CyberWire Daily - Daily: Record breaking DDoS, record breaking account info theft.
Episode Date: September 22, 2016
In today's podcast, we hear more on the recent hacking of German political parties. Russia reorganizes its security services—apparently the KGB is back in everything but name. KrebsOnSecurity sustains a record-breaking DDoS attack. Yahoo! discloses a record-breaking data breach. Ben Yelin from the University of Maryland Center for Health and Homeland Security weighs in on a possible Snowden pardon. Steve Durbin tells us what organizations like the ISF have to offer. Ransomware may be meeting data manipulation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout.
That's joindeleteme.com/n2k, code N2K at checkout.
The Russian government is the prime suspect in German political hacks.
Russia reorganizes its security services.
Apparently, the KGB is back in everything but name.
KrebsOnSecurity sustains a record-breaking DDoS attack.
Ransomware may meet data manipulation.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, September 22, 2016.
Deutsche Welle has followed up yesterday's report of a spear-phishing campaign against
German political organizations with more expert assessment that the compromise was
probably accomplished on behalf of Russian intelligence services.
The phish bait appears to have consisted largely of emails purporting to be from NATO.
The evidence isn't dispositive, but observers think it points fairly clearly in the direction of Moscow.
The Frankfurter Allgemeine quotes British expert Thomas Rid as saying there's forensic evidence
that the hacks were linked to last year's intrusion into Bundestag networks.
Many observers in Germany are comparing the incident to discovery in the U.S.
that Fancy Bear and Cozy Bear were deep into the Democratic National Committee's emails.
The German incidents display no obvious ideological angle,
as both the center-right CDU/CSU and, for the most part, the Moscow-aligned Left Party were affected,
but either a deeper game or an unselective collector's passion seems to be at work here.
In any case, there appears to be considerable Russian interest in electoral matters.
As the U.S. continues to mull the wisdom of a proposed separation of NSA from U.S. Cyber Command,
an idea favored by the current dual-hatted leader of both organizations,
and the separation of NSA itself from the Department of Defense,
Russian intelligence services are undergoing their own reorganization.
President Putin has announced the impending unification of the SVR, responsible for foreign intelligence,
and the FSB, responsible for security, into a Ministry of State Security.
Investigation of last weekend's bombings around New York suggests
to many observers that the lone wolf metaphor for such attackers is inapt.
The suspect shows signs of conscious connection to ISIS inspiration.
Our analytics staff suggests that we take the metaphor seriously.
A lone wolf is an aberration, since wolves are pack animals.
If the wolves are within earshot of the howling, they're still in a pack,
no matter how physically dispersed those wolves may be.
Tuesday evening, the well-known investigative security website Krebs on Security suffered a major DDoS attack.
DDoS defense provider Akamai has succeeded in mitigating the attack,
but they're calling it one of the biggest distributed denial-of-service attacks on record,
clocking the attack traffic at 620 gigabits per second.
The largest attack Akamai had hitherto observed came in at 363 gigabits per second.
That earlier attack and other big attacks like it were accomplished by botnets using
DNS reflection or amplification.
But the attack against KrebsOnSecurity was different in that it relied on no such amplification or reflection.
Instead, Akamai says that the methods were "garbage" web attack techniques
that require a legitimate connection between the attacking host and the target.
This suggests a very large botnet, possibly composed of IoT devices.
An Akamai expert told Krebs that, quote,
someone has a botnet with capabilities we haven't seen before.
We looked at the traffic coming from the attacking systems,
and they weren't just from one region of the world or from a small subset of networks.
They were everywhere. End quote.
Krebs thinks it's possible the attack is retaliation for his recent outing
of the subsequently arrested proprietors of the DDoS-for-hire service vDOS.
Some of the POST requests in the flood referenced Free Applejack, the handle of one of the lads arrested.
The ISF is a 26-year-old not-for-profit organization headquartered in London.
That's Steve Durbin, managing director of the ISF, the Information Security Forum.
We checked in with him to learn more about the ISF and what non-profit member-based organizations have to offer.
We provide a range of services to our members who are based all around the world, from New
Zealand across to South America, and including, of course, the United States and the UK and Europe.
But essentially, we provide research services, we provide software tools and methodologies, and we provide a sophisticated
collaboration environment that is both digital and face-to-face. And we do that from our analyst
bases that are in London and New York and Chicago.
And over the course of 26 years, I mean, certainly the landscape has changed.
What are some of the developments that have been key to the evolution of the ISF?
Yeah, absolutely.
I mean, it bears no resemblance today to what it did 26 years ago.
I think, you know, back in those days, it was all about focusing on the technology.
It was about things like the firewalls and so on. Today, of course, it's very much more about the business of cybersecurity.
It's about an increasingly more complex threat
landscape. It's about how do you align some of the security services that you're providing both
within an enterprise and indeed to an organization with the business requirements of those organizations
too. So I think a very different focus today from what was prevalent all those years ago.
I mean, really the bedrock of what we do is something called the standard of good practice.
