The CyberWire Daily Podcast 11.29.16
Ep 234 | 11.29.16

ISIS online sympathizers (but not ISIS itself, which is lying a bit low) claim Ohio State attacker. German security agencies warn of possible Russian disruption of elections. Mirai strikes again. San Francisco's Muni shrugs off ransomware. A look at the dark web.


Dave Bittner: [00:00:03:20] ISIS sympathizers praise Ohio State slasher rampage in social media. Germany's BND warns of Russian plans to disrupt elections. Deutsche Telekom recovers from a Mirai-driven DDoS attack. San Francisco's light rail recovers from ransomware and resumes collecting fares. Continuing security troubles for former and prospective US Secretaries of State. The Carter Administration, yes the Carter administration, gets doxed and XHamster is breached. Hey, didn't John McAfee warn you about that?

Dave Bittner: [00:00:39:20] Time for a message from our sponsor Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve but your costs will drop and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker desktop and Netsparker cloud, whether you're pen testing or securing your enterprise online, you'll find what you need at and check this out, you can try it out for free with no strings attached. Go to for a 30 day fully functional version of Netsparker desktop. And by fully functional we mean yes really, really, actually, truly fully functional. Scan the websites with no obligation. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:50:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 29th, 2016.

Dave Bittner: [00:01:57:12] In the US, investigators of yesterday's car-crash and knife rampage on the campus of the Ohio State University have found social media posts from the late alleged attacker in which he avows an intention to avenge injury and insult to Muslims. ISIS has not yet claimed responsibility for inspiring the attacker, but the Caliphate's sympathizers have begun lionizing the late alleged attacker online as a "brother," and they continue to draw pride and encouragement from an apparent act of terrorism.

Dave Bittner: [00:02:27:23] The head of Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), joins warnings of a Russian cyber threat to next year's elections. Bruno Kahl, speaking to the Süddeutsche Zeitung, remarked that Europe was seeing a wave of cyber incidents that appeared to have no purpose beyond "triggering political uncertainty" and "delegitimizing the democratic process as such." Kahl's assessment echoed warnings earlier this month by his colleague Hans-Georg Maaßen, head of the domestic intelligence agency BfV. Kahl spoke as Deutsche Telekom recovered from a large distributed denial-of-service attack that knocked out service to some nine hundred thousand customers. The DDoS attack, not yet attributed, is provisionally thought to be the work of criminals, not state actors. As it recovers from the incident, Deutsche Telekom has issued a router firmware upgrade to mitigate the exploited vulnerability.

Dave Bittner: [00:03:24:16] The malware implicated in the attacks appears to be an evolved version of the Mirai botnet herder, according to researchers from security firm Tripwire. Tripwire's Craig Young outlined some of the highlights of this Mirai-driven attack for us. After it infects a system, Mirai deletes the original malicious binary and relocates itself to blend in with normal system items. Mirai also attempts to block access to the vulnerable remote management protocol. This accomplishes two things: preventing a subsequent competing infection, and making it more difficult for ISPs to forcibly reset devices. One of the main servers used in the attack infrastructure is registered out of Kiev, Ukraine, under the name "Peter Parker," (and clearly the hoods behind the attack don't know that with great power comes great responsibility). The attackers built their payload for multiple architectures. Young says "As of this morning the malware available on the C&C server is instead downloading and running a script which attempts to run a payload from each of seven architectures until one succeeds." Previously infected systems are not running the new variant. Young notes "This would imply, that the controller has not (or cannot) update the malware on already deployed systems."

Dave Bittner: [00:04:40:01] We also heard from Mike Ahmadi, of the Synopsys Software Integrity Group. He thinks the Deutsche Telekom incident is a bad sign that "massively scalable" attacks are coming to be all the rage among black hat hackers. "This is particularly alarming because our testing tools have been able to uncover literally thousands of scalable attacks on very commonly deployed networking equipment and IoT devices over the last several years. It seems that simply finding a vulnerability is no longer all that interests the malicious hacker world, but finding and exploiting high impact vulnerabilities is very interesting. Unless developers and users implement more rigor into discovering and mitigating software vulnerabilities, scalable attacks will continue to grow."

Dave Bittner: [00:05:24:06] Rod Schultz, of security firm Rubicon Labs, says the incident illustrates the risks of what he calls a "break once, break everywhere" technology, since the routers hosted by Deutsche Telekom appear to have little "digital diversity." That may make for simpler management of devices, but, as Schultz points out, "that simplification is also leveraged by attackers to compromise the system." The problem isn't susceptible to any easy fix, and Schultz foresees it persisting for many years.

Dave Bittner: [00:05:53:16] The other high-profile hack of these waning days of November was, of course, the ransomware attack on the payment and scheduling systems of San Francisco's Muni light rail. The Muni has resumed normal service, and has resumed charging passengers fares for their rides. Transit authorities decided to let everyone ride for free during the attack rather than suspend service. The Muni, we note, did not pay the ransom, and security researchers have applauded that decision. The system has also, so far, suffered none of the consequences the attackers threatened. KrebsOnSecurity reports that a security researcher who asked that his or her anonymity be preserved, hacked the attacker's mailbox and found links suggesting connections to other ransomware attacks. Signs point, circumstantially, toward a Southwest Asian hacker, but there's no firm attribution, yet.

