CyberWire Daily - Daily: ISIS online sympathizers (but not ISIS itself, which is lying a bit low) claim Ohio State attacker. German security agencies warn of possible Russian disruption of elections. Mirai strikes again. San Francisco's Muni shrugs off ransomware. A look a
Episode Date: November 29, 2016
In today's podcast, we hear about how ISIS sympathizers are celebrating the Ohio State slasher rampage in social media. Germany's BND warns of Russian plans to disrupt elections. Deutsche Telekom recovers from a Mirai-driven DDoS attack. San Francisco's light rail recovers from ransomware (and resumes collecting fares). Holiday retail cyber security trends. A look into the dark web. Continuing security troubles for former and prospective US Secretaries of State. Level 3's Dale Drew takes a look at critical infrastructure. The Carter Administration gets doxed, and xHamster is breached. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
ISIS sympathizers praise Ohio State's slasher rampage in social media.
Germany's BND warns of Russian plans to disrupt elections. Deutsche
Telekom recovers from a Mirai-driven DDoS attack. San Francisco's light rail recovers from ransomware
and resumes collecting fares. Continuing security troubles for former and prospective U.S. Secretaries
of State. The Carter administration, yes, the Carter administration, gets doxed and
xHamster is breached. Hey, didn't John McAfee warn you about that?
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, November 29, 2016.
In the U.S., investigators of yesterday's car crash and knife rampage on the campus of The Ohio State University
have found social media posts from the late alleged attacker,
in which he avows an intention to avenge injury and insult to Muslims.
ISIS has not yet claimed responsibility for inspiring the attacker,
but the caliphate's sympathizers have begun lionizing the late alleged attacker online as a brother,
and they continue to draw pride and encouragement from an apparent act of terrorism.
The head of Germany's foreign intelligence service, the Bundesnachrichtendienst, BND,
joins warnings of a Russian cyber threat to next year's elections.
Bruno Kahl, speaking to the Deutsche Zeitung,
remarked that Europe was seeing a wave of cyber incidents that appeared to have no purpose beyond triggering political uncertainty and delegitimizing the democratic process as such.
Kahl's assessment echoed warnings earlier this month by his colleague, Hans-Georg Maaßen, head of the domestic intelligence agency BfV.
Kahl spoke as Deutsche Telekom recovered from a large distributed denial-of-service attack that knocked out service to some 900,000 customers.
The DDoS attack, not yet attributed, is provisionally thought to be the work of criminals, not state actors.
As it recovers from the incident, Deutsche Telekom has issued a router firmware upgrade
to mitigate the exploited vulnerability.
The malware implicated in the attacks appears to be an evolved version of the Mirai botnet herder,
according to researchers from security firm Tripwire.
Tripwire's Craig Young outlined some of the highlights of this Mirai-driven attack for us.
After it infects a system, Mirai deletes the original malicious binary and relocates itself
to blend in with normal system items. Mirai also attempts to block access to the vulnerable remote
management protocol. This accomplishes two things, preventing a subsequent competing infection
and making it more difficult for ISPs to forcibly reset devices. One of the main servers used in the
attack infrastructure is registered out of
Kyiv, Ukraine, under the name Peter Parker, and clearly the hoods behind the attack don't know
that with great power comes great responsibility. The attackers built their payload for multiple
architectures. Young says, quote, as of this morning, the malware availability on the C&C
server is instead downloading and running a script which attempts to run a payload from each of seven architectures until one succeeds, end quote.
Previously infected systems are not running the new variant.
Young notes, quote,
This would imply that the controller has not or cannot update the malware on already deployed systems, end quote.
We also heard from Mike Amadi of the Synopsys Software Integrity Group.
He thinks the Deutsche Telekom incident is a bad sign that massively scalable attacks are coming
to be all the rage among black hat hackers. Quote, this is particularly alarming because our testing
tools have been able to uncover literally thousands of scalable attacks on very commonly
deployed networking equipment and IoT devices
over the last several years. It seems that simply finding a vulnerability is no longer all that
interests the malicious hacker world, but finding and exploiting high-impact vulnerabilities is very
interesting. Unless developers and users implement more rigor into discovering and mitigating
software vulnerabilities, scalable attacks will continue to grow.
Rod Schultz of security firm Rubicon Labs says the incident illustrates the risks of what he calls a break-once-break-everywhere technology,
since the routers hosted by Deutsche Telekom appear to have little digital diversity.
That may make for simpler management of devices, but as Schultz points out,
quote, that simplification is also leveraged by attackers to compromise the system.
The problem isn't susceptible to an easy fix, and Schultz foresees it persisting for many years.
The other high-profile hack of these waning days of November was, of course,
the ransomware attack on the payment and scheduling systems of San Francisco's Muni
light rail. The Muni has resumed normal service and has resumed charging passengers fares for
their rides. Transit authorities decided to let everyone ride for free during the attack
rather than suspend service. The Muni, we note, did not pay the ransom, and security researchers
have applauded that decision. The system has also so far suffered
none of the consequences the attackers threatened. Krebs on Security reports that a security
researcher who asked that his or her anonymity be preserved hacked the attacker's mailbox and
found links suggesting connections to other ransomware attacks. Signs point circumstantially
toward a Southwest Asian hacker, but there's no firm attribution yet.
