CyberWire Daily - Daily: Halloween special: mummies, lycanthropes, vampires, villagers with pitchforks, and virtual stakes through virtual hearts.

Episode Date: October 31, 2016

In today's Halloween podcast, we consider post mortems on the October IoT distributed denial-of-service attacks, which suggest there are bigger problems than just factory settings. Recalls of potentially compromised devices continue, and some think about hacking back. (A hint—think twice.) HackForums pulls down its network stressor offerings. South Korea says the North is up to more cyber badness. US election hacking concerns continue. The FBI reopens its email inquiry. Level 3's Dale Drew discusses the growing scale of online attacks. And observers wonder, what do you have to do to lose a clearance?

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Starting point is 00:01:56 Postmortems on the October IoT distributed denial-of-service attack suggest there are bigger problems than just factory settings. Recalls of potentially compromised devices continue, and some think about hacking back. A hint: think twice. HackForums pulls down its network stressor offerings. South Korea says the North is up to more cyber badness. U.S. election hacking concerns continue, and observers wonder, what do you have to do to lose a clearance?
Starting point is 00:02:34 I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 31, 2016. Happy Halloween, all. Postmortems on the Dyn DDoS attacks of October 21 have focused, properly enough, on users of common IoT devices leaving default factory passwords in place. But there are other issues of IoT security that fixing passwords won't touch. The ease with which such devices can be found through simple Shodan searches would be one. The economic forces driving enterprise users toward remote online management of IoT devices comprise another. The more easily such devices can be remotely provisioned, configured, updated, and maintained, the larger the attack surface they present. Firmware is like tana leaves, come to think of it. Three to give it life,
Starting point is 00:03:17 nine to give it motivation. What to do about the security of the Internet of Things remains a matter of considerable discussion. Calls continue to avoid repeating the path taken at the dawn of the Internet itself, by which we mean the big Internet, son of ARPANET. The conventional and correct wisdom about the Internet is that its parents chose to optimize information exchange among trusted parties, with little thought to the possibility, since realized, that the parties would soon be in the hundreds of millions and that their trustworthiness would range all the way from Van Helsing to, say, Nosferatu. It's a little late in the day to think one could design security into the IoT. It's well past the initial design stages by now,
Starting point is 00:03:59 but there are hopes that in the future the various security cameras, DVRs, baby monitors, burglar alarms, thermostats, and coffee makers might be stitched together better than Dr. Victor von Frankenstein might have managed. So we're left with the prospect of mopping up after the rush to declare, it's alive. Former NSA Director Keith Alexander suggested at CyCon 2016 that, given resources, enabling legislation, and general cooperative goodwill, we might be able to secure the IoT within, say, two years. But of course technology solutions won't fully address the polyvalent challenges of security. We will no doubt continue to see recalls, and future devices will no doubt incorporate better security and better setup defaults. Unfortunately, the older devices will continue their zombie-like course through
Starting point is 00:04:51 the networks. Researchers at security company Invincea have discovered flaws in the Mirai IoT botnet-forming Trojan implicated in those recent distributed denial-of-service attacks. It's a stack buffer overflow flaw that could be exploited to crash the attack process, and Invincea has the exploit to do it. But before you take up the torches and pitchforks, fellow villagers, and set out to drive a stake into Mirai's heart, know this. You probably can't do it legally. We know, we know, nobody ever lawyered up in Borgo Pass,
Starting point is 00:05:24 but hey, this is still America, last time we looked anyway, and getting all those baby monitors back from the grip of the undead would involve, like, infecting them, and that would run afoul of the Computer Fraud and Abuse Act. So don't. And Invincea especially agrees with you. They're not necessarily recommending it either, but perhaps some sort of cooperative effort, with permission on all sides, could rescue the Mina Harkers of the IoT from enslavement to their bot masters. Shame, or perhaps fear, in the gray market has led the dabblers in the dark arts over at HackForums to remove server stress testing from among its offerings. Server stress testing is generally
