The CyberWire Daily Podcast 12.19.16
Ep 248 | 12.19.16

ShadowBrokers update. More consequences of the Yahoo! breach. Other sites suffer data compromises. US investigations of, plans for retaliation against, Russian influence operations proceed.


Dave Bittner: [00:00:03:22] The ShadowBrokers stock their discount rack with Equation Group bargains. Yahoo's data breach attracts regulatory investor and due-diligence scrutiny. Yahoo's stolen data is also being offered for sale on the dark web. US investigation of Russian election influence operations continues, and the US says, it's planning some sort of retaliation.

Dave Bittner: [00:00:30:02] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's cyber daily. We look at it. The CyberWire staff subscribes and consults it every day. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. We'll bet that, however many you have, you haven't got enough.

Dave Bittner: [00:00:53:03] Recorded Future does the hard work for you, by automatically collecting and organizing the entire web, to identify new vulnerabilities and emerging threat indicators. Sign up for the cyber daily email to get the top trending technical indicators crossing the web; cyber news targeted industries; threat actors; exploited vulnerabilities; malware; and suspicious IP addresses.

Dave Bittner: [00:01:13:10] Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:38:05] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday December 19th, 2016.

Dave Bittner: [00:01:45:01] Having had small success with the auction they've been trying to run since this past summer, the ShadowBrokers have now put the Equation Group code they've obtained on their discount ZeroNet retail shelf. The code could, if purchased or released, afford various bad actors newly commodified modes of attack.

Dave Bittner: [00:02:03:18] Stolen Yahoo data has now appeared for sale on the dark web. It's initially priced around $300,000, which is on the high side for a data breach, but perhaps not overpriced, given the sheer reach and volume of the stolen material. Observers note the data is valuable for either criminal or espionage purposes: fraud or compromise.

Dave Bittner: [00:02:23:18] The former motive, fraud, has appeared and continues to appear in other breaches committed by organized cyber crime. The latter motive, traditionally operating in intelligence services, can be seen behind earlier enormous breaches, like the one achieved at the US Office of Personnel Management. The two markets also touch one another, with criminals sometimes selling to security and intelligence services, and the services sometimes making use of criminal organizations.

Dave Bittner: [00:02:50:11] Looking at the consequences of the Yahoo breach in the marketplace, Yahoo itself faces growing hostile scrutiny from both regulators and investors. The US Securities and Exchange Commission is said to be looking into the breach, as are Information Commissioners in Ireland and the United Kingdom.

Dave Bittner: [00:03:07:02] The company's stock price has taken its foreseeable hit, and there are multiple reports that Verizon is reconsidering its planned acquisition of Yahoo's core assets. The US telecoms giant may back out entirely; at the very least, it seems likely Verizon will expect a steep discount in the ultimate purchase price.

Dave Bittner: [00:03:26:10] Some other notable compromises came to light late last week and over the weekend; although they do seem small potatoes compared to the unfortunate standard set by the Yahoo incident. Turkey's Akbank was targeted via its SWIFT money transfer interface. The bank may be liable for up to $4 million; but it says that no customer information was compromised. It also says that its losses should be covered by insurance.

Dave Bittner: [00:03:51:08] The financial firm Ameriprise inadvertently exposed customer accounts on an Internet-connected back-up drive. LinkedIn has reset 55,000 passwords on its online learning platform. Sports site Bleacher Report suffered exposure of an undisclosed number of user accounts in a November hack. Fitness company PayAsUGym sustained a compromise of some 300,000 customers' data, and successful phishing of more than 100 Los Angeles County Government employees may have exposed more than three quarters of a million citizens' information.

Dave Bittner: [00:04:27:23] Distributed denial-of-service also remains with us. The skids at Phantom Squad have hit servers for the popular online game Battlefield One. Expect more of the same as people try out games they receive over Christmas. This is what counts as lulz for a few hackerweight of bad actors.

Dave Bittner: [00:04:47:11] The US Election Assistance Commission continues to work with security and law enforcement agencies to investigate the compromise it sustained over the past year. Recorded Future connected a known criminal, Rasputin, to the caper. Rasputin is selling a SQL exploit, derived from the hack, on the dark web.

