CyberWire Daily - Daily: Election Day cyber updates. Mirai goes to pieces. Five Eyes and Europol take down dark web souks. Turkey clamps down on its Internet.

Episode Date: November 8, 2016

In today's podcast we hear that US authorities are ready for election hacking, but assess the risk as low. (The information operations, however, seem to be another matter.) Flashpoint sees Mirai being... fragmented in a black-market market correction. Users in Turkey flee censorship into Tor. Operation Hyperion shuts down a lot of dark web nastiness. Tesco fraud investigations continue. Palo Alto's Rick Howard describes a new white paper on the growing sophistication of Nigerian online scammers. CrowdStrike's Dan Larson explains the evolving motivations of threat actors. And an email spoofer tells the court there's no tort, because his email was so implausible.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:56 All hands on deck for the elections, but really the feds seem to think the hacking problems will be small and manageable. The information ops might be another thing. Flashpoint sees Mirai losing its mojo in a black market market correction. Users in Turkey flee censorship into Tor. Operation Hyperion shuts down a lot of dark web nastiness. Tesco fraud investigations continue. And, Your Honor, the plaintiff pleads bad writing. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, November 8th, 2016. As the U.S. elections proceed, the federal government is simultaneously said to have all hands on deck against hacking and to not really be that worried about this whole hacking thing. The story is more complex than contradictory, however. The hacking officials aren't too worried
Starting point is 00:02:51 about would be widespread direct compromise of voting systems in ways that could directly manipulate the U.S. election's results, essentially industrial-scale voter fraud. This indeed seems relatively unlikely. U.S. voting is run by the states, with heavy participation by local governments, and that system is sufficiently disparate and not coordinated to give it a certain built-in, if not entirely intentional, resistance to widespread centralized fraud. On the other hand, it's worth noting that both Cylance and Symantec have shown that hacking various voting machines is clearly feasible. Like most of the rest of the stuff that touches the Internet,
Starting point is 00:03:28 voting machines weren't designed with this kind of cybersecurity in mind. Most observers see the principal threat as Russian information operations directed toward eroding public trust and confidence in the vote, with data deception and denial following in their train. The U.S. intelligence community has publicly attributed hacks of political networks, most notably that of the Democratic National Committee, to the Russian government. President Putin hasn't been shy about characterizing American democracy as a mess, complete with taunts asking whether U.S. allegations of Russian influence operations
Starting point is 00:04:02 means that the Americans now think of themselves as a banana republic. His words, not ours. We have no beef against bananas or any other healthy produce. Many analysts think that if his goal was to bring discredit to the U.S. political system, Mr. Putin can already chalk up at least a preliminary victory. The data deception and denial Wired Magazine calls out as the other significant risk would probably involve denial of service operations, social media trolling, and interference with journalistic coverage of the election, especially reporting of results. Some such activity could be state-directed, or it could be merely state-inspired,
Starting point is 00:04:40 or even just criminal activity taking advantage of the conditions surrounding a high-profile event. Some of the probes of voter databases U.S. authorities hint they've seen appear to be of the third criminal variety. As far as denial-of-service attacks are concerned, both Democratic and Republican presidential campaign sites sustained Mirai-driven distributed denial-of-service campaigns yesterday, but to little effect. Not only was it a bit late in the game to be hitting party sites, with due allowance made for whatever ground game the parties had in mind,
Starting point is 00:05:12 but Mirai seems to be losing its mojo. Flashpoint researchers tell us that this is because the widespread availability of the Mirai botnet-herding malware source code has caused its botnets to fracture. Essentially, there are more aspiring botmasters trying to stampede the webcam and home router bots against their chosen targets, but there aren't enough bots to go around. So again, the black market functions like a market. It's supply and demand.
Starting point is 00:05:40 CrowdStrike, the well-known cyber threat intelligence company, is among those who attributed the DNC hacks to Fancy Bear and Cozy Bear. We spoke with CrowdStrike's Dan Larson about threat actors, what motivates them, and why it's better to be proactive than reactive. You know, if you look over the last three years, we've seen an incredible uptick in the number of private organizations and governments that are experiencing breaches. Kind of an emerging trend that we're starting to see, you know, you can see it as part of the election, actually, is this strategic leaking of documents for the purpose of either political gain or private economic gain. And that notion of breaching an organization as a means to an end rather than being the end itself is kind of the
Starting point is 00:06:26 alarming trend that we're seeing and that we're working to put to an end. When you talk about the difference between proactive and reactive cybersecurity, what are you talking about there? I think many of us in cybersecurity are used to this model where something bad happens, a researcher then analyzes that event and produces something like a virus signature or an IOC and then deploys that. And the problem with that whole model is that you're looking in the rear view mirror, right? It assumes it starts with something bad happening, and then you do some research to overcome it and prevent it in the future. But that model needs to change.