This provides some clear insight to our members, really around some of the controls that they
ought to be putting in place across the security environment. That ranges from everything from
physical right the way through to mobile, cloud, and so on.
What we've also done with this is map it directly across to things like the NIST cybersecurity framework.
That's very, very important for our American-based members, of course.
But it doesn't stop there.
It also goes across to ISO standards, to COBIT 5, PCI DSS, a whole range of other standards.
So really, if you're a multinational organization and you have to comply with these different standards,
or you wish to comply with these different standards, the standard of good practice is a good place to start.
Do you think being a not-for-profit, that that gives you the ability to approach things from
a different perspective than a company who has to make money?
I think it has a number of benefits, Dave, certainly. I mean, you know, we do always
have to be focused on delivering member value, clearly, in everything that we do. But it does
mean that we're able to be very cost effective in terms of the way that we deliver that value back
to the membership. It also means that we are very focused on remaining independent and objective.
So we don't go out of our way to promote vendor products and services and so on.
And I think the other unique thing about the ISF is that our shareholders effectively are our members.
So there is a very clear line of sight between an organization that joins as a member,
the research and deliverables that they receive that is in response to their request, and also our governance structure.
So it's quite a unique way of going forward, but it certainly served us well over the last 26 years.
That's Steve Durbin, Managing Director of the ISF, the Information Security Forum.
Some late breaking news.
Yahoo has confirmed that information on at least 500 million user accounts has been stolen.
The Wall Street Journal reports that Yahoo says the hack occurred in 2014 and that Yahoo thinks a state-sponsored actor was responsible.
Observers note this is the largest ever publicly disclosed data breach.
And finally, ransomware continues to afflict
enterprises around the world. Academic institutions appear to have surpassed healthcare as the sector
most targeted by criminals. What those sectors have in common is their collection and retention
of large quantities of personal data. Yesterday, we were at the third annual Senior Executive
Cybersecurity Conference organized by the Johns Hopkins University's Information Security Institute.
We heard Johns Hopkins professor Avi Rubin,
who blocked out a new and disturbing future for ransomware.
Why, he asked rhetorically, simply encrypt files?
Why not manipulate data instead?
Suppose you were able to establish persistence in a hospital's network
and systematically alter patient medical records for a few months. Then you could approach the hospital, point out that their data was
corrupt and that you can prove it, but don't worry, you could offer to restore the integrity
of their data for a fee. And don't call it a shakedown, call it a subscription.
Professor Rubin, you've got a dark imagination.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today
to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, we're coming up on the end of President Obama's second term in office,
and that is a time when the president considers who they may grant presidential pardons to,
and I think certainly at the top of many people's minds is Edward Snowden.
And we're seeing compelling arguments, I'd say, from both sides,
for and against a presidential pardon. Can you walk us through those arguments?
Yeah, I think there are compelling arguments on both sides.
And I know this topic has come to a head recently because of the release of the new Oliver Stone film about Edward Snowden's life.
And in fact, we've seen compelling arguments within institutions themselves.
First, we saw it within the NSA.
There was a 60 Minutes segment several months after the Snowden disclosures in 2013,
where there was a divide between the director of the NSA, Keith Alexander,
who argued that Snowden should not be pardoned, that a pardon would be a moral hazard,
and that it would encourage other contractors or employees within the national security apparatus
to leak documents knowing that there would not be any adverse consequences.
Whereas the deputy director, a man by the name of Richard Ledgett,
actually entertained the possibility of a presidential pardon,
saying that because Snowden possessed hundreds of thousands of pages of classified material,
it may be in the government's interest to try and deal with them, to try and get them to forfeit the material in exchange for some sort of
immunity, including a presidential pardon. And we've also seen this argument play out in the
Washington Post, interestingly, over the last week. The Washington Post received a Pulitzer Prize
for their coverage of the Snowden disclosures back in 2013, yet their
op-ed board this past weekend wrote an editorial saying it would be improper to pardon Snowden,
much for the same reasons that General Alexander illustrated in his 60 Minutes segment.
But then today we saw an op-ed from one of the media specialists who work at the Washington Post
who took a different view and said the disclosures were extremely valuable for our public policy debate.
And it's hard to understate the policy effects of the disclosure.
bulk metadata of phone records that led to the enactment of the USA Freedom Act, which basically ended that bulk metadata program.
So it's hard to argue that the disclosures haven't
had an enormous public policy impact and that without the disclosures, we wouldn't have been
able to have this national conversation. So again, I think these are very compelling arguments. It's
something where we see the typical divide between civil libertarians who prize the concepts of transparency and openness and allowing the public to have full knowledge of some of these clandestine programs against the security apparatus who understands the threats posed by divulging classified information, and in many cases may be privy to
other secret information indicating the damage done by Snowden, whether it's cost the lives of
U.S. soldiers in the battlefield or otherwise. So I think you're absolutely right that both
sides have compelling cases. All right, time will tell. Ben Yelin, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your
executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.