The CyberWire Daily Podcast 2.2.16
Ep 27 | 2.2.16

The CyberWire Daily Podcast 2.2.16


Dave Bittner: [00:00:03:17] German security services point to Russia as the culprit in last year's Bundestag hacks. SentinelOne continues to warn against black energy. The US Congress looks at the now closed juniper back-door and doesn't like what it thinks it sees. FireEye buys Invotus. Bell Aerospace acquires Wavefront. Quick Heal says it's ready for an IPO and Alert Logic says it'll be ready for its own next year. The cyber sector continues to watch the strange case of Norse. And finally, we take a look at the sorry wages of cyber crime.

Dave Bittner: [00:00:36:05] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at

Dave Bittner: [00:01:00:16] I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, February 2nd, 2016.

Dave Bittner: [00:01:06:22] The 2015 breaches of Bundestag systems in Berlin, so far unattributed, are looking more like a Russian operation. An anonymous source within the Russian security services told Spiegel that the attacks were quote, "Clearly attributable to a Russian military intelligence service," end quote. Deutsche Welle cites observers who think the deep game is destabilization of the European Union with the play-book taken from hybrid operations Russia has conducted against Ukraine. Cyber operations, exploitation of ex-patriot or ethnic, Russian sentiment, and so on.

Dave Bittner: [00:01:38:24] SentinelOne having completed, it says, reverse engineering the BlackEnergy 3 malware kit, wants everyone to pull their heads out of the sand. A company executive is quoted by the Voice of America as saying, "This is cyber warfare. We need to wake up and see that this is war." BlackEnergy still seems an espionage kit and the other observers wonder how it's implicated in what SentinelOne and others have called a widespread campaign aimed at disrupting utilities.

Dave Bittner: [00:02:05:09] Has BlackEnergy acquired some ability to manipulate control systems? This seems to most observers as doubtful. Or is it being used to harvest operator credentials? More investigation seems clearly in order.

Dave Bittner: [00:02:18:18] The US Congress is turning its attention to the possibility that the encryption issue in Juniper products, which Juniper closed last month, may have its roots in an NSA developed encryption algorithm, widely suspected of having been constructed with an intentional back door. If that turns out to be the case, it may represent a security own-goal. The US government is a big Juniper customer and the gear the Feds bought and used, apparently has a back door as big as anything sold to other customers.

Dave Bittner: [00:02:45:17] DDoS attacks have become, by many accounts, the single most common cyber assault on financial services enterprises. HSBC has recovered from last week's incident. But the trend looks like an enduring one. And not only banks are affected. The Elder Scrolls Online game reported a DDoS episode yesterday. Any enterprise that depends for it's business on maintaining high levels of internet access for its customers, is vulnerable to DDoS.

Dave Bittner: [00:03:10:12] Virtual private service provider Linode publishes a commendably forthright account of the attack it sustained at the end of December, including the lessons it learned in response. The motivations for DDoS are generally one of these three - hacktivists who disapprove of an enterprise or of some cause connected with an enterprise, often mount denial of service campaigns. Relatively easy and inexpensive to mount, DDoS ranks up with website defacements as a common hacktivist tactic. A second common motivation for denial or service attacks is extortion.

Dave Bittner: [00:03:41:11] In the early days of cyber crime, denial-of-service was used to hold online gambling sites up for ransom. And there's been some evidence that this form of criminal activity is enjoying an uptick.

Dave Bittner: [00:03:52:05] And finally, the third and in some ways the most sophisticated use of DDoS is as misdirection for some other more serious attack. If you can occupy incident responders with a big, noisy denial of service campaign, they may well overlook, for example, your quieter efforts to gain persistence in their network.

Dave Bittner: [00:04:07:14] In industry news, FireEye makes another acquisition. This time of automation shop, Invotus. This is thought to be a play that will improve incident response capabilities. Bell Aerospace enters the cyber security market with it's purchase of Wavefront. Quick Heal is said to be preparing for an IPO next week. And Alert Logic says it's using 2016 to prep going public next year.

Dave Bittner: [00:04:29:22] Norse Corporation’s main website is still dark. Although its DarkMatters news page and labs site were online today. Forbes comments on what had caused the chaos left for presumably former employees, quoting Norse's CTO as rather surprisingly saying he doesn't know whether they're still in business. Forbes also notes the investment KPMG Capital made in Norse this past autumn. And CSO offers what it calls a deconstruction of Norse reports on Iranian cyber operations. It sees such reporting as a cautionary tale of what can happen at the intersection of marketing and tendentious analysis.

