CyberWire Daily - Daily: The Mirai botnet DDoS attack, its consequences and attribution, with commentary from various observers.
Episode Date: October 25, 2016

In today's podcast we hear about some who think that IoT botnets may be best considered an instance of a more general problem with poorly secured endpoints. Good digital hygiene can be good digital citizenship. IoT device recalls follow the DDoS against Dyn. Attribution of the attacks remains up in the air: Clapper looks at "multinational hackers," Jester looks at Russia (and Russia looks at Jester and sees Vice President Biden), and yes, John McAfee is looking at North Korea. Joe Carrigan from The Johns Hopkins University's Information Security Institute inventories IoT devices, and Malcolm Harkins from Cylance shares his thoughts on taking risks.
Transcript
You're listening to the CyberWire Network, powered by N2K.

stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.

In today's podcast we hear about some who think that IoT botnets may be best considered an instance of a more general problem with poorly secured endpoints. Good digital hygiene can be good digital citizenship.
IoT device recalls follow the DDoS against Dyn.
Attribution of the attacks remains up in the air.
Clapper looks at multinational hackers.
Jester looks at Russia.
And Russia looks at Jester and sees Vice President Biden.
And yes, John McAfee is looking at North Korea.
Stay tuned.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, October 25, 2016.

Security cameras and SOHO routers formed the better part of the Mirai botnet herd that stampeded through Dyn at the end of last week. One IoT vendor, Will Price, founder of Simple Control, told CE Pro that it's misleading to call this DDoS incident an Internet of Things problem. He would rather understand it as a problem with vendors releasing products that aren't properly secured, an issue that's certainly not confined to the IoT. As he put it, quote, the budding Internet of Things has no more to do with this than the advent of the Internet caused Windows XP security problems, end quote. He's got a point, but the combination of widespread deployment, weak security, and user inattention does seem to make the IoT particularly vulnerable to this sort of exploitation.

Ray Rothrock, CEO and chairman of cybersecurity analytics company RedSeal, told the CyberWire that, quote, the reality is that the millions of systems and things connected to networks and each other create unprecedented capabilities for both good and harm, end quote. He thinks the problem is a species of the genus endpoint insecurity and that the proper response should involve putting network security controls in place to limit the effects of such attacks.
We also heard from Eldon Sprickerhoff, founder and chief security strategist of cybersecurity firm eSentire, who offered some advice to users of the kinds of devices implicated in the attacks. Because so many basic devices are now internet-enabled and connected, it's too easy for their users, and that means most of us, to overestimate their default security. No one wants their devices herded into a botnet. It's poor digital hygiene and citizenship, the virtual equivalent of spitting on the sidewalk, and it can also affect your own systems in unpleasant ways. Sprickerhoff recommends taking at least the following measures with your security system, your router, your baby monitor, with all those things at home that quietly and routinely touch the Internet. First, change device passwords and use different complex passwords for each different system. Next, ensure you've upgraded to the newest firmware available. And finally, restrict external access to home devices, with firewalling, disabling remote access capabilities, and things like that.
One manufacturer, Hangzhou Xiongmai Technology, which produces components widely used in digital video recorders and network security cameras, has acknowledged that vulnerabilities in its products were exploited in the DDoS attacks on Dyn. They're recalling thousands of devices to aid remediation of the vulnerability.

Attribution of the Dyn attack still remains unclear. We heard a lot of speculation Saturday at the U.S. Army and NATO-sponsored CyCon U.S. event in Washington that a nation-state was behind the attacks, and pretty much everyone was looking at you, Russia. But in truth, not only is it difficult to disentangle state-sponsored activity from organized crime, but the Mirai code has been freely available for some time. The Washington Free Beacon said that U.S. Director of National Intelligence Clapper told it the incident was the work of a multinational hacker group. He didn't elaborate, but other sources suggested to the Free Beacon and others that this was more a case of vandalism than it was a nation-state attack. One apparent patriotic hacktivist, Jester, is convinced the Russians are coming. He, she, or they sent Russia a message by defacing an old foreign ministry site, and the Russian foreign ministry was not amused, suggesting darkly that one might well perceive the hidden hand of Vice President Biden behind Jester.

