The CyberWire Daily Podcast 12.15.16
Ep 246 | 12.15.16

Yahoo's big breach—industry reactions. Spyware circulates in the wild. Investigation of election hacking continues. Hacktivism and "faketivism." The ShadowBrokers are back.


Dave Bittner: [00:00:03:20] Yahoo discloses a record-setting breach; over a billion customer accounts are affected. Microsoft reports finding FinFisher-like spyware in the wild. US investigation of Russian election hacking continues. The case for and against Fancy Bear is being made by observers, but the intelligence community says it will keep its conclusions to itself until the investigation is complete. ThreatConnect describes faketivism, and the ShadowBrokers are back and their broken English hasn't gotten more convincing.

Dave Bittner: [00:00:37:14] Time for a message from our sponsor, Netsparker. Are you still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time and money and improve security with their automated solution.

Dave Bittner: [00:00:50:20] How many sites do you visit and, therefore, scan that are password protected? With most other security products, you've got to record a log-in macro; but not with Netsparker. Just specify the username, the password and the URL of the login page and the scanner will figure out everything else.

Dave Bittner: [00:01:05:23] Visit to learn more and, if you want to try it for yourself, you can do that too. Go to for a free 30 day fully functional trial version of Netsparker Desktop. Scan your websites and let Netsparker show you how easy they make it. We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:36:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday December 15th, 2016.

Dave Bittner: [00:01:42:11] Late yesterday, Yahoo disclosed that the company was breached in August 2013 with more than a billion customer accounts compromised.

Dave Bittner: [00:01:50:14] This incident is said to be distinct from the breach disclosed in September of this year, and that earlier breach affected 500 million customers. "The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords using MD5 and, in some cases, encrypted, or unencrypted security questions and answers." That's the official statement from Yahoo.

Dave Bittner: [00:02:15:22] This incident is regarded as being the largest breach on record, in terms of the number of individuals affected.

Dave Bittner: [00:02:22:10] The company's investigation concluded that an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. The company has not been able to identify the intrusion associated with the theft, but believes this incident is distinct from the one the company disclosed on September 22nd of this year.

Dave Bittner: [00:02:42:03] Yahoo also reports that an unauthorized third party accessed Yahoo proprietary code to forge cookies and that this third party seems to be connected to the unnamed state-sponsored actor Yahoo believes is responsible for the breach the company reported in September.

Dave Bittner: [00:02:59:01] The company doesn't know how the breach was accomplished, but does believe the culprits were state-sponsored. Who that sponsoring state might be remains unspecified. Other observers who've looked into the matter – notably the security firm InfoArmor, which investigated the earlier breach – take issue with that conclusion, saying the breaches look like the work of criminals, albeit, criminals who may have had nation states among their customers.

Dave Bittner: [00:03:24:00] Yahoo says it's working with appropriate law enforcement agencies and that it's notifying affected customers. Observers expect this latest breach disclosure to affect Verizon's planned acquisition of Yahoo's core assets.

Dave Bittner: [00:03:37:16] Security industry experts have weighed in with their views on what happened and how such attacks might be prevented, or mitigated. We'll talk a bit later with the CyberWire's Editor, John Petrik, who'll give us an overview of some of these reactions.

Dave Bittner: [00:03:50:13] Microsoft reports finding FinFisher-like spyware in APTs on European and Turkish systems. FinFisher is a controversial lawful intercept tool that's been connected with surveillance by various repressive regimes.

Dave Bittner: [00:04:05:13] US investigation of Russian election hacking continues. The Department of Homeland Security says the vote wasn't manipulated, and many observers have read this as contradicting assertions by the CIA that Russian operators did indeed seek to influence the election. In fact, however, they're talking about two different kinds of hacking.

Dave Bittner: [00:04:25:10] Homeland Security is saying that the vote count itself wasn't interfered with, that there's no evidence that voting machines, or vote tallying were compromised.