Dave Bittner: [00:06:44:21] Our partners at Terbium Labs, who watch the dark web pretty closely, say that, as they predicted, the cyber black market was holding Black Friday sales, too. They saw one vendor of cybercriminal tools flacking their wares with the come-on that the holiday season is the best time to commit fraud.

Dave Bittner: [00:07:02:09] Turning elsewhere, old news today either returns or persists. The old news that's returned comes courtesy of WikiLeaks, which has released a tranche of Carter Administration diplomatic cables dating from 1979, a year which Assange and some others apparently believe represented a kind of watershed for recent history—a low point in American power, a brief period where the Soviet Union appeared to be in unchallengeable ascendancy, and a time marked by the rise of newly militant Islam in Iran and elsewhere.

Dave Bittner: [00:07:34:11] The old news that persists includes one former and one prospective US Secretary of State: former Secretary Clinton faces continued civil litigation over security issues with her emails, and prospective Secretary of State Petraeus (who met recently with President-elect Trump, reportedly to discuss the job) remains under investigation for security breaches committed during his tenure as CENTCOM commander and Director of Central Intelligence. Despite assurances to the contrary by President Obama and Homeland Security Secretary Johnson, concerns about election hacking produce recount drives in closely decided states.

Dave Bittner: [00:08:11:00] These recount demands are largely led by Green Party Presidential candidate Jill Stein. Terbium Labs told us they've seen a recent dump of personal information associated with the Greens and calls on the dark web for a general doxing effort against that party. Terbium also notes that one of Tor's more popular doxing and dumping sites has just popped back up after having been down for over a month. The site, CloudNine, has a new layout, and it has a record of hosting politically motivated doxing, along with more standard doxing dumps.

Dave Bittner: [00:08:44:02] And finally, there's apparently been a breach at the xHamster adult site, with user accounts appearing on the dark web. We know none of you have anything to worry about, but if a friend asks you, well, they can't say John McAfee didn't warn them years ago.

Dave Bittner: [00:09:03:13] Time for a message from our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyses the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytic talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and if it helps us we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to and subscribe for free threat intelligence updates from Recorded Future. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:57:09] And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, we're just about to wrap up November, but before we do it's worth noting that November was critical infrastructure month.

Dale Drew: [00:10:09:16] Yes, I'd like to think that every month is critical infrastructure month. We're just highlighting a little bit more of it in November. Well, you know, and it's one of those issues where we're seeing more and more rapid exploitation of businesses. You know, businesses can no longer say "you can no longer reflect on a compromise being with regards to a period they have in the industry or some other unrelated company." It really is beginning to hit home more and more, because there are no, you know, unsafe territories for victims these days.

Dave Bittner: [00:10:46:07] People can't say "that will never happen to me."

Dale Drew: [00:10:48:03] That's exactly right. I mean I seem to recall there was a study by GAO, the Government Accountability Office, that said between 2006 and 2015 we increased from 5,500 victims a year to 77,000 victims a year. And so, you know that's a 1,300% increase in victims. So it really is no longer that it can't have a mean mentality.

Dave Bittner: [00:11:18:01] And so when we're talking about critical infrastructure, what does that encompass?

Dale Drew: [00:11:21:24] Well, you know, I mean, critical infrastructure is those elements that are responsible for making up a majority of our infrastructure, whether that's the water we drink in our homes, the transportation that moves us, the stores we shop in or the communications infrastructure we rely on to stay in touch with friends and family and businesses. So, you know it really is the things that bind our capability as a society.

Dave Bittner: [00:11:51:09] And we've seen what I would describe as sort of warning shots, you know shots across the bow. There's the famous story about the control system on the dam in Rye, New York, and, of course, the more serious stuff that happened in Ukraine with their power system. I think some people, myself included, have a hard time really getting a sense for, you know, how seriously to take some of these threats, because a major event has yet to happen, certainly here in the United States. Do you think that's a fair description?

Dale Drew: [00:12:24:02] You know, I think incidences are occurring pretty much on a regular basis and they're mostly in the forms of theft of intellectual property and, you know, we see a lot of compromises of some critical infrastructure providers, especially when it comes to where we see bids for infrastructure proposals. We see nation states break into quite a wide variety of critical infrastructure providers in an effort to steal intellectual property, so they can use that data to compete in those bids. So, you know something as trivial as that, that sort of avenue, gives them access to that baseline infrastructure and that capability to be able to launch other attacks. You know, there was an attack, I would call it a critical infrastructure per se, but it was pretty close. There was an attack October 21st against a fairly popular domain name service, DNS provider, that provided the ability to, you know essential serving directory name services for certain domains that are responsible for critical payment infrastructure, critical communications infrastructure. And, when that service went down a significant number of websites went down with it. And so something that, you know, those little connective tissues become very very critical in our ability to tie all this infrastructure together.

Dave Bittner: [00:13:46:24] And when we look at something like the ability of the Mirai botnet to take down large parts of the Internet in North America, do we consider the Internet to be critical infrastructure?

Dale Drew: [00:13:56:06] Yes I would say at this point, you know, the Internet absolutely is a critical infrastructure. I mean, not only are there businesses that operate almost entirely and exclusively on its dependency, but our ability to communicate as a society is largely dependent upon the availability of the Internet. So, absolutely, I think it is a critical critical infrastructure.

Dave Bittner: [00:14:22:09] Alright. Well, Dale Drew, once again, thanks for checking in. We'll talk again soon.

Dave Bittner: [00:14:28:20] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire dot com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.