CyberWire Daily - Daily: DNC hacks, encryption, IoT hacks, and Pokémon.

Episode Date: July 27, 2016

In today’s podcast we discuss ISIS terror and online inspiration. We learn that experts are reaching consensus that Russia hacked the US Democratic National Committee, and we hear some steps that might be taken to protect email. We speak with the company that provided cyber security for the Republican National Convention. New vulnerabilities are discovered in wireless keyboards and smart lightbulbs. Ransomware persists, and the number of DDoS attacks seems to be spiking recently. The White House issues PPD-41, “Cyber Incident Coordination.” Level 3's Dale Drew speaks to the uptick in DDoS attacks, and Vince Crisler from Dark Cubed shares his experiences protecting the RNC national convention from cyber threats. And people are still catching Pokémon in places they shouldn’t.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.

stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.

Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Starting point is 00:01:56 ISIS again celebrates murder online, using it as inspiration. Security experts approach consensus that Russia was behind the DNC hack. WikiLeaks' Assange says he released the DNC files when he did to damage nominee Clinton. agency responsibilities during cyber incidents, and Pokémon Go may get you to go places you shouldn't. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, July 27, 2016. ISIS claims credit online for the horrific attack in a church just outside of Rouen, France. The caliphate's haste to associate itself with the murder suggests the sort of content the terrorist organization finds effective in information operations. The killers themselves spoke and acted in ways consistent with ISIS inspiration. A study finds evidence that such inspiration continues to reach a large enough audience to be worrisome. Some are ideologically committed.
Starting point is 00:03:06 Others appear to be simply disturbed individuals vulnerable to what the New York Times' stable of academic experts is calling contagion. Most security experts have reached consensus that the DNC hack was a Russian job, and in all likelihood a Russian government job, albeit in a deniable way. Evidence remains necessarily circumstantial, but a great deal has accumulated. Why the Russian government would be interested in hacking the DNC remains an open question. Some see the DNC hacks as part of President Putin's long game to discredit post-Cold War international democracy and dismantle its sustaining institutions like NATO and the EU.
Starting point is 00:03:45 Why WikiLeaks released the hacked documents is no mystery at all. Julian Assange says he timed the release to damage U.S. Democratic presidential nominee Hillary Clinton, whom he views as an inveterate opponent and the author of many of Assange's troubles. StealthBits Technologies' Brad Busey sees encryption as the basic defensive tool enterprises ought to use. Quote, The technology to encrypt emails is well known but not commonly implemented. The main reason for this is complexity and infrastructure cost. Most weight the value of the information that is transmitted against what it would cost to protect it.
Starting point is 00:04:20 If the protection cost outweighs the value of the information, then most do nothing and let operations continue as normal. End quote. He suggests that enterprises might wish to take a hard look at such cost-benefit calculations. Lastline's John Marshall reminded us of some of the other reasons enterprises decline to encrypt. Quote, The use of web-based email that requires two-factor authentication does help in terms of encrypting access, email that requires two-factor authentication does help in terms of encrypting access,
Starting point is 00:04:49 but the usability and functional differences these have to corporate mail systems will lead users to prefer to use those, which typically rules encryption out, end quote. The Democrats are holding their national convention this week in Philadelphia, and last week the Republicans held their convention in Cleveland. Keeping that convention safe, both physically and from cyber attacks, was the responsibility of the Cleveland Host Committee, a non-profit, non-partisan organization. On the cybersecurity front, one of the organizations they brought in to protect the convention was Dark Cubed. Vince Chrysler is CEO at Dark Cubed, and he told us about the preparations during the run-up to the convention. At the end of the day, the real force of the effort is only a couple weeks long at most. So from our perspective, our product, we installed it early
Starting point is 00:05:32 because we wanted to start getting a baseline of what does traffic look like on that network so we can start understanding good versus bad and start to triage and understand, you know, is the level of attack changing as we get closer to the convention or not. So we deployed about eight or nine months early and started providing security for that network late last year. And then as we came closer to the convention, resources start spinning up and you start looking at how exposed is this network? What are the exposed ports from the outside? What are the architecture and configuration of that network from the inside? And then you come up with a game plan. And that's what was really exciting to me about the team that
Starting point is 00:06:10 we worked with for the convention is it wasn't a huge team, but it was a team of people that had great experience and capability. And so it's applying those creative tactics to securing that network. There's that old saying that the best defense is a good offense. Chrysler and his team use that strategy in Cleveland. My fundamental philosophy in cybersecurity is offense always wins, defense always loses, no matter what. So if somebody wants to hack a network and they have enough time, money, and commitment, they will be successful. And so what that informs then is a different approach to cybersecurity. It's broken out into a couple different pieces. One is, how do I protect my network as best as possible given the resources I have? Two is, how do I find out sooner rather than later
Starting point is 00:06:50 that something has happened? And three is, how do I respond as quickly as possible to minimize the damage once something does happen? And so when we came at the security infrastructure for the convention, it was really coming at it with, okay, we've done our work on some of the basics in terms of how do you minimize the exposure of the network? So minimizing the number of connections, minimizing the number of open ports, having good awareness of all the devices that are on the network.