Dave Bittner: [00:05:05:22] Investigation of Russian hacking of US elections continues; now also goaded on by bipartisan Congressional attention. The issues roughly are these. First, few seriously doubt that Russian intelligence services compromised the Democratic National Committee and also made attempts, with mixed success, on the Republicans.

Dave Bittner: [00:05:25:03] Second, there's a general consensus that the disconnected, state-run elections in the US system were effectively out of reach of direct foreign manipulation. The Election Assistance Commission hack isn't countervailing evidence. That small agency is a voluntary standard-setting and advisory body and does not run voting.

Dave Bittner: [00:05:43:12] Third and most interestingly, how WikiLeaks actually received the emails perceived as so damaging to the Clinton campaign, remains less clear. As recently as November 17th, US Director of National Intelligence, James Clapper, told the House Intelligence Committee that, as highly confident as the intelligence community is that Russian services successfully compromised the DNC, "as far as the WikiLeaks connection, the evidence there is not as strong, and we don't have good insight into the sequencing of the releases, or when the data may have been provided. We don't have as good insight into that."

Dave Bittner: [00:06:19:15] Theories as to how WikiLeaks got the emails include: they got them from the Russian Security Services – WikiLeaks explicitly denies this; they got them from a group that was fronting for Russian Security Services; they hacked into the DNC themselves – this is mostly journalistic a priori speculation; or they got them from a disgruntled DNC insider – reports alleging this generally point to a disgruntled supporter of Senator Sanders' failed campaign for the Democratic nomination. In any case, investigation proceeds.

Dave Bittner: [00:06:53:16] As far as the Cozy Bear and Fancy Bear intrusions into the DNC are concerned, the best guess is that they were accomplished through phishing. Indeed, last week someone involved in DNC network security attributed the successful compromise to his own mistyped instructions. Such highly targeted phishing, spearphishing, whale phishing, is expected to continue into 2017 because, well, it works.

Dave Bittner: [00:07:18:01] This past year's Verizon data breach report concluded that about 30% of phishing messages are opened by the mark less than four minutes after receipt.

Dave Bittner: [00:07:27:01] The CyberWire heard from Plixer CEO Mike Patterson on the risk of phishing and what can be done to mitigate it. He advises testing and anomaly detection. "All organizations should continually test employees by sending phishing attacks to internal users. These test emails alert security teams about employees who clicked a link thinking it was safe, when they should have deleted the message.

Dave Bittner: [00:07:49:00] Security teams should also use NetFlow to baseline end user behaviors, and trigger for abnormal traffic patterns, like a jump in the transfer of data. If security isn't monitoring for these types of behaviors, they can slip right past defenses."

Dave Bittner: [00:08:05:00] Detailed attribution of the DNC incidents, suitable for, say, an indictment, is of course different from a well-founded intelligence conclusion and here, US authorities have been explicit and forthcoming. They see the activities of Fancy Bear and Cozy Bear, as the GRU and FSB have come to be known in cyberspace, as a direct Russian influence operation intended to influence the US election.

Dave Bittner: [00:08:29:16] US President Obama, in the last month of his presidency, faces growing pressure to do something. He's indicated that he intends to and that the response will be proportional. There's no shortage of experts weighing in on what proportional ought to mean, with many of them suggesting that some goose sauce, in the form of transparency, be ladled back onto Mr. Putin and his senior colleagues in the Russian Government.

Dave Bittner: [00:08:59:08] Time to take a moment to tell you a little bit more about today's sponsor, Recorded Future. I know you've heard of Recorded Future; I talked about them earlier in today's show. The real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insights into emerging threats.

Dave Bittner: [00:09:17:05] We subscribe to and read their cyber daily; they do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization.

Dave Bittner: [00:09:26:18] Sign up for the cyber daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news; targeted industries; threat actors; exploited vulnerabilities; malware; and suspicious IP addresses.