Dave Bittner: [00:04:34:00] The CIA's claims referred to the doxing that released various discreditable emails from senior figures in the Democratic Party and the Clinton campaign. This was election hacking, if you will, but hacking in the service of influence operations, not vote fraud. The intelligence community is investigating this apparent Russian activity and says it will have little further comment until the investigation is complete.

Dave Bittner: [00:04:58:19] The Intercept has a useful skeptical rundown of the case against the Russian intelligence services. They acknowledge that there's plenty of circumstantial evidence that Cozy Bear and Fancy Bear indeed took an interest in the US Presidential Election. But they argue that such evidence would fall short of what an indictment would require.

Dave Bittner: [00:05:17:04] The threat intelligence firm ThreatConnect offers an account of how influence operations are likely to work in practice. Such operations commonly involve false flags and front identities long familiar in covert operations.

Dave Bittner: [00:05:30:13] ThreatConnect has concluded that Fancy Bear, the Russian intelligence agency known as the GRU, uses these faketivist fronts in its work: CyberCaliphate, fake ISIS sympathizers; CyberBerkut, fake Russian sympathizing Ukrainian separatists; Guccifer 2.0, a bogus homage to the well-known Romanian hackers; DCLeaks, a phony WikiLeaks sub-project; and AnPoland, which purports to represent the Polish branch of the anonymous collective.

Dave Bittner: [00:06:01:10] The ShadowBrokers, the hacktivists or faktivists – you can take your pick, since there seems something fishy about them however you cut it – who have been trying since the summer to auction off what they claim plausibly to be Equation Group attack code, resurfaced this week. They're reconsidering their sales model, giving up on the auction and returning to retail. A site has come to light that's now offering Equation Group tools for sale to all comers. No word yet on how sales are going.

Dave Bittner: [00:06:29:15] Part of what renders the ShadowBrokers' story less than fully convincing is the screenwriter's broken English they affect in their communiques. They're again chatting with Motherboard and still sounding like the syllable-chewing crocodiles in the Pearls Before Swine comic strip. Here's a sample in which they, sort of, explain what they're up to.

Dave Bittner: [00:06:48:03] "The ShadowBrokers is not being irresponsible criminals. The ShadowBrokers is opportunists. The ShadowBrokers is giving responsible parties opportunity to making things right. They choosing no; not very responsible parties. The ShadowBrokers is deserving reward for taking risks, so ask for money. Risk is not being free. Behavior is obfuscation, no deception."

Dave Bittner: [00:07:13:22] Take that NSA, or whoever the responsible parties are. Oh, and one more thing, as Columbo would have put it, "The ShadowBrokers is not commenting on operation details, is bad opsec."

Dave Bittner: [00:07:26:17] Words to live by, kids. We'd never be in favor of bad opsec; unless, of course, you're a bad guy. In that case, be as sloppy as you want to be.

Dave Bittner: [00:07:39:16] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cyber security analysts unmatched insights into emerging threats.

Dave Bittner: [00:07:54:05] We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's cyber daily email, to get the top trending technical indicators crossing the web: cyber news; targeted industries; threat actors; exploited vulnerabilities; malware; and suspicious IP addresses.

Dave Bittner: [00:08:09:04] Subscribe today and stay ahead of the cyber attacks. They watch the web, so you have time to think and make the best decisions possible for your enterprise's security. Go to, to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:08:38:12] Joining me once again is John Petrik. He's the Editor of the CyberWire. John, we've received a lot of commentary from people around the cyber security industry on this Yahoo breach. Give us a rundown, what are people saying about it?

John Petrik: [00:08:50:18] Yes, we have heard a lot. We'll start with what Yahoo itself has said, and their statement's worth quoting at a little bit of length. Yahoo said late yesterday, "For potentially affected accounts, the stolen user account information may have included names; email addresses; telephone numbers; dates of birth; hashed passwords, using MD5; and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text; payment card data; or bank account information. Payment card data and bank account information are not stored in the system that the company believes was affected."

Dave Bittner: [00:09:30:14] The revelation that, perhaps, security questions were breached, that's of particular interest.

