, social media trolling, and interference with journalistic coverage of the election, especially reporting of results. Some such activity could be state directed, or it could be merely state inspired, or even just criminal activity taking advantage of the conditions surrounding a high-profile event. Some of the probes of voter databases US authorities hint they've seen appear to be of the third criminal variety.

Dave Bittner: [00:03:56:13] As far as denial-of-service attacks are concerned, both Democratic and Republican presidential campaign sites sustained Mirai-driven distributed denial-of-service campaigns yesterday, but to little effect. Not only was it a bit late in the game to be hitting party sites, with due allowance made for whatever ground game the parties had in mind, but Mirai seems to be losing its mojo. Flashpoint researchers tell us that this is because the widespread availability of the Mirai botnet-herding malware source code has caused its botnets to fracture. Essentially, there are more aspiring botmasters trying to stampede the webcam and home router bots against their chosen targets, but there aren't enough bots to go around. So again, the black market functions like a market - it's supply and demand.

Dave Bittner: [00:04:42:16] Crowdstrike, the well-known cyber threat intelligence company, is among those who attributed the DNC hacks to Fancy Bear and Cozy Bear. We spoke with Crowdstrike's Dan Larson about threat actors, what motivates them, and why it's better to be proactive than reactive.

Dan Larson: [00:04:58:02] You know, if you look over the last three years, we've seen an incredible uptake in the number of private organizations and governments that are experiencing breaches. Kind of an emerging trend that we're starting to see, you know, you can see it as part of the election, actually, is this strategic leaking of documents for the purpose of either political gain or private economic gain. And that notion of breaching an organization as a means to an end, rather than being the end itself, is kind of the alarming trend that we're seeing and that we're working to put to an end.

Dave Bittner: [00:05:33:08] When you talk about the difference between proactive and reactive cybersecurity, what are you talking about there?

Dan Larson: [00:05:39:21] I think many of us in cybersecurity are used to this model where something bad happens, a researcher then analyzes that event and produces something, like a virus signature or an IOC, and then deploys that. And the problem with that whole model is that you're looking in the rear view mirror, right? It assumes it starts with something bad happening and then you do some research to overcome it and prevent it in the future, but that model needs to change. And, in order to get to proactive, what we believe at Crowdstrike is, you need to be actively monitoring the adversaries out there, understanding how they do what they do. What is their tradecraft? And if you're successful in understanding those things, you're able to build preventative measures so that, from a technology perspective, you're able to put in place countermeasures that will prevent the initial infection from happening in the first place.

Dan Larson: [00:06:38:16] I think one of the great misconceptions for a lot of businesses is they say, you know, "We're too small to be targeted," right? These targeted attacks are only happening to big named corporations or, you know, political entities and that sort of thing, and that is simply not true. In our customer base, you know, we have customers who have experienced breaches that are ten to 20 employees, and then, of course, the multi-nationals. And the bottom line is, if you have enough intellectual property to justify creating a business, you know, a business that employs people and is relevant in the economy, those are the exact same conditions that make you an interesting target for a lot of the cyber adversaries.

Dave Bittner: [00:07:19:17] That's Dan Larson from Crowdstrike.

Dave Bittner: [00:07:23:21] Tor's duality is on full display this week. Internet users in Turkey are moving heavily to Tor as they seek to circumvent their government's blocking of social media services and its implementation of stronger online censorship. On the other hand, Operation Hyperion, a multinational police takedown of Tor-enabled black markets, has shown the less savory uses to which the anonymizing network may be put. And congratulations to the Five Eyes and Europol, which ran Operation Hyperion. The criminal dark web markets they shuttered were selling not only illicit drugs, but counterfeit items, toxins, fraudulent identities and the documents to go with them, and credit card data. They also offered an array of nasty services, including hacking, contract killing, and money laundering.

Dave Bittner: [00:08:12:02] The fraud campaign directed against customers of the UK's Tesco Bank remains under investigation. The bank suspended much online account access, but permitted continued access to paycards and ATMs, which suggests to some the fraud may have been an inside job, as opposed to an external hack. Tesco also hasn't referred to the incident as a hack. Estimates of the bank's exposure to litigation and regulatory penalties run as high as £1.9 billion. Whether that's a British billion or just an American billion we don't know, but either way, that's a whole lot of pounds.

