The CyberWire Daily Podcast 12.6.16
Ep 239 | 12.6.16

State-directed cyberattacks in the 2017 forecast. Tenable's Cybersecurity Assurance Report Card. DDoS and ransomware notes. Content filtering in social media. Connected toys too curious.


Dave Bittner: [00:00:03:14] More state hacking is in the forecast for 2017 and Pyongyang seems to have a head start. A new DDoS botnet rivals Mirai. Ransomware notes. Android users are advised to stick with Google Play and so avoid Gooligan. Content filtering in social media. Tenable talks about its cybersecurity report card and more connected toys seem to be far too curious about those who play with them.

Dave Bittner: [00:00:32:13] Time for a message from our sponsor Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning, but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve, but your costs will drop and that's a good deal in anyone's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at Netsparker dot com. And check this out, you can try it out for free with no strings attached. Go to Netsparker dot com slash cyberwire for a 30 day fully functional version of Netsparker Desktop. And by fully functional we mean, yes really, really, actually, truly fully functional. Scan the websites with no obligation. That's Netsparker dot com slash cyberwire and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:43:11] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, December 6th, 2016.

Dave Bittner: [00:01:50:02] Observers at FireEye and elsewhere take a look at 2017 and predict more state-directed cyberattacks. Some of them are thought, on track record alone, to already be in progress, but still undiscovered. The usual suspects and objectives are invoked: Russian surveillance and information operations, Chinese industrial espionage, nor should the Democratic People's Republic of Korea be forgotten. The Yonhap News Agency reports that a South Korean military intranet has sustained a North Korean-directed malware infestation. Seoul's Ministry of Defense acknowledged finding the malicious code in one of its cyber command networks.

Dave Bittner: [00:02:26:23] As we mentioned on yesterday's show, Tenable Network Security published their global cyber security assurance report card for 2017, which measures the attitudes and perception of enterprise IT security practitioners around the world. Cris Thomas is a strategist with Tenable.

Cris Thomas: [00:02:42:07] It's interesting, we want to be able to try to go out there and talk to people who are actually in the trenches, the cyber security professional, and say, "Hey, what are your feelings about your organization's ability to determine your risk level in these various areas?" And so we've asked a bunch of people what their thoughts are, we've combined those results together and then assigned, not only each area a letter grade, but also each country and each industry vertical, so that we can sort of get a picture of where things might be good and where things might not be so good.

Dave Bittner: [00:03:17:03] So, take me through some of the key findings?

Cris Thomas: [00:03:19:18] Unfortunately, most of the key findings are not happy, if you will. In risk assessment we have an overall falling of a score by 12 percentage points and organizations' ability to assess their risks has gotten worse this year over last. Cloud environments are still showing a very difficult time for people, despite how long we've been working with cloud. We saw a seven point drop in cloud. Mobile is not doing well at all. We've gone from 65 percent, a D, to an F, a failing grade in mobile and, you know, we have DevOps and containers on top of that, and so we added those to the survey this year, but they did not get that great of a score, as you can possibly imagine.

Dave Bittner: [00:04:06:03] When you look at the numbers, when you look at the findings, what do you think is driving these decreases in confidence?

Cris Thomas: [00:04:13:15] That's a good question. I think I was kind of surprised to see basically a drop on almost all the grades across the board, whether that is mobile or cloud or whether it's Europe or United States or Australia or education or government or retail. Just about everything we looked at, the numbers dropped, and why that is, is a good question. I had hoped from last year that we're getting better at our jobs, we're doing better things, we've learned more stuff, our numbers should increase this year, at least a little bit, but there are very few aspects, very few areas that we actually saw increases. So, why did everything decrease? I think possibly, again, we're looking at people's perceptions of their organization's abilities. It's really hard to get definitive metrics in some of the questions that we're asking, so a lot of this comes down to how you feel about your organization's ability to do their job.

Cris Thomas: [00:05:10:16] And so, if you're hit over and over and over again by these massive news reports of these massive breaches, the OPM data breach, the Target data breach, you have all the election stuff that happened this year and you're seeing all this negativity in the news, you may get a little downbeat and a little discouraged and think, "Well gee, maybe we're not as good at our job as we thought we were," or maybe our technology's better now and so we actually have some numbers to say, "Hey, you know, we're not doing as good as we thought and so we have to assess ourselves at a slightly lower grade."

Dave Bittner: [00:05:42:10] Were there any bright spots in the report?

Cris Thomas: [00:05:44:17] Yes, there were a couple of bright spots. The biggest one, for me, was one of the final questions that we asked, and it was just kind of a - I don't want to say a gimme - but we asked everybody what their overall perception was of their security from this year to last year. Compared to this time last year, do you feel more optimistic or pessimistic about your organization's ability to defend itself against cyber attacks? Now, this is a question we asked last year also, but this year we have almost 90 percent, over 90 percent of the people who feel either the same or better about their organization's ability, about being optimistic about the future and I think yes, that's interesting.

Dave Bittner: [00:06:26:15] That is interesting, isn't it?

Cris Thomas: [00:06:28:12] You have all this pessimism and all these bad grades and, "Oh no, we're bad at this, we're bad at that, we're bad at this, but, oh look, next year we're going to be better. We're going to have a positive attitude and we're going to go out there and we're going to be awesome defenders." Because as a defender, the news is almost always bad, because somebody is always getting breached and you read about it in the news and you're always trying to fight off the bad guys and yet, despite all this bad news that's out there, we're maintaining a positive attitude and, to me, I think that's better than half the battle.

Dave Bittner: [00:06:57:22] That's Cris Thomas from Tenable Network Security. He's known online as Space Rogue.

