CyberWire Daily - Daily: Another Ukrainian power grid outage may have cyber causes. ShadowBrokers may have got Equation Group code from a rogue insider. WordPress brute-forcing. Evading volumetric detection. Methbot ad fraud. Wassenaar remains controversial.
Episode Date: December 20, 2016
In today's podcast, we discuss another possible cyber incident that hit Ukraine's power grid last Saturday. Flashpoint looks at the ShadowBrokers' alleged Equation Group code and sees a rogue insider behind the leak. WordPress sites are receiving a lot of brute-forcing attempts. New spam and other attack techniques are evading volumetric detection. Mirai is sniffing for new IoT bots, and Dave Larson from Corero Network Security tells us what to expect in 2017. Jonathan Katz from the University of Maryland outlines advances in fully homomorphic encryption. Russian crooks skim ad revenue with the Methbot scam. Wassenaar cyber arms control remains controversial. And informed speculation suggests the ShadowBrokers and Bocephus Cleetus are—da—effectively, the same people.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Another possible cyber incident in Ukraine's power grid last Saturday remains under investigation.
Flashpoint looks at the Shadow Brokers' alleged Equation Group code and sees a rogue insider behind the leak.
WordPress sites are receiving a lot of brute-forcing attempts.
New spam and other attack techniques are evading volumetric detection.
Mirai is sniffing for new IoT bots. Russian crooks skim ad revenue with the Methbot scam.
Wassenaar cyber arms control remains controversial, and informed speculation suggests the Shadow Brokers and Bocephus Cleetus are,
da, effectively the same people.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, December 20, 2016.
Many of you will recall that a year ago this month,
the power grid in eastern Ukraine was taken down by a complex cyber attack.
It involved phishing that installed BlackEnergy and KillDisk malware
to facilitate access to substation controls,
followed by telephonic denial of service designed to impede response and recovery.
This Saturday, Ukraine again experienced an electrical outage,
this one on the north side of Kyiv and in adjacent districts.
Ukrenergo, the national power company,
said the interruption was caused by an external influence.
Investigation continues and is focused on failure of automation control.
The entire incident was remediated rapidly,
with power restored within 30 minutes,
and a complete recovery in just over an hour.
Last year's attack was widely attributed to a combination of Russian criminal and state actors,
but there's so far no word on who was responsible for Saturday's disruption,
or on how it was achieved.
Flashpoint has published its close look at the Shadow Brokers' leak of
Equation Group code. The security company concludes with medium confidence that it was an inside job.
They say the data's structure looks like something from an NSA internal code repository,
one accessible to contractors and employees. That is, they think it unlikely that the agency was
hacked from the outside.
They also think that one of the more widely believed early theories about the source of compromise,
that some operators carelessly left the code exposed on a staging server, is also unlikely.
You can see their report on Flashpoint's blog, flashpoint-intel.com.
WordPress vulnerabilities may have been overestimated,
as source code analysis shop Rips noted last week,
but some bad actors are paying them a lot of attention nonetheless.
Over the past three weeks, the security shop WordFence has observed 1.6 million brute force attempts daily against WordPress sites.
About a sixth of these attacks originate from a single Ukrainian ISP.
Cisco's Talos unit warns of hailstorm spam. It evades detection by sending low volumes of spam
from a large number of IP addresses. PerimeterX observes a similar technique used in botnet-driven
brute force attacks, which avoid tripping volumetric warnings by using a very large number of bots.
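The two items above describe the same evasion pattern: keep every individual source below the per-IP threshold and spread the load over many addresses or bots. One defensive answer is to aggregate by target instead of by source. This is an added example, not code from the podcast or from Cisco Talos or PerimeterX; the log format, the `admin` and `editor` account names, the 198.51.100.0/24 and 203.0.113.0/24 addresses, and the thresholds are all constructed for illustration.

```python
"""
Per-source rate thresholds miss an attack spread thinly over many IPs.
Grouping the same failures by target account and counting distinct
sources within a time window catches it. All log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a hypothetical format:
# "<ISO timestamp> <client ip> wp-login.php FAIL user=<account>"
# 600 failures against "admin" over ten minutes, spread across 200 IPs,
# so each IP contributes only three attempts.
LOG_LINES = [
    f"2016-12-17T10:{i // 60:02d}:{i % 60:02d} 198.51.100.{i % 200 + 1} "
    f"wp-login.php FAIL user=admin"
    for i in range(600)
]
# Benign noise: one legitimate user mistypes a password twice.
LOG_LINES += [
    "2016-12-17T10:03:10 203.0.113.7 wp-login.php FAIL user=editor",
    "2016-12-17T10:03:25 203.0.113.7 wp-login.php FAIL user=editor",
]

LINE_RE = re.compile(r"^(\S+) (\S+) wp-login\.php FAIL user=(\S+)$")


def parse(lines):
    """Return a list of (timestamp, source_ip, target_user) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, ip, user = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user))
    return events


def per_source_alerts(events, threshold=10, window=timedelta(minutes=10)):
    """Classic volumetric check: an IP with more than `threshold`
    failures inside any `window` is flagged. Returns the set of such IPs."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    alerts = set()
    for ip, times in by_ip.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # slide the window start
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.add(ip)
                break
    return alerts


def per_target_alerts(events, min_sources=20, window=timedelta(minutes=10)):
    """Aggregate check: an account that receives failures from at least
    `min_sources` distinct IPs inside any `window` is flagged. Returns
    {account: distinct_source_count_when_first_flagged}."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = {ip for _, ip in items[lo:hi + 1]}
            if len(distinct) >= min_sources:
                alerts[user] = len(distinct)
                break
    return alerts


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("per-source alerts:", per_source_alerts(evs))   # empty: nobody trips it
    print("per-target alerts:", per_target_alerts(evs))   # {'admin': 20}
```

The per-source detector sees at most three failures from any one address and stays quiet; the per-target detector fires on `admin` as soon as twenty distinct addresses have failed against it. In production the same idea is usually applied per target endpoint or per tenant as well as per account, and the distinct-source count is cheaper to keep with a cardinality sketch than with a set.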
Neustar's study of DDoS growth in 2016 is out.
They find, not surprisingly, that growth was explosive and it's likely to be fueled by the commodification of attack tools that's proceeding apace.
The most famous of those black market commodities, the Mirai bot-herding malware, is, according
to the SANS Institute Internet Storm Center, prowling the wild, seeking the ruin of IoT devices exposed at
port 6789.
For more on DDoS attacks and where we can expect things to go in 2017, we checked in
with Dave Larson.
He's the COO and CTO at Corero Network Security, and he tells us where the DDoS arms race stands.
At the moment, the attackers have the upper hand because they have this
new tool in these growing IoT botnets that they can leverage, and that tool is not going to be
quickly remediated. It's all well and good for one of the Chinese manufacturers of the DVRs and CCTV cameras associated with initial incursions to issue a recall.
That doesn't mean that the products will actually be recalled.
It means there are IoT devices that are in place, in utilization, and very rarely touched, patched, updated, or monitored by the end users who use them. So for a little while at least,
I think this weapon remains in place. The good news is that now everyone is aware of the danger.
And at the very first stage, I think you're going to see significantly more attention paid to setting up devices without default passwords.
The good news on the Dyn attack is that it took down Twitter and Okta and Reddit
and made it onto the mainstream news for that entire day,
which means even the average person is aware of it now
and that passwords are probably something that you should have put some thought into. So I think in one respect, the attack itself has probably diminished the future capacity
and scale of these attacks because people are going to take proper practice and procedures
to lock things down.
But I think it's also going to set the tone for internet service providers to understand
that they're going to have to be involved in
the remediation of the problem. It's very, very difficult remotely across the world to deal with
these engines that exist on someone else's access network. But it is quite straightforward
for a service provider to be able to monitor their own access network, notice when a device
is infected, and then blacklist it off of the network so that it can't cause further damage, and then get the attention of their
subscriber to go and do the remediation if that involves sending the product back on a recall
or just reflashing it to factory defaults and giving it a good password. But if we follow all
of those procedures, then we'll be better off a year from now than we are today.
That's Dave Larson from Corero Network Security.
According to security researchers at White Ops, Russian criminals are exploiting ad networks in the MethBot scam,
diverting between $3 and $6 million a day from U.S. advertisers.
The latest version of the Wassenaar cyber arms export controls has still not found consensus approval from policy mavens and the security industry.
Vulnerability researchers continue to believe that it will unreasonably restrict
and possibly criminalize legitimate and essential security work.
The U.S. continues to mull its response to the ways in which it's
convinced Russian intelligence services inserted themselves into the now-concluded presidential
election. The electors have met, and Donald Trump is now formally and officially the president-elect.
That Fancy Bear and Cozy Bear were in U.S. political party networks seems established
with a clear preponderance of evidence. Who actually gave WikiLeaks the damaging DNC emails is far less clear.
And finally, to return to the shadow brokers,
the well-known information security researcher who goes by the name of the Grugq
offers an interesting and wide-ranging cultural and linguistic close reading
of the communications surrounding their Equation Group leak.
He describes analyzing those communications, especially those from the newest cutout,
Bocephus Cleetus, as being, quote, like semiotics and lit crit on steroids, end quote.
And we're not saying he's wrong.
If the shadow brokers wrote like a lazy screenwriter's approximation of Boris Badenov,
Mr. Cletus comes across as that same lazy screenwriter's impersonation of a hillbilly,
less credible than Jed Clampett or Ernest T. Bass at their hee-haw worst.
References to Sun People and The Deep State touch the rhetoric of the fringier alt-right and alt-left.
Other allusions pay homage to people ranging from Hank Williams Jr.
to Rage Against the Machine to the Dukes of Hazzard and their nemesis, Boss Hogg.
The Grug suggests the public-facing activities of the shadow brokers,
Fancy Bear and Bocephus Cleetus, represent a coordinated Russian campaign providing,
at least, some misdirection for influence operations directed against the U.S. elections.
Take a look at the Grugq's stuff.
He can be found at medium.com slash at the Grugq.
That's G-R-U-G-Q.
And enjoy.
Maybe even earn a credit hour in cultural studies.
We'll leave the Grugq the last word.
Quote, these guys are hilarious, but they also operate like an intelligence agency.
critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Jonathan Katz. This paper is talking about how perhaps there have been some breakthroughs that could make homomorphic encryption more practical. Why don't you start off by just giving us a
quick review on homomorphic encryption? Sure, I'd be happy to. So normally when we
encrypt stuff using public key encryption, you transform a message into a completely
unintelligible blob that only the holder of the secret key can decrypt. And what fully
homomorphic encryption allows you to do
is actually allow somebody who doesn't have the private key and can't decrypt to still perform
computations on the encrypted data. So basically, that means you can have a user encrypting some
data, and then some third party doing a computation, an encrypted computation on that data,
and then forwarding that data along either back to the client or to somebody else who can decrypt and get the result. And this is something
that's been a longstanding goal for cryptography since the late 1970s. And really, a breakthrough
was made about a decade ago now, showing that this could even be done at all.
And so tell us about this recent research that might make it more practical.
So there was some recent work out that showed how to improve the efficiency of fully homomorphic encryption by about a factor of
10. And this is really quite amazing because, like I said, for decades people were not even
sure that fully homomorphic encryption was possible. And then since the time that it was
discovered, there's been a sequence of improvements in the efficiency of fully homomorphic encryption, and people are hoping that
it will get to the point where one day it will in fact be practical. So when
we'd spoken previously about homomorphic encryption, you'd told us
about how it wasn't really practical for general use, it was really in the
experimental phases, and so if this research shows that it could be ten
times faster than it was, does that put it in the realm of being something that's usable?
Well, the work is really great.
I mean, the work is giving a factor of 10 improvement over the previous best results.
And like I said earlier, there's been a lot of work in improving the efficiency
of fully homomorphic encryption since it was invented.
Unfortunately, we're still a little bit far from the point of where it's going to be practical.
Basically, we started out when it was invented with being about 10 to the 8 times slower than a native computation,
and it's been improved by several orders of magnitude since then,
but it's still about 10,000 or so times slower than a regular unencrypted computation.
So researchers are definitely making progress, and this is certainly working in the right direction,
but we still have a ways to go before we're going to see it deployed in the real world, I think.
Jonathan Katz, thanks for joining us.
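The property Professor Katz describes, a third party computing on data it cannot decrypt, is easiest to see in a simpler, additively homomorphic scheme. The block below is an added example, not code from the podcast, from Professor Katz, or from the paper discussed in this segment: it implements the Paillier cryptosystem, which supports adding encrypted values and multiplying them by a known constant but not arbitrary computation, so it illustrates the principle of fully homomorphic encryption rather than a fully homomorphic scheme itself. The primes `10007` and `10009` and the sample values are constructed toy parameters, far too small for real use.

```python
"""
Toy Paillier cryptosystem: an additively homomorphic scheme used to
illustrate the idea behind fully homomorphic encryption. A party holding
only the public key computes on ciphertexts; only the secret-key holder
can read the result. Paillier supports plaintext addition and
multiplication by a known constant; FHE extends this to arbitrary circuits.
Parameters are tiny and chosen for readability, not security.
"""
import secrets
from math import gcd

# Constructed toy primes; real deployments use primes of 1024+ bits.
TOY_P, TOY_Q = 10007, 10009


def keygen(p=TOY_P, q=TOY_Q):
    """Return (public key, private key) = ((n, g), (lambda, mu))."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                                       # standard generator choice
    # L(x) = (x - 1) // n; mu is the inverse of L(g^lambda mod n^2) modulo n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Randomised encryption of an integer 0 <= m < n."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    r = secrets.randbelow(n - 1) + 1        # random r in [1, n-1], coprime to n
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover the plaintext; only the holder of (lambda, mu) can do this."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts adds the underlying plaintexts (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to the power k multiplies the plaintext by k (mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def outsourced_sum(pub, ciphertexts):
    """The third party's job: total the encrypted values with the public key only."""
    total = encrypt(pub, 0)  # fresh encryption of zero as the neutral element
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo(values=(3, 5, 7, 11)):
    """Client encrypts, server sums blindly, client decrypts; returns the sum."""
    pub, priv = keygen()
    encrypted = [encrypt(pub, v) for v in values]    # client side
    blind_total = outsourced_sum(pub, encrypted)      # server side, no private key
    return decrypt(pub, priv, blind_total)            # client side


if __name__ == "__main__":
    print("sum recovered from ciphertexts:", demo())  # 26
```

Two details matter when reading it. Encryption is randomised, so the same plaintext yields a different ciphertext each time and the server cannot even tell whether two inputs are equal. Arithmetic is modulo n, so sums that exceed n wrap around; real deployments size n to the values being processed. The slowdowns quoted in the interview (roughly 10^8 times at the start, about 10^4 times today) refer to schemes that also support multiplication of two ciphertexts, which is what makes bootstrapping, the subject of the paper, necessary.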
By the way, the title of the paper that we are discussing is
Faster Fully Homomorphic Encryption, Bootstrapping in Less Than 0.1 Seconds.
The authors are Ilaria Chillotti, Nicolas Gama, Mariya Georgieva, and Malika Izabachène.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to