The CyberWire Daily Podcast 11.30.16
Ep 235 | 11.30.16

Mirai remains a threat; experts expect more IoT-driven DDoS. ISIS, online radicalization, and terror attacks in the US. Snooper's Charter and its alternatives. Gooligan Android malware.

Transcript

Dave Bittner: [00:00:03:19] Deutsche Telekom recovers from DDoS, but observers warn there's more Mirai where that came from. Germany arrests an alleged mole in the BfV. ISIS claims the Ohio State attacker as its soldier. San Francisco's Muni hangs tough on ransomware. A new Android malware strain is out in the wild. And Ross Ulbricht's defense team say they've found a third crooked cop in the Silk Road case.

Dave Bittner: [00:00:32:15] Time for a message from our sponsor Netsparker. When you want automated security, you want it to be, well, automatic. Netsparker delivers truly automated web application security scanners. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner than can identify the set up and configure its own URL rewrite rules. Visit netsparker.com to see how Netsparker's no false positive scanner frees your security team to do what only humans can do. Don't just take their word for it, if you'd like a free trial go to netsparker.com/cyberwire for a 30 day fully functional version of Netsparker Desktop. That's netsparker.com/cyberwire. Scan your websites with no strings attached. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:36:12] I'm Dave Bittner, in Baltimore, with your CyberWire summary for Wednesday, November 30th, 2016.

Dave Bittner: [00:01:42:18] It continues to be a rough week in Germany. Deutsche Telekom has mitigated and largely recovered from the distributed denial-of-service attack that shut down nearly a million customers for a few hours Sunday, but the consequences of the incident are more enduring. Researchers at the security firm Flashpoint have confirmed that the denial-of-service attack was Mirai-based and they've concluded, with high confidence, that the incident represented an attempt by the botmasters to increase the number of devices under their control. Thus, the incident would appear to be a skirmish in a criminal turf war. Flashpoint's report says, "A natural next step in the evolution of this malware is for criminal actors to decouple the Mirai payload from its spreading mechanism, and use a different spreading mechanism."

Dave Bittner: [00:02:28:05] Note the wide geographical reach of the threat. Germany leads infections by a wide margin, but there are also significant infestations in the UK, Brazil, Iran, Turkey, Chile, Ireland, Australia, Argentina, Italy, and Thailand. Many observers have concluded that the incident is related to last week's outages at Ireland's Eircom.

Dave Bittner: [00:02:49:14] One of the alleged botmasters, BestBuy, who is in cahoots with one Popopret, has been chatting with Motherboard, to whom he or she or they, boasts of the ease with which they were able to wrest control of bots from other criminals. BestBuy also says they're sorry about any inconvenience Deutsche Telekom customers might have experienced. The botmasters didn't really mean any trouble. Although if they didn't mean trouble, what in the world did they mean?

Dave Bittner: [00:03:15:06] There was wide speculation after Mirai hit Dyn in late October, that the DDoS attacks were a trial by a nation state seeking to prove out its ability to take down critical infrastructure at will. That initial speculation hasn't been confirmed, but it hasn't entirely gone away, either. German Chancellor Merkel says it's not yet known who the attackers were, but she and other German politicians are clearly looking east, toward Russia.

Dave Bittner: [00:03:40:13] For some perspective on protecting yourself against bots, whether they're engaged in DDoS, content scraping, price scraping, scalping, or any of the other things bots get up to. We checked in with Omri Iluz from PerimeterX, a company that specializes in defending against bots.

Omri Iluz: [00:03:56:02] Most people, when they think about web security or online security, still think about a single hacker sitting in front of a computer somewhere and trying to hack into a website. And that was true ten years ago. But, once attackers move from being just a skip kid, or people that are doing this for their ego and to show off to their friends, into the organized crime space, they also started looking into ways to optimize their hacking. So, instead of sitting in front of one website for a few weeks to hack into it, they started scripting their attacks. So, every operation they can do manually, they now automate. They create a script and they just deploy that on something call a BartNet, and now they can target thousands of websites. So, a BartNet is simply an army of machines that they control.

Dave Bittner: [00:04:55:00] What are some of the threats that sort of suit themselves to these sort of botnets?

Omri Iluz: [00:04:59:07] The first one is what's called account abuse. Any website with a user account system, meaning a login, create account capabilities is being abused by these bots. And I remind you, these bots are completely automatic, so it doesn't matter how small or how big the website, they would just run and try to hack into it. The second one is boot close. It can be with gift card or credit cards. An attacker would come in, because he has now an army of bots at his disposal, and he can just try how many times he wants. He can go to the check balance page on a website and just try to put in randomly gift card numbers, seeing if any of them has a balance.

Omri Iluz: [00:05:45:08] Another attempt that lends itself very well to bots is content theft. If you run a website, a commerce website, your competitor wants to know exactly when you start a sale, exactly what price you're selling it for and what do you have in stock. So, what they would do, they would use bots to pull every page, every item, every price from your website and they'll do it very frequently, so maybe once an hour, and they'll create a database of your entire website without you even knowing that.

Dave Bittner: [00:06:17:02] What are some of the ways that people who are running websites can protect themselves against these kinds of bots?

Omri Iluz: [00:06:22:10] Today, especially since the IoT botnet, I'm sure you and your listeners have heard about that, the big IoT botnet?

Dave Bittner: [00:06:30:00] Oh yes.