Our partners at Terbium Labs, who watch the dark web pretty closely, say that, as they predicted, the cyber black market was holding Black Friday sales, too.
They saw one vendor of cyber-criminal tools flacking their wares with the come-on that the holiday season is the best time to commit fraud.
Turning elsewhere, old news today either returns or persists.
The old news that's returned comes courtesy of WikiLeaks,
which has released a tranche of Carter administration diplomatic cables dating from 1979,
a year which Assange and some others apparently believe represented a kind of watershed for recent history.
A low point in American power,
a brief period when the Soviet Union appeared to be in unchallengeable ascendancy,
and a time marked by the rise of newly militant Islam in Iran and elsewhere.
The old news that persists includes one former and one prospective U.S. Secretary of State.
Former Secretary Clinton faces continued civil litigation
over security issues with her emails,
and prospective Secretary of State Petraeus,
who met recently with President-elect Trump reportedly to discuss the job,
remains under investigation for security breaches committed
during his tenure as CENTCOM commander and director of central intelligence.
Despite assurances to the contrary by President
Obama and Homeland Security Secretary Johnson, concerns about election hacking produce recount
drives in closely decided states. These recount demands are largely led by Green Party presidential
candidate Jill Stein. Terbium Labs told us they've seen a recent dump of personal information
associated with the Greens and calls on the dark web for a general doxing effort against that party.
Terbium also notes that one of Tor's more popular doxing and dumping sites
has just popped back up after having been down for over a month.
The site, Cloud9, has a new layout,
and it has a record of hosting politically motivated doxing,
along with more standard doxing dumps.
And finally, there's apparently been a breach at the xHamster adult site,
with user accounts appearing on the dark web.
We know none of you have anything to worry about,
but if a friend asks you, well, they can't say John McAfee didn't warn them years ago.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Dale Drew. He's the chief security officer at Level 3 Communications.
Dale, we're just about to wrap up November.
But before we do, it's worth noting that November was Critical Infrastructure Month.
You know, I'd like to think that every month is Critical Infrastructure Month.
We're just highlighting a little bit more of it in November.
Well, you know, and it's one of those issues where we're seeing more and more rapid exploitation of businesses.
You know, businesses can no longer reflect on a compromise as something that happens to a peer they have in the industry or to some other unrelated company. It really is beginning to hit home more and more, because there are no safe territories for victims these days.
People can't say that will never happen to me.
That's exactly right.
I mean, I seem to recall there was a study by GAO, the Government Accountability Office, that said between 2006 and 2015, we increased from 5,500 victims a year to 77,000 victims a year.
And so that's a 1,300% increase in victims.
So it really is no longer that it can't happen to me mentality.
And so when we're talking about critical infrastructure, what does that encompass?
Well, you know, I mean, critical infrastructure is those elements that are
responsible for making up a majority of our infrastructure, whether that's the water we
drink in our homes, the transportation that moves us, the stores we shop in, or the communications
infrastructure we rely on to stay in touch with friends and family and businesses
So, you know, it really is the things that bind our capability as a society.
And, you know, we've seen what I would describe as sort of warning shots, you know, shots across the bow.
There's the famous story about the control system on the dam in Rye, New York,
and of course the more serious stuff that happened in Ukraine with their power system.
I think some people, myself included, have a hard time really getting a sense for, you know,
how seriously to take some of these threats because we, you know,
a major event has yet to happen certainly here in the United States.
Do you think that's a fair description?
I think incidences are occurring pretty much on a regular basis,
and they're mostly in the forms of theft of intellectual property.
And we see a lot of compromises of some critical infrastructure providers,
especially when it comes to where we see bids for infrastructure
proposals. We see nation states break into quite a wide variety of critical infrastructure providers
in an effort to steal intellectual property so they can use that data to compete in those bids.
So, you know, something as trivial as that, that sort of avenue gives them access to that baseline infrastructure and that capability to be able to launch other attacks.
There was an attack, I wouldn't call it a critical infrastructure per se, but it was pretty close. name service, DNS provider, that provided the ability to, you know, essentially serving
directory name services for certain domains that are responsible for critical payment
infrastructure, critical communications infrastructure.
And when that service went down, a significant number of websites went down with it.
And so something that, you know, those little connective tissues become very,
very critical in our ability to tie all this infrastructure together.
And when we look at something like the ability of the Mirai botnet to take down, you know,
large parts of the internet in North America, do we consider the internet to be critical
infrastructure?
Yeah, I would say at this point, the Internet absolutely is a critical infrastructure. I mean, not only are there businesses that operate almost entirely and exclusively on its dependency, but our ability to communicate as a society is largely dependent upon the availability of the Internet. So absolutely, I think it is a critical, critical infrastructure.
All right. All right. Well, Dale Drew, once again, thanks for checking in. We'll talk again soon.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.