Starting point is 00:07:06 And in order to get to proactive, what we believe at CrowdStrike is, you need to be actively monitoring the adversaries out there, understanding how they do what they do, what is their tradecraft. And if you're successful at understanding those things, you're able to build preventative measures so that from a technology perspective, you're able to put in place, right? These targeted attacks are only happening to big name corporations or, you know, political entities and that sort of thing. And that is simply not true. In our own customer base, you know, we have customers who have experienced breaches that are 10 to 20 employees. And then, of course, the multinationals. And the bottom line
Starting point is 00:08:02 is, if you have enough intellectual property to justify creating a business, you know, a business that employs people and is relevant in the economy, those are the exact same conditions that make you an interesting target for a lot of the cyber adversaries. That's Dan Larson from CrowdStrike. Tor's duality is on full display this week. Internet users in Turkey are moving heavily to Tor as they seek to circumvent their government's blocking of social media services and its implementation of stronger online censorship. On the other hand, Operation Hyperion,
Starting point is 00:08:37 a multinational police takedown of Tor-enabled black markets, has shown the less savory uses to which the anonymizing network may be put. And congratulations to the Five Eyes and Europol, which ran Operation Hyperion. The criminal dark web markets they shuttered were selling not only illicit drugs, but counterfeit items, toxins, fraudulent identities and the documents to go with them, and credit card data. They also offered an array of nasty services, including hacking, contract killing, and money laundering. The fraud campaign directed against customers of the UK's
Starting point is 00:09:12 Tesco Bank remains under investigation. The bank suspended much online account access, but permitted continued access to pay cards and ATMs, which suggests to some the fraud may have been an inside job as opposed to an external hack. Tesco also hasn't referred to the incident as a hack. Estimates of the bank's exposure to litigation and regulatory penalties run as high as 1.9 billion pounds. Whether that's a British billion or just an American billion, we don't know, but either
Starting point is 00:09:42 way, that's a whole lot of pounds. Finally, Tesla Motors has been in a legal spat with one Todd Katz, formerly CFO of an oil field and pipeline services company, and for some reason a critic of Tesla. Tesla is suing Mr. Katz for impersonating Tesla founder Elon Musk in an email sent to Tesla's CFO on August 3rd of this year. Mr. Katz has now countersued. His claim is essentially that no one could have taken his impersonation seriously since it was so riddled with fractured syntax and a host of other solecisms a real email from Mr. Musk would never have committed.
Starting point is 00:10:20 Thus, Tesla suffered no actual harm. So here's the message Mr. Katz acknowledges sending. Quote, Why are you so cautious with Q34GM guidance on call? Also, what are your thoughts on disclosing M3 res number? Pros cons from AirPOV, what is your best guess as to where we actually come in on Q34 deliverables? Honest guess, no BS.
Starting point is 00:10:45 Thanks for hard work prepping for today. As Naked Security reports, Mr. Katz says in his brief, quote, nobody who received this preposterous and grammatically deficient email ever believed it really came from Elon Musk. End quote. All we can say is, all your quarterly guidance are belong to us.
Starting point is 00:12:25 And joining me once again is Rick Howard. He's the CSO at Palo Alto Networks.
Starting point is 00:13:09 He runs their Unit 42 threat intel team as well. Rick, you all have a new report out from Unit 42. This is called your Nigerian threat actor report. Now, it's become almost a cliche, and I think we joke around the office about, you know, I just got a letter from a Nigerian prince who wants to cut me in on the wealth. But there's more to it here. This report really digs into it. Yeah, our Unit 42 guys have been paying attention to this because we keep seeing these attacks going against our various customers around the world.
Starting point is 00:13:40 And first, you know, we have to talk about the codename because you can't really write a white paper without giving it a cool codename. So this is classified as SilverTerrier. And you're right. It is a joke around the industry that these Nigerian fraudsters, you know, are going to ask me for money and we always give it to them. But what we've seen in the last couple of years is that these folks have really upped their game. OK, where typically they were really low-level cybercrime actors. They've now moved into the realm competing with other more high-end cybercriminals out of Eastern Europe. This all started back in the 80s with the scams you were talking about.
Starting point is 00:14:17 And we refer to them as like the 419 scams because in Nigeria, they have a law, Section 419, that forbids this kind of thing. So that's how they kind of got the name. But now since then, they have moved, like I said, upgraded their craft. They're using professional tools like Zeus and Dark Comet. They go after cheap malware or free malware that they use in their own schemes. They've gone away from blanket targeting to going after very specific targeting to specific industries that we're seeing high tech and higher education, manufacturing, health care and construction. The volume is steady, about 5,000 to 8,000 attacks per month.
Starting point is 00:14:58 So like I said, they've really upped their game. What's interesting about the white paper we just produced is we were able to get access to some of the social media from these fraudsters in the country. And they're not the typical people we used to think did this. They're not these little script kiddie teenager people. They're mostly in their mid-40s. They live in the southeast region of Nigeria. They're pretty well-to-do. They're educated.
Starting point is 00:15:24 They don't hide for some reason. I guess it's okay to be a cyber criminal in Nigeria. Yeah, I was going to ask, does the Nigerian government just turn a blind eye to this stuff? I think it's kind of they wink and nod and squint at that kind of crime and kind of let it go on. I'm not an expert there, but it's interesting that they can hide in plain sight. I think what's also interesting is that they run teams. The ones in charge of these groups, they're running lower, not as technically savvy teams, but they give them very specific tasks to do. And we were able to pick all that.
Starting point is 00:15:55 What I love about this is that they use Facebook for their social stuff, and they don't necessarily hide that they're criminals. They don't really talk about it a lot. But they use Google Plus to do their cyber criminal stuff. So I guess that's their covert channel, I guess. So anyway, it's a very interesting report, and you guys should all read it, and I think you will enjoy it. All right. Rick Howard, thanks for joining us.
Starting point is 00:16:33 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:17:21 I'm Dave Bittner. Thanks for listening.
