CyberWire Daily - Daily: Mirai remains a threat; experts expect more IoT-driven DDoS. ISIS, online radicalization, and terror attacks in the US. Snooper's Charter and its alternatives. Gooligan Android malware.

Episode Date: November 30, 2016

In today's podcast, we hear about Deutsche Telekom's recovery from DDoS, and why there's probably a lot more Mirai where that came from. Omri Iluz from PerimeterX gives us the background on botnets. Germany arrests an alleged mole in the BfV. ISIS claims the Ohio State attacker as its "soldier." The Snooper's Charter becomes law in the UK. San Francisco's Muni hangs tough on ransomware. A new Android malware strain is out in the wild. We welcome Awais Rashid from Lancaster University to the show. And Ross Ulbricht's defense team say they've found a third crooked cop in the Silk Road case.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Starting point is 00:01:56 Deutsche Telekom recovers from DDoS, but observers warn there's more Mirai where that came from. Germany arrests an alleged mole in the BfV. ISIS claims the Ohio State attacker as its soldier. San Francisco's Muni hangs tough on ransomware. A new Android malware strain is out in the wild. And Ross Ulbricht's defense team says they've found a third crooked cop in the Silk Road case. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, November 30, 2016. It continues to be a rough week in Germany.
Starting point is 00:02:39 Deutsche Telekom has mitigated and largely recovered from the distributed denial-of-service attack that shut down nearly a million customers for a few hours Sunday. But the consequences of the incident are more enduring. Researchers at the security firm Flashpoint have confirmed that the denial-of-service attack was Mirai-based, and they've concluded with high confidence that the incident represented an attempt by the botmasters to increase the number of devices under their control. Thus, the incident would appear to be a skirmish in a criminal turf war. Flashpoint's report says, Note the wide geographical reach of the threat.
Starting point is 00:03:20 Germany leads infections by a wide margin, but there are also significant infestations in the UK, Brazil, Iran, Turkey, Chile, Ireland, Australia, Argentina, Italy, and Thailand. Many observers have concluded that the incident is related to last week's outages at Ireland's IRCOM. One of the alleged botmasters, Best Buy, who is in cahoots with one Popopret, has been chatting with Motherboard, to whom he, she, or they boasts of the ease with which they were able to wrest control of bots from other criminals. Best Buy also says they're sorry about any inconvenience Deutsche Telekom customers might have experienced.
Starting point is 00:03:58 The botmasters really didn't mean any trouble. Although if they didn't mean trouble, what in the world did they mean? There was wide speculation after Mirai hit Dain in late October that the DDoS attacks were a trial by a nation-state seeking to prove out its ability to take down critical infrastructure at will. That initial speculation hasn't been confirmed, but it hasn't entirely gone away either. German Chancellor Merkel says it's not yet known who the attackers were, but she and other German politicians are clearly looking east toward Russia. away either. German Chancellor Merkel says it's not yet known who the attackers were, but she and other German politicians are clearly looking east toward Russia.
Starting point is 00:04:34 For some perspective on protecting yourself against bots, whether they're engaged in DDoS, content scraping, price scraping, scalping, or any of the other things bots get up to, we checked in with Omri Iluz from PerimeterX, a company that specializes in defending against bots. Most people, when they think about web security or online security, still think about a single hacker sitting in front of a computer somewhere and trying to hack into a website. And that was true 10 years ago. But once attackers moved from being just script kiddies or people that are doing this for their ego and to show off to their friends into the organized crime space, they also started looking into ways to optimize their hacking. So instead of sitting in front of one website for a few weeks to hack into it, they started scripting their attacks. So every operation they can do manually, they now automate. They create a script and they just deploy that on something called a botnet.
Starting point is 00:05:36 And now they can target thousands of websites. So a botnet is simply an army of machines that they control. What are some of the threats that sort of suit themselves to these sort of botnets? The first one is what's called account abuse. Any website with a user account system, meaning login and create-account capabilities, is being abused by these bots. And I remind you, these bots are completely automatic. So it doesn't matter how small or how big the website, they would just run and try to hack
Starting point is 00:06:11 into it. The second one is brute force. It can be with gift cards or credit cards. An attacker would come in because he has now an army of bots at his disposal, and he can just try as many times as he wants. He can go to the check balance page on a website and just try to put in random gift card numbers, seeing if any of them has a balance. Another attack that lends itself very well to bots is content theft. If you run a website, a commerce website, your competitor wants to know exactly when you start a sale, exactly what price you're selling it for, and what you have in stock. So what they would do, they would use bots to pull every page, every item, every price from your website, and they'll do it very frequently. So maybe once an hour, and they'll create a database of your entire website
Starting point is 00:07:04 without you even knowing that. What are some of the ways that people who are running websites can protect themselves against these kinds of bots? Today, especially since the IoT botnet, I'm sure you and your listeners have heard about that, the big IoT botnet. Oh, yes. We are shifting the focus into profiling the behavior of every visitor. So instead of looking at the signature of the request coming in, the IP or the rate that it's coming, we look at the actual interaction of the user with the application. And I'm talking about things like look at the mouse movements, look at the clicks.