Starting point is 00:07:16 But then it's really focused on how do you discover that something strange is happening within those networks? And that's where you start to see interesting things. Because we were very proactive in terms of segmenting that network out, so you're segmenting out the official users from the guest users from the other infrastructure, you're able to watch activity in each of those segments independently. And so we certainly saw on the guest wireless as machines would come in and start instantly pinging out to botnets or malware command and control servers. Those would spike in our systems. I remember one morning, I think it was Tuesday or Wednesday morning, that a machine connected to the guest Wi-Fi,
Starting point is 00:07:54 and within two hours it had done thousands of requests out to a foreign IP address. But we saw that there was UDP traffic traveling overseas, and we were able to block that traffic. But we were able to continue to see it ping, and it pinged for about five and a half hours until finally giving up. And again, there were certainly lots of other malware, botnet sorts of activity. There's lots of external scanning from all the common actors that you would expect to see. But we were watching that in real time and blocking those as they came in. That's Vince Crisler. He's the CEO at Dark Cubed.
Starting point is 00:08:28 Two recently discovered vulnerabilities are worth noting, and they also involve encryption issues. In the first, Bastille Networks describes KeySniffer, a vulnerability in low-cost Wi-Fi keyboards that don't encrypt keystrokes before sending them to the Wi-Fi dongle. Bluetooth devices aren't affected. An attacker could intercept those keystrokes before sending them to the Wi-Fi dongle. Bluetooth devices aren't affected. An attacker could intercept those keystrokes from distances of more than 100 meters. In the second, Rapid7 has reported nine vulnerabilities in Osram's Lightify smart light bulbs, the most serious of which could permit attackers to capture authentication handshakes. Osram has patched four of the nine bugs.
Starting point is 00:09:05 So, businesses, you may not be that interested in your light bulbs, but those light bulbs may be interested in you. Insinia Security reports finding UK Telco O2 customers' credentials for sale on the dark net. The credential stuffing problem originates in password reuse. We heard from Tripwire's Travis Smith, who pointed out that, quote, password reuse can cripple even the most secure systems. Using authentic credentials rather than attempting to leverage exploits is less risky for the attacker,
Starting point is 00:09:33 as security tools are more likely to detect an active exploit. Since passwords are commonly reused across websites, stolen credentials from one breach are often used across other sites. End quote. Many observers of this breach recommend using a password manager. A good idea, to be sure, although such products aren't a panacea either. Google's Project Zero Day has found a hole in password manager LastPass. Ransomware and denial-of-service attacks continue to be the leading forms of cybercrime
Starting point is 00:10:02 affecting businesses and individuals. F-Secure is being quoted as saying a ransomware gang has admitted its connection to an unnamed Fortune 500 company that allegedly hired the crew to disrupt competitors. Mike Patterson, CEO of Plixer, commented on this to the CyberWire, saying, quote, I wouldn't be surprised if we hear about big companies launching ransomware attacks. The attacks, however, don't mean they were approved by executive management. The best defense right now is to educate employees to be careful when clicking.
Starting point is 00:10:38 Locky and Cryptex, of course, remain among the leading strains of ransomware circulating in the wild. Healthcare organizations continue to be preferred, but not exclusive, targets. DDoS is also on the rise, with targets in Russia prominently affected. DDoS can be conducted with straightforwardly criminal motives, but it's also a common hacktivist tactic. Terbium Labs researchers are watching an actor calling himself, herself, or themselves the Israeli Falcon, who's involved in DDoS attacks against various Palestinian targets. The nominal motive is retaliation for Anonymous' Op Israel, although the Falcon also uses a Guy Fawkes mask, as anyone
Starting point is 00:11:12 could. In the U.S., President Obama yesterday issued PPD-41, Cyber Incident Coordination, establishing a much-commented-on color system for the severity of cyber incidents. establishing a much-commented-on color system for the severity of cyber incidents. Many industry observers wonder where the last few years' high-profile attacks would fall on the scale. The policy also fixes roles and missions for cyber attack response. The FBI leads threat response, DHS leads asset response, and the ODNI leads intelligence blocking and tackling. Finally, unscrupulous Pokemon Go players have cooked up geospoofing bots that enable them to cheat. We're shocked, shocked, that there's
Starting point is 00:11:51 cheating going on in an online game, and Pokemon have turned up inside another denied area, the hot zone of Japan's breached and broken Fukushima nuclear reactor. A tip, if you're in Japan, don't go into Fukushima, even for a Magmar, Venusaur, or Gardevoir. Okay, well, of Gardevoir, but wear your full protective gear, kids, or maybe a geospoofing bot. And then, trainers, as you look back, you can say, we'll always have Fukushima. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:12:42 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Dale, you mentioned that you've been seeing an uptick in DDoS attacks lately. You know, we really have.
Starting point is 00:14:27 Not only have we been seeing an uptick in DDoS attacks from a volumetric perspective, our average DDoS attack is between 10 to 15 gigs. And we've been seeing that increase quite exponentially. We've been seeing DDoS attacks in the 75 to 100 gig range, a little bit more common here lately. the 75 to 100 gig range, a little bit more common here lately. We're also seeing an increase in application attack DDoSes where bad guys are getting much more creative and much more direct in being able to pretend to be millions of legitimate users gaining access to an application and consuming the resources of that application, which makes it very difficult to stop a DDoS attack.
Starting point is 00:15:09 And then we're also seeing a very large uptick in what we believe to be fake DDoS ransomware hoaxes. We've seen a number of ransomware attempts going out to customers that appeared to represent well-known DDoS hacking groups like the Armada Collective and the Lizard Squad, but they're not the same sort of MO. They're using much different sort of tactics
Starting point is 00:15:36 and getting ransomware for them. So we believe that people are pretending to be these collectives to make a quick buck. Dale Drew, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, Thank you. and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire.
Starting point is 00:16:37 We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:17:30 That's ai.domo.com.