Omri Iluz: [00:06:30:15] We are shifting the focus into profiling the behavior of every visitor. So, instead of looking at the signature of the request coming in, the IP or the rate that it's coming, we'll look at the actual interaction of the user with the application. And I'm talking about things like, look at the mouse movement, look at the clicks. If someone is logging into your website, he should be moving his mouse to click on the login button. He should be typing his password. If he's coming from a mobile phone, you should be able to pull sensor information, battery accelerometer. If you don't see all of that, most likely it's a bot. So, once you start looking at the actual behavior, it is very hard for them to stay hidden.

Dave Bittner: [00:07:17:19] That's Omri Iluz from PerimeterX.

Dave Bittner: [00:07:22:15] The other bad news out of Germany concerns the arrest of a BfV domestic intelligence officer. He's alleged to be an ISIS mole who was not only feeding the Islamist group information, but also helping plan terror attacks. His thinly pseudonymous social media activity, jihadist chatter mostly, brought him under suspicion.

Dave Bittner: [00:07:42:16] ISIS has, in its online propaganda, now officially claimed the late alleged Ohio State attacker as its soldier. Investigators have found various statements threatening death to unbelievers and retaliation for their complicity in worldwide disrespect and repression of Muslims. Observers consensus is that this was a matter of inspiration, not direction, and if so, that certainly fits the common ISIS pattern. Centrally directed attacks outside of the Caliphate's shrinking territory have tended to be the exception, rather than the rule.

Dave Bittner: [00:08:13:19] In a different case, a young man, Justin Sullivan, pleads guilty in a US Federal court to terrorism charges. He admitted to preparing attacks in Virginia and North Carolina. Those attacks didn't come off. His allocution makes for sad reading: disaffection drawing him toward fantasies of others deaths, which in turn drew him to ISIS online propaganda, whence he fell in the summer of 2015 under the influence of ISIS senior recruiter Junaid Hussain. Mr. Sullivan, aged 20, agreed to a life sentence, the maximum penalty for attempted terrorism.

Dave Bittner: [00:08:48:01] San Francisco's Muni transit authorities hung tough against the ransomware extortionists who hit it over the weekend. The FBI and the Department of Homeland Security have been helping them out, but more ransomware attacks can be expected. The same attackers, who may be Iranian, as there are thought to be significant Farsi notes on the attack server, have been hitting companies in the US for several months. One of them paid up to the tune of $140,000. Veracode thinks the hackers are exploiting unpatched Oracle server vulnerabilities.

Dave Bittner: [00:09:18:21] A new Android malware strain, Gooligan, is out in the wild. A million Google accounts are thought to have been breached. More than 80 malicious apps are involved in spreading Gooligan. The name is Russian for hooligan, by the way, call it gool-ee-ghann if you want to sound like Ensign Chekhov. And about three quarters of Android devices are believed vulnerable to rooting by the malware.

Dave Bittner: [00:09:40:16] And a final word on crime and punishment. Attorneys for convicted Silk Road proprietor Ross Ulbricht say that there's a third bent cop out there on the case, in addition to the two already collared. He went by the handles albertpacino, alpacino, and notwonderful, and is alleged to have sold Ulbricht information about DEA enforcement actions. The defense team appears to be looking for grounds for an appeal, but no one else seems to be able to see how this sort of alleged corruption, bad and distasteful as it allegedly may be, could prove exculpatory. Allegedly.

Dave Bittner: [00:10:20:17] Time to tell you about our sponsor Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber News, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:29:12] And I'm pleased to welcome to the show Professor Awais Rashid. He heads the Academic Center of Excellence and Cybersecurity Research at Lancaster University. Professor, welcome to the show. By way of introduction, why don't you tell our audience a little bit about yourself and the type of work that you're doing there at Lancaster University?

Professor Awais Rashid: [00:11:45:19] Thank you very much for having me on the show. It's a pleasure to be here. My research mainly focuses on two areas. One is security of cyber physical systems and the other is human factors in cybersecurity. The two, of course, overlap and very often we look at both kind of technical and human aspects of security and how the two come together to create interesting problems and also solutions. In addition to that, within our center at Lancaster, we also work on security of large scale infrastructures, as well as a number of privacy enhancing technologies.

Dave Bittner: [00:12:24:05] Take us through some of the research areas there at Lancaster University.

Professor Awais Rashid: [00:12:28:06] So, there are four primary areas of research that we have. The first one being security of cyber physical systems. Here, we look at security of critical infrastructures such as cybersecurity of power grids, water treatment facilities, gas plants. These systems are often now connected to the Internet, or have various vulnerabilities and we specifically look at protecting these kind of systems. We are also looking at security of the emerging Internet of Things devices. Another big area of research for us is security of large scale networks. Here, we look at Internet scale networks, including the Internet backbone itself. In fact, we have done studies on the resilience of the Internet backbone in Europe. And we are also looking at security of emerging techniques, such as Software-Defined Networks, as well as Wireless Internet Works and mechanisms like that.

Professor Awais Rashid: [00:13:28:13] We do quite a lot of work on human factors in cybersecurity, studying how the design of systems perhaps impact humans responses to those systems. Looking at issues of usability, but also how, for instance, the human in the loop may be exploited by attackers, by looking at more sophisticated social engineering techniques that attackers might deploy. And, finally, we look at privacy in very large scale connected Social Technical Systems like online social networks. Looking at both how we may have more effective privacy policies and their operationalization in these kind of settings, but, also how we may do things like privacy preserving, data mining and new forms of privacy controls that might be more usable by individuals.

Dave Bittner: [00:14:22:15] Alright. Professor Awais Rashid, thanks so much for joining us. We're looking forward to having you on the show.

Dave Bittner: [00:14:29:22] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.