John Petrik: [00:09:36:11] It is interesting. For example, we heard from STEALTHbits Technologies, who pointed out that these kinds of questions tend to get used for multiple sites and, in fact, the information that is embodied in the questions and their answers is difficult to change.

John Petrik: [00:09:51:01] Assuming that you're telling the truth in answer to these questions, you're never going to have a different kindergarten teacher; your first pet is never going to have a different name, he's always going to be Rover. The first car you owned is not going to change. A number of people are saying that this is another reason to move away from the password security question system towards forms of multi-factor authentication that need to be more widely adopted. That's the kind of feedback we're hearing on that.

Dave Bittner: [00:10:20:17] What about attribution? What are people saying, you know, in this case whodunit?

John Petrik: [00:10:25:15] Well, that's interesting. Yahoo have been talking a lot about state-sponsored actors, without specifying the state who did it. You know, a priori probability says, who are the state-sponsored actors who would do this kind of thing? Everybody's going to assume Russia, China and North Korea. But it's not clear that that's really the case.

John Petrik: [00:10:46:06] InfoArmor – who investigated at some length the earlier breach that Yahoo acknowledged back in September of this year – told us that that's Yahoo's theory, but they're not convinced that's the case. They thought that the earlier breach was committed by a criminal group, and they're calling it Group E. They say they're Eastern European Black Hats; so think a kind of cyber mob. And they're stealing it for all the kinds of reasons that criminals steal these kinds of credentials.

John Petrik: [00:11:15:02] InfoArmor does say that Group E may well have customers who include nation states, but that they think the actual hacking was probably done by this criminal group. And remember that attribution is always circumstantial, so this ought to be taken with an appropriate degree of skepticism. But they do seem to have a point about that.

John Petrik: [00:11:37:01] There are some gray areas in the distinction between criminal groups and state actors. Last year, at the Johns Hopkins Senior Executive Cyber Security Conference, we heard the US Cyber Defense Advisor to NATO, Curtis Levinson, talk about this very thing. People were asking him, well, you talk about Russian hacking, Russian activity; how much of this is the Russian Government and how much of this is criminal mobs?

John Petrik: [00:12:06:05] You know, he went on at some length, and clearly enjoyed doing so, to talk about Russia being a criminal nation. You know, "Czar Putin is kept in power by criminals," is how he put it. His point is that the Russian Government frequently does make use of and tolerates criminal hacking activity because they can exploit this for intelligence purposes. The distinction between criminal gang and state actor may not necessarily be all that clear.

Dave Bittner: [00:12:37:15] In terms of recommendations, if you are someone who had a Yahoo account, what are people saying you should do?

John Petrik: [00:12:43:14] Well, we've got a to-do list from WinPatrol. They said, before you delete the account, delete all emails and folders, enter invalid information for security questions, then delete the account. They told us they recommend that because, when you remove accounts, they've sometimes seen that they're truly not deactivated, and this might be why there are as many as a billion accounts that were compromised.

John Petrik: [00:13:07:15] They also say, obviously, if you've used the same password on any other site, change it. Don't reuse Yahoo passwords. If you've used the same security questions on other sites, change the answers. Never reuse the answer to a security question. If and when the next hack occurs, you don't want your answers to be used against you.

John Petrik: [00:13:28:20] If you associate your mobile phone number with your Yahoo account, WinPatrol says beware: you may become a target of smishers, those mobile phishing attacks we hear about. They recommend that you ensure your security software is up to date and capable of blocking attacks, so it's the good common digital hygiene advice that we hear so often from people.

Dave Bittner: [00:13:47:15] Alright, John Petrik, Editor of the CyberWire, thanks for joining us.

Dave Bittner: [00:13:53:15] That's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible and, if you consider the CyberWire podcast a valuable part of your day, we hope you'll take the time to write a review on iTunes. It really does help people find the show.

Dave Bittner: [00:14:11:17] The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. I've got a movie to catch, may the force be with you.