The CyberWire Daily Podcast 12.30.15
Dave Bittner: [00:00:03:07] A look at ISIS online community, possibilities and limitations of social media as sources of intelligence. Microsoft addresses Flash Player issues in IE and Edge. National cyber laws and policies considered and industry analysts forecast a very big 2016 for cyber security. This CyberWire Podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.
Dave Bittner: [00:00:45:15] I'm Dave Bittner in Baltimore with your CyberWire Summary for Wednesday, December 30th, 2015. Officials in the US and UK continue to warn of ISIS intentions to attack critical infrastructure, even as they deprecate the caliphate's technical capabilities to do so. ISIS remains far more active in social media than elsewhere in the cyber domain. War on the Rocks has an account of ISIS Twitter usage. It's the familiar story of a factitious community's appeal to the disaffected. Recruits find fellowship and transcendence as they are drawn into ISIS chatter. Prosecutions of ISIS adherents in London and Texas highlight both the possibilities and limitations of monitoring social media for clues to terrorist activity. Such monitoring is proving useful in investigation and prosecution, but when authorities attempt prediction, the signal-to-noise ratio is frustratingly low.
Dave Bittner: [00:01:38:13] New accounts of US intelligence collection against foreign targets appear. The most recent cases under discussion involve monitoring Israeli official communications during nuclear negotiations with Iran. The operations are said to have had collateral collection of US parties to electronic conversations, notably some members of Congress, as their side effect. The Wall Street Journal provides historical context, describing Cold War rules that continue to govern aspects of foreign intelligence collection.
Dave Bittner: [00:02:06:03] Windows 10's recovery feature sends user encryption keys back to Microsoft. Several observers offer suggestions for working around what's generally unwelcome functionality.
Dave Bittner: [00:02:17:00] Devotees of Apple mobile devices continue to enjoy the safety of the company's App Store, but some users are bypassing those protections, even with non-jailbroken iOS devices, downloading unvetted apps from rogue marketplaces using what Proofpoint calls DarkSideLoaders.
Dave Bittner: [00:02:34:01] Microsoft has issued an emergency advisory for Edge and Internet Explorer that addresses vulnerabilities recently discovered in Adobe Flash Player.
Dave Bittner: [00:02:42:14] In industry news, FBR Capital forecasts very high demand for cyber security products and services in 2016. It also foresees a wave of mergers and acquisitions in the sector. US cyber legislation remains controversial as its implications are digested. India deliberates information sharing and Internet sovereignty. Businesses worldwide consider the effects of China's new security laws, but when it comes to baked-in surveillance, no government on Earth can hold a candle to North Korea's Red Star operating system.
Dave Bittner: [00:03:15:22] This CyberWire Podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.
Dave Bittner: [00:03:36:08] Joining me now is Andre Protas. He's the Technical Director of the Security Research Team at CyberPoint International. Andre, I want to talk about DDoS attacks, so let's just start with the basics. What does DDoS stand for and how do I know if a DDoS attack is happening?
Andre Protas: [00:03:53:16] Distributed denial of service. Generally a DDoS attack is when multiple nodes will attack one single node and try to exhaust that node's resources. So that exhaustion can be either a memory or resource exhaustion, so doing a lot of requests for the same web page that might take a long time to load, or it might just be simple bandwidth exhaustion. And the idea of the DDoS is that it's coming from so many different IP addresses in different locations that you can't just simply block one IP address and not have the attack continue. Because it comes from a lot of different locations, it's kind of like a death by 1000 cuts.
Dave Bittner: [00:04:31:23] Are there ways to mitigate that sort of attack?
Andre Protas: [00:04:34:05] The most common DDoS that is really out there is one that's for web servers. So somebody who wants to take down Yahoo.com or one of the major websites, what they'll do is they DDoS and they'll have a bunch of different nodes, whether they're people firing up software or they're a botnet or one of these other large node systems. They're going to start exhausting the resources at that site by making very large requests to that web server. So what a lot of people will do is they'll use content distribution networks, CDNs for short. There are a couple of example companies like Cloudflare that would do that. And what that does is, your website is not being served by one single node now, it's almost distributed in itself. So when people go to Yahoo.com they're not actually going to the Yahoo server, they're going to an Akamai server in the UK, if they're nearby, or they're going to a Cloudflare server in San Francisco if that's where they're at. So it pushes the content out on the web so that it fights distribution with distribution.
Dave Bittner: [00:05:39:09] And so how do DDoS attacks end? Is it a matter of the attacker giving up or moving on to a different target?
Andre Protas: [00:05:48:16] Yeah, generally. So they just get bored and walk away. Sometimes they might get caught. So whenever they are actively attacking, there is always that threat that they might get caught themselves. They are the ones that are issuing commands so they might close the attack so that they can close their exposure.
Dave Bittner: [00:06:05:10] So, help me understand. How does a DDoS attacker organize themselves to be able to come at you from so many different directions?
Andre Protas: [00:06:12:00] Generally, for the single attacker with multiple nodes, it's a botnet. So they'll harvest a whole network of bots, either by going after vulnerable websites or doing drive-by exploitation and basic malware installation. So they can get up to ten, 20, 30,000 nodes pretty easily, create those different networks and then task them all: on Thursday next week I want you all to go attack a certain website.
Dave Bittner: [00:06:42:22] Andre Protas, Technical Director of the Security Research Team at CyberPoint International, thanks once again for joining us.
Dave Bittner: [00:06:50:14] A note to our listeners, we're back today but the CyberWire will be taking this Thursday and Friday off for the New Year holidays. We'll be back as usual on Monday, January 4th. And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire Podcast is produced by CyberPoint International and their Editor is John Petrik. Thanks for listening.