Dave Bittner: [00:08:48:17] Finally, Tesla Motors has been in a legal spat with one Todd Katz, formerly CFO of an oilfield and pipeline services company, and for some reason a critic of Tesla. Tesla is suing Mr. Katz for impersonating Tesla founder Elon Musk in an email sent to Tesla's CFO on August 3rd of this year. Mr. Katz has now countersued. His claim is essentially that no one could have taken his impersonation seriously, since it was so riddled with fractured syntax and a host of other solecisms a real email from Mr. Musk would never have committed. Thus, Tesla suffered no actual harm. So, here's the message Mr. Katz acknowledges sending. "Why you so cautious with Q3/4 gm guidance on call? Also, what are your thoughts on disclosing M3 res number? Pros/cons from ir pov? What is your best guess as to where we actually come in on Q3/4 deliverables. Honest guess? No bs. Thx 4 hard work prepping 4 today." As Naked Security reports, Mr. Katz says in his brief, "Nobody who received this preposterous and grammatically deficient email ever believed it really came from Elon Musk."

Dave Bittner: [00:10:03:23] All we can say is, all your quarterly guidance are belong to us.

Dave Bittner: [00:10:12:21] Time to thank our sponsor E8 Security. And let me ask you that question. Do you fear the unknown? Lots of people do, of course. UFOs, men in black, stuff like that. But, we're not talking about those. We're talking about real threats, unknown unknowns that are lurking in your network. The people at E8 have a White Paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to and download their free White Paper, Detect, Hunt, Respond. It describes a fresh approach to the old problem of recognizing and containing a threat that no one has ever seen before. The known unknowns, like alien abduction and Kang and Kodos, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. and check out that free White Paper. And we thank E8 for sponsoring our show.

Dave Bittner: [00:11:13:10] And joining me once again is Rick Howard. He's the CSO at Palo Alto Networks. He runs their Unit 42 Threat Intel team as well. Rick, you all have a new report out from Unit 42. This is called your Nigerian Threat Actor Report. Now, it's become almost a cliché and I think we joke around the office about, you know, "I just got a letter from a Nigerian prince who wants to cut me in on the wealth." But, there's more to it here. This report really digs into it.

Rick Howard: [00:11:40:20] Yeah. Our Unit 42 guys have been paying attention to this, because we keep seeing these attacks going against our various customers around the world. And, first, you know, we have to talk about the code name, because you can't really write a White Paper without giving it a cool code name. So, this is classified as Silver Terrier. And you're right, it is a joke around the industry that these Nigerian fraudsters, you know, are going to ask me for money and we always give it to them. But, what we've seen in the last couple of years is that these folks have really upped their game, okay? Where typically they were really low level cybercrime actors, they've now moved into the realm competing with other more high-end cybercriminals, you know, out of Eastern Europe.

Rick Howard: [00:12:23:08] This all started back in the, you know, the 80s with the scams you were talking about. And we refer to them as like the 419 scams, because in Nigeria they have a law, Section 419, that forbids this kind of thing, so that's how they kind of got the name. But now, since then, they have moved, like I said, upgraded their craft. They're using professional tools like ZeuS and DarkComet. They go after, you know, cheap malware or free malware that they use in their own schemes. They've gone away from blanket targeting to going after very specific targeting to specific industries that we're seeing high-tech and higher education, manufacturing, health care and construction. The volume is steady, about 5,000 to 8,000 attacks per month. So, like I said, they've really upped their game.

Rick Howard: [00:13:10:10] What's interesting about the White Paper we just produced, is we were able to get access to some of their social media from these fraudsters in the country, and they're not your typical people we used to think did this. They're not these little script kiddie teenager people, they're mostly in their mid-40s. They live in the Southeast region of Nigeria and they're pretty well to do. They're educated. They don't hide for some reason. I guess it's okay to be a cybercriminal in Nigeria.

Dave Bittner: [00:13:36:21] Yes, I was going to ask. Does the Nigerian government just turn a blind eye to this stuff?

Rick Howard: [00:13:41:11] I think it's kind of they wink and nod and, you know, squint at that kind of crime and kind of let it go on. I'm not an expert there. But it's interesting that they can hide in plain sight. I think what's also interesting is that they run teams. The ones in charge of these groups, they're running lower, not as technically savvy teams, but they give them very specific tasks to do. What I love about this is that they use Facebook for their social stuff, and they don't necessarily hide that they're criminals, but they don't really talk about it a lot, but they use Google+ to do their, you know, cybercriminal stuff so, I guess that they're a covert channel. Anyway, it's a very interesting report and you guys should all read it and I think you'll enjoy it.

Dave Bittner: [00:14:27:14] Alright. Rick Howard, thanks for joining us.

Dave Bittner: [00:14:31:21] And that's the CyberWire. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.