The CyberWire Daily Podcast 11.14.16
Ep 225 | 11.14.16

Russian banks suffer IoT botnet DDoS. Fancy Bear's still phishing. Lessons from Tesco fraud. Third-party risk hits Michael Page. Casino Rama data breach. Adult website loses data for 339 million accounts. FTC litigation. Moscow anti-trust case.


Dave Bittner: [00:00:03:18] DDoS hit big Russian banks and yes, IoT botnets can reach out and touch you even in Siberia. Fancy Bear's been poking at think tanks and ESET has a rundown of Fancy's fancies over the past couple of years. DDoS can be low and slow as well as high and noisy. Canada's Casino Rama, that's the casino's name, sustains a breach. A family of sites that none of you would visit is also breached, we tell you because you're probably asking on behalf of 339,000,000 friends. LabMD wins a stay against the FTC. And Kaspersky takes Microsoft to court in Moscow on an antitrust beef.

Dave Bittner: [00:00:44:24] Time to take a moment to share a message about our sponsor, E8 Security. You know, the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your networks once they're in your networks. And E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond you need a clear view of the real risks in your business environment and that's what E8 gives you. Visit and download their free white paper to learn more. That's E8, transforming security operations. And we thank E8 for sponsoring our show.

Dave Bittner: [00:01:49:08] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, November 14th, 2016.

Dave Bittner: [00:01:55:15] Security-camera-driven DDoS attacks have intermittently hit major Russian banks since November 8th. The attacks appear criminal as opposed to state-sponsored. The botnet was assembled from devices in at least 30 countries, mostly the US, India and Israel. The identity and, note, the location of those responsible remains unclear.

Dave Bittner: [00:02:16:21] Not unclear is the identity and location of Fancy Bear. It's the GRU, probably reachable at the Aquarium at the Khodynka Airfield, not that we'd recommend you actually try to do so.

Dave Bittner: [00:02:28:03] Security analysts continue to mull Fancy Bear's post-election, post-Microsoft-patch phishing romp through US think tanks and other policy wonk targets. Most see opportunistic targeting of Microsoft zero-days before they're closed. ESET has a study of Fancy Bear's operations. ESET calls them Sednit, one of at least seven names this threat actor has been given. And it's striking how active and widespread Fancy's activities have been. ESET lists three of the group's high profile targets. In April 2015, TV5Monde, a major French television network. In May 2015, Germany's Bundestag. In March 2016, the US Democratic National Committee.

Dave Bittner: [00:03:10:00] ESET invites you to draw the inference that Sednit, aka Fancy Bear, isn't shy about hitting prominent targets and that the group's interests are, as ESET puts it in their blog post, "connected to international geopolitics."

Dave Bittner: [00:03:23:24] It's worth noting that Fancy Bear has noisily drowned out whatever its cousin, Cozy Bear, has been up to. Cozy, unlike the outgoing and obstreperous Fancy, is quiet but has been observed to establish persistence in some of the same targets compromised by Fancy, notably the US Democratic National Committee.

Dave Bittner: [00:03:42:19] Also on the noisy side were October's distributed denial-of-service attacks driven by the Internet-of-things Mirai botnets. While these attacks seem to have subsided as widespread availability of the Mirai source code and competition for devices among criminal botmasters have fragmented Mirai botnets, there are other DDoS threats out there.

Dave Bittner: [00:04:03:15] In particular, researchers at Denmark-based TDC Security Operations Center are describing one, BlackNurse, which is a low and slow yet effective technique that exploits firewall vulnerabilities as opposed to IoT botnets. Certain firewalls are vulnerable to being clogged by a relatively low rate of traffic. As Ars Technica puts it, quote, "One modest laptop can knock big servers offline," end quote. A proof-of-concept attack shows that a single laptop could deliver BlackNurse traffic at 180 megabits per second, more than enough to down vulnerable servers. The firewall companies don't think this is a significant threat. As Palo Alto notes, BlackNurse works only under certain non-default conditions that contravene best practices.