Dave Bittner: [00:09:39:11] Subscribe today and stay ahead of the cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. That's We thank Recorded Future for sponsoring today's show.

Dave Bittner: [00:10:03:22] Joining us once again is Yisroel Mirsky. He's a Researcher and Project Manager at the Cyber Security Research Center at Ben-Gurion University. Yisroel, you've been doing some research on some vulnerabilities with the 911 system, the emergency response system. What can you tell us about that?

Yisroel Mirsky: [00:10:20:12] Sure. A little bit of background first. The emergency response system, i.e., the 911 services, has saved countless lives since it was implemented in 1968 and the system has since evolved into what's referred to as the E-911 system, which is the Enhanced 911 system.

Yisroel Mirsky: [00:10:38:12] The Enhanced 911 system enables police, fire and medical service to be reachable from a single network. It's a kind of separate, private network from the telephony network, but bridged over. So when you dial 911, it routes your call directly to this emergency services network.

Yisroel Mirsky: [00:10:53:14] But the real issue is that, unfortunately, the E-911 system is a circuit-switched system, which means that, unlike the Internet, which is packet switched and can bring over a large amount of data very efficiently, circuit-switched systems are resource limited. In other words, when you make a call, it ties up the entire line.

Yisroel Mirsky: [00:11:13:06] This is a serious problem because, there's a certain kind of denial-of-service attack, called a DDoS attack, in which the attacker makes continuous calls to the service, in other words the call center, and ties up all the lines, thus denying service to legitimate callers.

Yisroel Mirsky: [00:11:30:17] We performed extensive simulations on models of the United States' existing E-911 infrastructure, and we found that it would only take about 6,000 affected smartphones to effectively DDoS the State of North Carolina, or approximately 0.0006% of the US population to DDoS the entire country.

Yisroel Mirsky: [00:11:51:22] We shared this information with the US Department of Homeland Defense, which then in turn shared it with NENA, which is the National Emergency Number Association, and their response pretty much said that we are pretty optimistic. In other words, they feel that the situation's more dire than we expected.

Yisroel Mirsky: [00:12:11:24] You know, it may even sound like fiction, but a few months ago, right after our publication, a man from Arizona posted a link on Twitter which caused iPhones to repeatedly dial 911, and thousands of people who clicked this link caused DDoSes across the nation.

Yisroel Mirsky: [00:12:28:02] To make it seem even more serious, we found another attack, a variant of the malware, in our labs with Mordechai Guri and Professor Yuval Elovici, a version of the malware that is unblockable. Basically what it does is, it hides its network identifier from the network, or basically randomizes it, thus preventing it from being blacklisted or blocked at the entry to the network, or at the call centers themselves.

Yisroel Mirsky: [00:12:58:03] We published all sorts of different countermeasures of how to possibly try and mitigate this kind of threat; but we're still actively looking for a better solution, perhaps when the next generation 911 system is being deployed.

Dave Bittner: [00:13:12:15] Are there any plans on the horizon to update the 911 system, so it wouldn't be vulnerable to these sorts of attacks?

Yisroel Mirsky: [00:13:18:14] Well the main issue is that, at least the more severe kind of malware variant relies on the fact that the FCC put out a ruling that all calls, whether they have an identifier or not, be forwarded to the nearest call center in case of emergency. This is a very useful feature because you have families, or victims of abuse who have these kinds of freephones, that have no identifiers within them and they can place calls to abuse hotlines to request help.

Yisroel Mirsky: [00:13:52:01] They have to basically make a decision. Either they have to block all these NSI calls and therefore stop the service and try and find some other solution; or they have to enable it and thus allow the possibility that anybody can try and call without an identifier on the network and place a 911 call. It's kind of like the case where your phone hasn't quite registered on the network yet, or doesn't have a SIM card in yet, yet it can still place 911 calls. That kind of idea, but a little more advanced.

Dave Bittner: [00:14:21:20] Yisroel Mirsky, thanks for joining us.

Dave Bittner: [00:14:26:04] That's the CyberWire. For links to all of today's stories, along with the interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.