Dave Bittner: [00:07:03:01] The global cyber security assurance report card is available on Tenable's website.

Dave Bittner: [00:07:09:08] Mirai appears to have a competitor in the distributed denial-of-service market. Web performance and security company CloudFlare has reported that a new, so far unnamed, botnet began executing attacks on November 23rd. It ran on a predictable schedule: eight hours a day for seven days, beginning at 10:00 am Pacific Standard Time. On the eighth day, the attack switched to 24 hours, reaching a peak volume of 400 gigabits per second. For comparison, Mirai has hit 620 gigabits per second. It's unclear what kind of bots it's comprised of. It may or may not be an IoT botnet. Attacks seem to have originated with Chinese IP addresses and to have targeted servers in California. CloudFlare thinks the targets were "gaming and virtual goods sites and services." What the motive might be is also obscure, but gaming and virtual markets are, of course, particularly sensitive to disruption.

Dave Bittner: [00:08:04:08] Ransomware also tends to hit enterprises that depend upon high online availability, which is one reason so many health care providers have been victims. Locky ransomware operators have shifted to dot osiris extensions in malicious code being spread by bogus Excel invoices. No decryption is yet available, so secure, regular backup is the best preparation for recovery.

Dave Bittner: [00:08:28:00] Globe2 ransomware is implicated in successful attacks on British hospitals that disrupted patient services. Three hospitals were affected by the disruption of systems in the North Lincolnshire and Goole NHS Foundation Trust. Some 2800 patient appointments were canceled. Investigators either don't know or are not saying how the attack was accomplished.

Dave Bittner: [00:08:50:12] Ransomware exacts opportunity costs from its victims. San Francisco's Muni light rail estimates it lost some $50,000 in fares during the attack. That's $75,000 less than the ransom Muni refused to pay, but it still hurts.

Dave Bittner: [00:09:06:21] Android users should remain wary of Gooligan malware, which continues to romp in the wild. Many observers are noting that its vectors are malicious apps the victims download from sources outside Google Play. So in this case, please, stay inside the walled garden.

Dave Bittner: [00:09:23:04] Social media companies and sites continue to grapple with content filtering. Counter-trolling seems unsuccessful. Control of terrorist imagery remains a work in progress, but is proceeding along lines followed to exclude child porn from networks.

Dave Bittner: [00:09:39:03] Finally, as you shop for children over the holidays, remember to exercise due diligence. Some tablets being marketed as offering child-safe searches have been shown to be easily susceptible to workarounds. For example, a simple browser search may not take the children to inappropriate content, but Google Translate may provide an unintentional workaround, and you'd also do well to be suspicious of connected toys. "My Friend Cayla" and "I-Que Intelligent Robot," both basically dolls, and both made by Genesis Toys, have been complained about to the Federal Trade Commission and other regulatory bodies. They're alleged to be collecting and reporting way too much information about the kids who play with them. Come on, toy makers, can you try not to put Chucky under the Christmas tree?

Dave Bittner: [00:10:29:22] Time for a message from our sponsor Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future Cyber Daily and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to Recorded Future dot com slash intel and subscribe for free threat intelligence updates from Recorded Future. That's Recorded Future dot com slash intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:23:01] And joining me once again is Professor Awais Rashid. He heads the Academic Center of Excellence in Cyber Security Research at Lancaster University. Professor, I know today you wanted to tell us a little bit about cyber security and critical national infrastructure.

Professor Awais Rashid: [00:11:37:19] Yes, thank you for that. The security of regular information systems is very much in the news. These days we hear of large scale breaches, often of credit card theft, financial theft, online, but equally, we are increasingly seeing cyber attacks against critical national infrastructure. These are the things that we see as fundamental to the daily functioning of society. Things like power plants, water treatment facilities, your energy supply systems, and you'd be surprised how many of them are potentially open to cyber attacks. The reason for this is that a lot of these systems were designed without actually having security in mind. 20/30 years ago, when these systems were designed, they were designed based on proprietary protocols. They were often closed systems with little connectivity to the Internet and you needed very specialist knowledge to actually work with these systems. As our systems have become more and more connected, these systems are also connected to other systems within organizations and also potentially to the Internet and, as a result, given that they weren't designed with security in mind, there are often quite a lot of vulnerabilities in them and we are seeing increasing incidents.

Professor Awais Rashid: [00:12:52:12] There was a fairly well known incident of a German steel mill where a furnace was destroyed as a result of a cyber attack that escalated and got out of hand. Similarly, we saw the cyber attack on the Ukraine power grid more recently. And, of course, there are more high profile attacks that we know historically, such as the Maroochy water services, almost now 10/15 years ago, as well as Stuxnet, which destroyed the centrifuges in Iran's nuclear facilities. So, the problem we actually have is that these infrastructures are increasingly connected to the Internet. There have been studies done through the search engine Shodan that showed that a lot of these facilities are connected to the Internet, yet they are highly vulnerable to a number of what I would call fairly basic cyber attacks and that's an area we look at very closely in terms of securing such systems. The key issue is that these attacks don't often require you to be very sophisticated. The entry level to attack cyber physical systems such as an industrial control system, which is prevalent in critical national infrastructures, is actually quite low. Yes, you need to know a little bit about how these systems work, but in the end, the underlying protocols and the systems that are in deployment are often so vulnerable that you don't really need to be a highly sophisticated attacker to actually breach these systems.

Dave Bittner: [00:14:24:11] Awais Rashid, thanks for joining us.

Dave Bittner: [00:14:28:16] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire dot com. Thanks to all of our sponsors, who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.