Dave Bittner: [00:05:05:02] And we conclude with some news on trends from the cybercriminal Underground. With the big losses businesses report when they're hacked, aspiring cyber gangsters might imagine that cyber crime is a royal road to riches. But not so. As is usually the case, crime is less lucrative than fantasies of greed suggest. A Ponemon Institute study commissioned by Palo Alto Networks, paints a familiar picture of crooks taking the obvious lowball score, when they could really earn more money with an actual, legitimate job. The comparison with street drug sales is obvious. The retailer runs huge risks with very little prospect of reward. Not that we're encouraging IT departments to hire criminals, or for that matter, discouraging them, but really, you'd be much better off working at a help desk than trying to set up as a behoodied crime lord.

Dave Bittner: [00:05:50:22] The study suggests the typical cyber crook gets a bit less than $29,000 a year for an average of 705 hours of work. Granted the 705 hours isn't full time, but the pay is still not great.

Dave Bittner: [00:06:03:15] We're reminded of the scene in Donny Brasco where Pacino's character is trying to break open a parking meter to get at quarters. The wages are low and really you're going to break your parent's hearts.

Dave Bittner: [00:06:14:20] This CyberWire podcast is brought to you by the Digital Harbor Foundation. A non-profit that works with youth and educators to foster learning, creativity, productivity, and community through technology education. Learn more at Digital Harbor dot org.

Dave Bittner: [00:06:34:17] Joining me is John Petrik, editor of the CyberWire. John, let's talk hacktivism, it comes up in the CyberWire fairly regularly. So what is hacktivism?

John Patrick: [00:06:42:19] Well you know what hacking is, right? Well a hacker is someone looks for and exploits weaknesses in computer systems or networks and typically, someone who does it illegitimately or illegally. There can be white hat hackers who are legitimate, vulnerability researchers. And there can be black hat hackers. Usually when people say hacker they're typically talking about a black hat. So what's a hacktivist? There are all kinds of people who take action against computer systems and networks. They can be classified by their motivations. A state intelligence service might hack for purposes of espionage. A cyber criminal has obvious criminal motives. What are they doing? They're looking to steal identities, they're looking to steal money, they're looking to extort ransoms, things like that. A hacktivist is someone who isn't motivated by money and who's not directed by his state. A true hacktivist is motivated by political or religions or ideological considerations. That's a hacktivist.

Dave Bittner: [00:07:42:08] What's the general view of hacktivists? Are they looked at as being a force for good or bad, or does it depend?

John Patrick: [00:07:52:21] It depends on what you mean. And if you look around the world you'll see different cyber riots going on all the time. There's a lot of cyber rioting in South Asia and you see what people call patriotic hacktivism going on with people swapping hacks between Armenian and Azerbaijani.

Dave Bittner: [00:08:13:03] What is a cyber riot?

John Patrick: [00:08:15:20] A cyber riot is like a riot, but conducted in cyberspace. It's when you've got a lot of disorganized people running around, breaking things, looting, causing disorder. That's a riot. And a cyber riot is doing that in cyberspace. So if you've got a lot of people defacing websites, breaking into databases, things like that and they're not doing it for any kind of obvious criminal motivation or under any central state direction, that's probably a cyber riot. And it's blurry, because just as you have people who riot to protest or to break things, you've also got people who are running along behind the other rioters looting from stores. The same things happen in cyber rioting.

Dave Bittner: [00:09:03:14] John Petrik, editor of the CyberWire, thanks for joining us. We'll talk again soon.

Dave Bittner: [00:09:09:14] And that's the CyberWire. Happy Groundhog Day. We hear from Punxsutawney that Phil did not see his shadow. No shadow be cast and early spring is forecast. Or something like that. At any rate cheers to all of you up on gobblers knob. For links to all of today’s stories, along with interviews, our glossary and more, visit the CyberWire dot com. If you enjoy the CyberWire podcast please go on iTunes and review the show. It really does make a difference and helps us spread the word. Thanks.

Dave Bittner: [00:09:37:17] CyberWire podcast is produced by CyberPoint International and our editor is John Petrik. Thanks for listening.