CyberWire Daily - Daily: AUSA update. Mirai botnet shows risks of default IoT passwords. US-Russian tensions rise over imposition of costs.
Episode Date: October 4, 2016

In today's podcast we hear about cyber conflict and its place in the international order, including especially its place in Russian-American relations. The implications of the Mirai botnet and the release of its source code. Kaspersky breaks the MarsJoke crypto ransomware. Russia indicates a crackdown on cybercrime (maybe). Ben Yelin from UMD CHHS explains changes the FBI wants to Rule 41. Igor Volovich from ROMAD Cyber Systems thinks it's time to think beyond malware signature matching. Industry notes, and, from the black market, the Shadow Brokers still haven't found their ideal buyers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Cyber conflict and its place in the international order, including especially its place in Russian-American relations. The implications of the Mirai botnet and the release of its source code. Kaspersky breaks the MarsJoke crypto ransomware. Russia indicates a crackdown on cybercrime, maybe. Industry notes, and from the black market, the Shadow Brokers still haven't found their ideal buyers.

I'm Dave Bittner in Washington, D.C. with your Cyber Wire summary for Tuesday, October 4th, 2016.
To state the obvious, cyber conflict doesn't occur in a political, military, or strategic vacuum. Its stakes and conditions are set by broader concerns. Even, especially, the 400-pound hackers out there who live in meat space, or perhaps bacon space, and retain some connection to the non-virtual world. Obvious as this may be, it's worth a periodic reminder that it's so. We're getting that kind of reminder this week as we attend the 2016 Association of the United States Army meeting and exposition. It's been interesting to get the perspective of those whose business it is to think long and hard about the dangers of the world. We've been enjoying some interesting conversations with our hosts and colleagues in the Military Cyber Professionals Association. We had a chance today to talk at length with the author of NATO's Tallinn Manual, the best source known to us of thinking on international norms in cyber conflict. We'll have that interview tomorrow, so be sure to check it out.
In today's news, much continues to be made of the recent Internet of Things botnet-driven distributed denial-of-service attacks. The source code used to herd the Mirai botnet was released late last week, and it's been under inspection since. There's a good news-bad news angle to this particular story. That the code is out is bad news, since it's now available to other copycats and derivative hackers who will no doubt seek to make more use of it in the wild. The good news is that it's clear how the herding worked. It exploited default passwords carelessly left in place by users. 61 default passwords were enough to assemble what was at the time the largest DDoS attack on record. The victim of that attack, Krebs on Security, has taken a look at the affected devices and, in conjunction with other researchers, has identified some of the hardware used in the attack. Many of the devices were older ones, and the news is in some respects encouraging. More companies, including such leading device manufacturers as Hikvision, Samsung, and Panasonic, are now requiring unique passwords by default. This isn't, of course, an infallible security measure, but it's a step in the right direction.

The Cyber Wire heard from Rod Schultz, vice president of products at Rubicon Labs, who compared the modular reusable code blocks found in IoT products to Lego. These software Lego can be stacked to rapidly create new products, but those products also share the same vulnerabilities, he said. They can also be rapidly exploited and repurposed to hit different attack surfaces. And that, according to Schultz, is exactly what we are seeing with the Mirai IoT botnet. He thinks we'll do well to prepare ourselves for more attacks of this kind.
To return to some better news, there's some out on the ransomware front. Kaspersky has cracked the polyglot MarsJoke crypto ransomware, and they have a tool available to help comfort the afflicted. So bravo, Kaspersky.

In the U.S., concerns about election hacking and voter influence persist, and Russia is the source of those concerns. Relations between the two countries are not growing warmer, and conflict in other areas is likely to spill over into cyberspace. U.S.-Russian relations grew noticeably colder this week, as Russia formally withdrew from a bilateral plutonium control accord in response to sanctions the U.S. has levied against Russia over the past two years. Those sanctions were put in place largely in response to Russian encroachment into Ukraine. The Russian point being made quite explicitly in public statements this week is that U.S. imposition of costs, a centerpiece of American cyber policy, will itself have costs for the Americans.

There's another development in Russian policy that has some direct implications for cyber security. Russia will now treat cyber crime as theft and not fraud, as it had formerly done. This is regarded by many observers as a positive development. Theft is prosecuted more aggressively than fraud, and it carries more severe penalties.
When it comes to defending against malware, there's no shortage of solutions on offer, and there's a spectrum of philosophies on how to best spend your resources. Igor Volovich is from ROMAD Cyber Systems, and he maintains that if we're going to succeed, it's time to reconsider traditional approaches, like, for example, signature-based systems.
Well, a signature is like a fingerprint, right? You have a specific set of criteria and attributes that describe a file. Typically, there is a hash associated with that file, which is its unique cryptographic signature, and you can go off of that. There are also some behavioral characteristics, or what we used to call heuristics back in the day, that you can employ, but by and large it's a one-to-one relationship. There is a single malware sample and then there is a specific signature designed to detect that sample. It is a string matching, pattern matching function.

That's been the traditional way to look at things. For every new exploit, we had to go find a new signature. So that one-to-one signature-based relationship, it was no longer sustainable. It still is not. Yet, there are very few solutions that really address that problem.