Dave Bittner: [00:04:49:12] In the UK, the number of customers affected by the Tesco Bank fraud has been revised significantly downward from 20,000 to 9,000, but the incident continues to trouble bankers in the UK, Ireland and, to a lesser but still significant extent, elsewhere. Observers have variously blamed insiders, credential stuffing or exploitation of some third party for the heist. But others suggest weak security controls, especially weak access controls, lay at the heart of the problem and that either internal systems or mobile applications may have been compromised. The big stick banks would wish to duck in cases like this is the penalties swung by the EU's General Data Protection Regulation, which they've got to worry about whether they've brexited or not.

Dave Bittner: [00:05:34:08] In the US, NIST has released maritime and small business addenda to its well received cybersecurity framework. The maritime profile specifically addresses the cyber dimensions of securing the transfer of bulk liquid cargoes, many of which are of course hazardous materials. The US Coast Guard joined NIST in working on the document.

Dave Bittner: [00:05:55:05] The international, UK-based recruitment agency Michael Page has sustained a data breach that it blames on a third party contractor, Capgemini. Michael Page believes hundreds of thousands of names, email addresses, phone numbers, and other PII were inadvertently exposed on a development server. We note in passing that such exposure remains the going theory on how the ShadowBrokers got that Equation Group stuff they've been trying to auction off.

Dave Bittner: [00:06:22:19] Passwords may also have been compromised, although there's some hope the passwords were encrypted. The CyberWire heard from Chris Webber of security shop Centrify, who agreed that it looked like a case of third party exposure, quote, "It appears the contractor was using actual customer data on a publicly accessible development server. While passwords were also stolen, they were at least encrypted, although we would recommend that people change them anyway and if the same password is used for any other website, make sure those are changed too," end quote.

Dave Bittner: [00:06:53:23] Another breach was reported at the end of last week. A big Canadian casino, Casino Rama, disclosed that various employee, vendor and customer data were exposed. And we note in passing that third party risk runs both ways. In this case it appears the casino lost records concerning some of its vendors.

Dave Bittner: [00:07:12:09] Ontario based security firm, eSentire's CEO Paul Haynes, told the CyberWire that, quote, "Overall we've seen a rise in attacks targeting gaming institutions like casinos," end quote. The lesson is that even organizations as security conscious as gaming companies can fall victim to increasingly sophisticated criminals. He suggests that casinos might consider continuous eyes-on-glass network monitoring. It would be analogous, perhaps, to the kind of surveillance deployed to the casino's physical floors.

Dave Bittner: [00:07:43:03] Not that you'd be directly affected, but you might want to tell some of your less proper friends, all 339,000,000 of them, that there are credible reports of a breach at AdultFriendFinder. Adam Brown, Manager of Security Solutions at the security firm Synopsys, told the CyberWire, quote, "In this case verification is shown that some data is stored in clear text, while passwords are encrypted with SHA-1, not enough to thwart today's adversaries." It's tough to know how an organization, adult, juvenile, senescent or adolescent, it doesn't matter, stores and processes anyone's data in its apps and data stores.

Dave Bittner: [00:08:20:10] And finally in legal news, LabMD has scored an appellate court win over the FTC. The dispute continues but for now, LabMD has got a stay on the Federal Trade Commission's consent order in the longstanding dispute over the lab's information security practices.

Dave Bittner: [00:08:37:01] Kaspersky files an antitrust claim against Microsoft in a Moscow court, alleging anti-competitive biases in Windows 10's security bundle. Did Senator Sherman have a seat in the Duma, too? Who knew?