Starting point is 00:07:43 If someone is logging into your website, he should be moving his mouse to click on the login button. He should be typing his password. If he's coming from a mobile phone, you should be able to pull sensor information, battery, accelerometer. If you don't see all of that, most likely it's a bot. So once you start looking at the actual behavior, it is very hard for them to stay hidden. That's Omri Elouz from PerimeterX. The other bad news out of Germany concerns the arrest of a BFV domestic intelligence officer. He's alleged to be an ISIS mole who was not only feeding the Islamist group information, but also helping plan terror attacks.
Starting point is 00:08:30 His thinly pseudonymous social media activity, jihadist chatter mostly, brought him under suspicion. ISIS has, in its online propaganda, now officially claimed the late alleged Ohio State attacker as its soldier. Investigators have found various statements threatening death to unbelievers and retaliation for their complicity in worldwide disrespect and repression of Muslims. Observers' consensus is that this was a matter of inspiration, not direction, and if so, that certainly fits the common ISIS pattern. Centrally directed attacks outside of the caliphate's shrinking territory have tended to be the exception rather than the rule. In a different case, a young man, Justin Sullivan, pleads guilty
Starting point is 00:09:06 in a U.S. federal court to terrorism charges. He admitted to preparing attacks in Virginia and North Carolina. Those attacks didn't come off. His allocution makes for sad reading, disaffection drawing him toward fantasies of others' deaths, which in turn drew him to ISIS online propaganda once he fell in the summer of 2015 under the influence of ISIS senior recruiter Junaid Hussein. Mr. Sullivan, age 20, agreed to a life sentence, the maximum penalty for attempted terrorism. San Francisco's Muni transit authorities hung tough against the ransomware extortionists who hit it over the weekend. The FBI and the Department of Homeland Security have been helping them out, but more ransomware attacks can be expected.
Starting point is 00:09:50 The same attackers, who may be Iranian, as there are thought to be significant Farsi notes on the attack server, have been hitting companies in the U.S. for several months. One of them paid up to the tune of $140,000. Veracode thinks the hackers are exploiting unpatched Oracle server vulnerabilities. A new Android malware strain, Gooligan, is out in the wild. A million Google accounts are thought to have been breached. More than 80 malicious apps are involved in spreading Gooligan. The name is Russian for hooligan, by the way. Call it guligan if you want to sound like Ensign Chekhov.
Starting point is 00:10:24 And about three-quarters of Android devices are believed vulnerable to rooting by the malware. And a final word on crime and punishment. Attorneys for convicted Silk Road proprietor Ross Ulbricht say there's a third bent cop out there on the case, in addition to the two already collared. He went by the handles Albert Pacino, Al Pacino, and Not Wonderful, and is alleged to have sold Ulbricht information about DEA enforcement actions. The defense team appears to be looking for grounds for an appeal, but no one else seems to be able to see how this sort of alleged corruption, bad and distasteful as it allegedly may be, could prove exculpatory. Allegedly.
Starting point is 00:11:15 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:11:58 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to welcome to the show Professor Avas Rashid.
Starting point is 00:13:07 He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, welcome to the show. By way of introduction, why don't you tell our audience a little bit about yourself and the type of work that you're doing there at Lancaster University. Thank you very much for having me on the show. It's a pleasure to be here. My research mainly focuses on the show. It's a pleasure to be here. My research mainly focuses on two areas. One is security of cyber physical systems and the other is human factors in cyber security. The two, of course, overlap and very often we look at both
Starting point is 00:13:39 kind of technical and human aspects of security and how the two come together to create interesting problems and also solutions. In addition to that, within our center at Lancaster, we also work on security of large-scale infrastructures, as well as a number of privacy-enhancing technologies. Take us through some of the research areas there at Lancaster University? So there are four primary areas of research that we have. The first one being security of cyber physical systems. Here we look at security of critical infrastructures, such as cybersecurity of power grids, water treatment facilities, gas plants. These systems are often now connected to the internet or have various vulnerabilities. And we specifically look at protecting these kind of systems.
Starting point is 00:14:30 We are also looking at security of the emerging Internet of Things devices. Another big area of research for us is security of large-scale networks. Here we look at internet-scale networks, including the Internet backbone itself. In fact, we have done studies on the resilience of the Internet backbone in Europe. And we are also looking at security of emerging techniques such as software-defined networks, as well as wireless sensor networks and mechanisms like that. We do quite a lot of work on human factors in cybersecurity, studying how the design of systems perhaps impact humans as responses to those systems,
Starting point is 00:15:16 looking at issues of usability, but also how, for instance, the human in the loop may be exploited by attackers by looking at more sophisticated social engineering techniques that attackers might deploy. And finally, we look at privacy in very large-scale connected sociotechnical systems like online social networks, looking at both how we may have more effective privacy policies and their operationalizations in these kind of settings, but also how we may do things like privacy preserving, data mining, and new forms of privacy controls that might be more usable by individuals.
Starting point is 00:15:58 All right. Professor Avas Rashid, thanks so much for joining us. We're looking forward to having you on the show. Thank you. your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
Starting point is 00:17:31 that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