We're looking at it from a cyber criminal value chain. How is malware monetized, and who makes the money, and when? Well, it turns out everybody's making money in that chain, from the original person who's discovering the vulnerability to the guy who weaponizes it, to the guy who creates the exploit kit, to the guy who monetizes it at the very end, the person who's actually spamming out or sending out phishing emails, sending out ransomware emails. Everybody in that chain is making money. Now, the guy at the top of that chain, that's the guy I want to get to.

Unfortunately, the industry has focused on these kinds of law enforcement based attribution models, as we call them, where we want to find who's doing it, raid their house, find out which ISP is supporting them, go knock them down, put them in jail, et cetera. And, you know, the FBI likes to release big press releases and talk about the busts that they've made. And those are great things, and they need to happen. Unfortunately, that's not scalable. So without going on a cyber whodunit hunt every time we have a new family or a new exploit kit released, how do we just focus on the tradecraft? And it goes to the very root of the problem, finding out the immutable characteristics of malware families, not just strains, but actual big families, and then focusing on that tradecraft, detecting it in real time, and then blocking its execution on the endpoint, in the cloud, or possibly even across the network.

Is it an all or nothing thing? Is there still a place for signature matching?

Well, it's like hygiene, right? You want to wash your hands before you eat a meal, right? There are basic things, best practices that we've followed for a long, long time. There are some ingrained notions in this industry, and we've sort of conditioned the market to accept antivirus as a very basic, foundational, fundamental part of the security stack, as we call it, the portfolio of services and tools that we have in the enterprise. So from a psychological perspective, I think a lot of folks are very tied to the hip to the idea of antivirus needing to be there. And if that's the barrier to entry for these new technologies, so be it. We're not trying to upset the apple cart, so to speak, but we should not be accepting the eventuality of compromise, the notion that everybody's going to get breached, whether you know it or not. And we think we need to move beyond that.

So what is the next evolutionary step?

The next evolutionary step is actually disrupting cybercrime and cybercriminal tradecraft. Elevating our thinking, evolving our thinking, and then demanding that the industry evolve with us to provide the solutions that can actually deliver this capability to the enterprise and to the public at large.
That's Igor Volovich from ROMAD Cyber Systems.
In industry news, Carbon Black is said to be preparing for an IPO. It's also partnering with IBM to take on competitors in the endpoint security market. In the long-running discussion of what induces boards to take cybersecurity seriously, it turns out that the easiest risk for a board to understand is compliance risk, at least according to a study Osterman Research conducted on behalf of Bay Dynamics. That's mixed news at best, since it would seem to cede standards development to regulators and to reinforce tendencies toward a check-the-box approach to security.

And finally, the Shadow Brokers still haven't found any takers for those Equation Group zero days they say they have for sale. So hop to it, zero-day shoppers. There are bargains galore.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ... designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, the Department of Justice is asking for an amendment to Rule 41. This has some significant repercussions for online privacy and cybersecurity. Let's start at the beginning here. Explain to us, what are we talking about with Rule 41?
Sure. So, Rule 41 is under the Federal Rules of Criminal Procedure, and it allows the Federal Bureau of Investigation, or the FBI, to go ask a judge to allow them to install malware to hack into computers that are believed to be connected to various criminal activities. So generally, we're talking about, you know, some of the most heinous things that could be on the internet: chatter, social media chatter among terrorists, child pornography, drug trafficking. Currently, there's a significant limit to Rule 41 in that judges can only authorize intrusions into computers within their own jurisdictions. And the reason that's a limit is because oftentimes we don't know exactly whether the individual putting the information on the internet is actually within that judge's jurisdiction. I mean, with all the complications with routing and IP addresses, it's very hard to identify whether a particular individual is putting information on the internet within a particular judge's jurisdiction. So the DOJ is proposing to change the rule to limit that restriction. And they also are trying to expand the reach of authority of Rule 41 by authorizing the federal government to get permission to hack a number of computers. This article that you sent me, Dave, quoted up to a million computers with just a single warrant.

And that presents major constitutional concerns. I mean, one of the reasons we have the Fourth Amendment, and one of the reasons that the founding fathers were so adamant about it, is that we descended from a system in England where they had general warrants, where the police could basically come into a person's house looking for not a specific piece of information, but just granting them the ability to find what they could find and charge based on whatever they could find in the person's house. And I think courts and judges have been very reticent to these kinds of broad general warrants that aren't specified based on probable cause against an individual. So there's been an effort in the United States Senate, led by a couple of the lead civil libertarians in the Senate, Senator Ron Wyden of Oregon and Senator Rand Paul of Kentucky, to try and stop this amendment. It's scheduled to go into effect in December. If I had to guess, I don't think that, A, there's an appetite for some sort of legislative fix to this amendment, and B, with all the distractions with the presidential race and some of the must-pass pieces of legislation now before Congress, I just don't think this is an issue that Congress is going to take up in the next three months. So I think it's very likely that we do see these new rules go into effect.

All right, Ben Yelin, thanks so much. We'll talk to you soon.

And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.