Dave Bittner: [00:08:55:11] Time to take a moment to tell you about our sponsor, AlienVault. Do you know the typical attack goes undetected for more than eight months? This is especially frightening considering 90% of all businesses have suffered an attack. It's no longer a question of whether an organization will be breached, it's when. Better threat detection starts with AlienVault Unified Security Management. The AlienVault platform provides all of the essential security controls needed for complete threat detection in one easy to use and affordable solution. With its integrated security controls and expert threat intelligence from the AlienVault Labs security research team, you don't need to deploy and manage numerous security point products. Spend your time responding to threats rather than researching them with AlienVault. Visit today and download your free 30 day trial of AlienVault Unified Security Management. That's And we thank AlienVault for sponsoring our show.

Dave Bittner: [00:10:01:03] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you know these ongoing problems with IoT devices, the Mirai botnet, things like that, are these making us take a different view of how we look at overall security when it comes to the Internet-of-things?

Dale Drew: [00:10:18:20] You know, IoT security is sort of taking some fairly fundamental shifts in interest I'd say here lately. You know, traditionally our concern with IoT security is just how they're becoming more interconnected across the, the device ecosystem where, like, my, my Apple watch, for example, can now control a pretty large amount of devices in my home and that Apple watch goes with me when I go into work. And so, you know, our, our primary concern for IoT used to be focused on how do you secure that overall ecosystem? How do you make sure that IoT device to IoT device, you know, security is protected? Especially across vendors. And so the amount of vendor collaboration, the amount of security agreement on standards is paramount of interest.

Dale Drew: [00:11:08:00] But IoT security is now morphing into a whole new stratosphere because of the fact that we now have bad guys who are taking advantage of exposures on, what I would call, fairly immature IoT developed devices, and compromising those devices and being able to use them for things like DDoS attacks and ransomware attacks and, you know, more traditional sort of hacking on the network and DDoS on the network.

Dale Drew: [00:11:39:17] And, and the concern with that is, you know, for example, you know, Level 3 discovered a, a botnet, you know, one of them was called Bashlite and one's called Mirai. Somewhere in the vicinity of 1.5 to 1.6 million compromised IoT devices, and these are things like IP cameras, home routers and DVRs, and so when you have, you know, a million and a half devices at your disposal, the amount of damage that you can cause in the DDoS space now is unprecedented. It is something that we just have not seen in the industry before, something of that magnitude and that sort of capability. And so, you know, IoT device security now means a lot more things. It's not only device ecosystem infrastructure, but it's the maturity of the device itself. And what I'll say as an example is, you know, a majority of the devices that we've detected in these botnets were developed for their core functionality. They did not contemplate the overall sort of security ecosystem. So they have no ability to patch themselves. They have no ability for the vendor to push patch notifications. So a lot of these devices will, unfortunately, go, go through a very long existence of never being patchable and therefore always being a potential compromise to the Internet itself.

Dale Drew: [00:12:57:21] So what we would recommend is, you know, as a consumer of IoT to make sure that you are not deploying insecure IoT devices, is when you get an IoT device, make sure you change the password. Make sure you do not use vendor default passwords and make sure you don't use the same password across all your IoT devices. When a bad guy breaks into one, he would then have access to all of them. Do your research, make sure that you buy a device that's a bit more re-- from a vendor who's a bit more reputable. And the best way to make that determination, in my opinion, is to find someone who's what's called Hub Approved. So, you know, that's like a Wink Hub or an Apple Smart Home Hub where the device has to interconnect with this hub provider because that hub provider has got security standards associated with things like encryption, authentication and logging.

Dale Drew: [00:13:52:00] And then the last one is I would recommend that if you are deploying these either in your small business or in your home, is to put them on a separate network. Or at the very least create a guest network so that when you invite people over to your home, if you want to give them access to the Internet, that they do not have access to your IoT devices. And that your IoT devices don't have access to the rest of your home network devices.

Dave Bittner: [00:14:17:16] Good advice as always. Dale Drew, thanks for joining us.

Dave Bittner: [00:14:22:22] And that's the CyberWire.

Dave Bittner: [00:14:24:09] For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible.

Dave Bittner: [00:14:33:05] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.