Starting point is 00:06:05 regarded as a euphemism for 50 shades of DDoS for hire. Some observers have connected HackForums with the attacks sustained by Dyn, but this is unclear and probably unlikely. With Mirai wandering the world seeking the ruin of DNS providers, it's not clear crimeware as a service was necessary. South Korean sources report an increased tempo of North Korean cyberattacks. The targets are said to be largely defectors and human rights groups, anathema to what many in East Asia consider the gargoyles of Pyongyang. South Korean authorities say they're doing what they can for the human rights groups, but there are apparently limits to the number of strands of garlic available to be extended to the defectors. U.S. election hacking fears persist. States seem
Starting point is 00:06:51 ambivalent about accepting help from the Department of Homeland Security, a little like Jabez Stone thinking about accepting help from that cloven-hoofed feller who showed up at his New Hampshire farm. What's behind the ambivalence we can't imagine. Probably you can get a senator to advocate for you when payment comes due. WikiLeaks continues to leak, mostly to the detriment of the Democratic Party, but the biggest election-related cyber news came late Friday, as such news often does. An ambiguously worded letter from FBI Director Comey to Congress suggested the Bureau had found some things in an unrelated inquiry that led it to reopen its investigation of former Secretary of State Clinton's emails.
Starting point is 00:07:33 That unrelated inquiry, reports say, may have been into illicit online contacts engaged in by former Representative Anthony Weiner. Are there more surprises to come in the week and a half before the election? Who knows? But cross the right palm with silver and, well, even one who is pure at heart, you know, can become a wolf when the autumn moon is bright. Observers wonder how former NSA contractor Martin, alleged to have accumulated large quantities of classified material at Borgo West, by which we mean Glen Burnie, Maryland, kept his top-secret clearance as long as he did. Clearances seem to be tougher to lose than to get.
Starting point is 00:08:12 I mean, if you were the county clerk and Renfield showed up to renew his real estate license, you wouldn't say, "Sure, here you go." Would you? Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:08:53 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:09:17 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:09:59 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, you know, we're seeing these large-scale attacks. I'm thinking of the Mirai botnet attacks, things like that. And what's an appropriate level of concern when it comes to thinking about these new waves of large-scale attacks? You know, I will say that you're absolutely right. The size of the DDoS attacks that are occurring are getting larger faster. They're evolving at a much more rapid rate. The resources they're bringing to bear are significant.
Starting point is 00:10:54 Their use of the Internet of Things is helping them to evolve their capabilities. And so it's something that we definitely worry about. I would say that the great thing about the internet is the fact of how diverse it is, the fact that it is comprised of so many different independent operators that a single failure of a single operator will not cause a catastrophic harm to the rest of the global internet. But at the same time, you know, these attacks are definitely worrying. You know, and when you throw things like consumer devices into the mix, you know, you have carriers that are building networks for businesses and making sure they have
Starting point is 00:11:36 carrying capacity for businesses. Then you have, you know, carriers that are building networks for consumers. And now those consumer networks are having significant contributions to this overall larger attack. So yes, it is something that I'd say carriers worry about quite a bit. We evolve our capability to filter, to stop, mitigate, and detect these sorts of bad activities. And we're having to get much better at it. We are being forced to, being much more equipped, being able to detect and proactively stop these sorts of attacks because of the nature of the amount of volume and the amount of capability that they're bringing to bear.
Starting point is 00:12:17 Is there a little bit of a catch-22 here where, as providers make bandwidth available, then that bandwidth is also available to the bad guys? Yeah, I mean, it is a little bit of a cat and mouse game, right? It is from the standpoint of the more bandwidth that we add, especially to the consumer space, as an example, which tends to be a bit easier to compromise than the business space, then the more attractive that overall capability is to the bad guy. And the more the bad guy wants to be able to compromise those classes of devices that have access to that processing power and that bandwidth to be able to launch attacks. So the more we evolve the network, the more that network is being used against us to calculate
Starting point is 00:13:02 attacks. So internet providers like Level 3 have to spend, you know, a lot of their time going a little bit further, you know, digging into the makeup of the ecosystem of the bad guys and how they operate and being able to provide capabilities in the network, not just to carry traffic, but to be able to prevent, block, and correct that traffic when it comes from a bad guy. Dale Drew, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:13:40 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:14:40 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