Last week at CyberMaryland, we sat down with Malcolm Harkins, Chief Security and Trust Officer at Cylance, to get his opinions, strong ones it turns out, on the state of the cybersecurity industry, particularly when it comes to taking risks.
I believe that losers quit when they're tired, winners quit when they've won. I think we've quit on the attempt to win this stuff and capitulated to, I think, a broad industry notion that compromise is inevitable versus the notion that the attempt to compromise is inevitable. And I don't think you can fully eliminate the risk, but I do think many people have given up on the ability to prevent, and that's a shame.
Where do you think this attitude of surrender comes from?
Well, a couple of things. One is, for years and years and years, the degradation of the effectiveness of security solutions has been occurring. And we've all experienced it. I've experienced it. And so I think there's a confirmation bias, so to speak, that because that's happened for a long time, we have to accept that that's the only solution or the only approach, in which case we default to detection and response. And I'm a former business guy and got a background in economics. And when you think about it, the security industry itself profits from the insecurity of computing. And one could argue then logically for profit motives, the vast majority of the industry, not all of it, but a substantial portion of it, grows because of the insecurity of computing and the problems that occur. So economically, what do we think has happened? Well, the vast majority of the industry has come out with detection and response capabilities because that's where people were anchored in. And that's where they would like you to continue to believe you have to be. And I don't think, as I said before, you can fully eliminate risk. But I think we can do a far better job of preventing a substantial portion of the risks that we're experiencing.

We should absolutely constantly pursue perfection. It's okay to win ugly. And sometimes, you know, having been in the security industry a long time, I've won ugly a lot. And some of that is being more of a risk taker. So, you know, again, if you're in the security role and you're in the information risk role, how often are you taking risks? Your job is to, in many ways, manage people from taking risks. And sometimes you have to take a risk on a newer technology, a newer approach, a newer thought in order. So you kind of have to run to the risky thing in order to manage the risk.
But is risk-taking rewarded in this industry?
In some ways, unfortunately, no. And it's, again, a cultural underpinning, right? But in many ways, and again, part of the dialogues that we had even in the panel I was on today on C-suite concerns, businesses are in the job of managing risk. When you launch a new product, when you build a new building, when you go and enter a new market, that's risk-taking. It's financial risk-taking. And so businesses are in the business of taking risk, and those that manage those risks the best are generally the ones who win.

That's Malcolm Harkins from Cylance.
And finally, antivirus pioneer, security gadfly, and sometime, we think, presidential candidate John McAfee says he knows whodunit. North Korea dunit. He bases this attribution on what he describes as dark web chatter. But commenters on the web have taken a tell-it-to-the-marines attitude toward this. John can sometimes pop off like the much-beloved but eccentric uncle at the Thanksgiving table, like the time he said he had a team of digital ninjas who could unlock an iPhone even if the FBI couldn't. Maybe yes, and maybe no. But in the case of attributing the Mirai attacks, the story is still, as they say, developing.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, you know, we've been seeing these stories about IoT botnets.
I thought it might be interesting for you and I to just kind of go through sort of inventory.
What are the typical IoT types of devices that people have in their homes, in their offices?
Because some of them are surprising.
I mean, let's start with the obvious one, the cameras. That's right, that's the one that gets all the press: security cameras, or the doorbell cameras that people, I see ads on TV for now. You think about them as providing a stream, a video stream, out to the world. You know, if you haven't taken the time to go through and change the default password, then it's probably open to everybody to see. And as we've seen with the recent botnet that took down Krebs' site, to even exploit and make your camera part of a botnet.
Yeah, and I think a point to make with the Krebs botnet attack was that that was all done with default passwords.
Default passwords, that's right.
Every device on that botnet, according to the people we've spoken to,
was all default passwords.
So job one, when you get any IoT device, or any device really in general,
that connects to your network or the Internet, change the password.
But, you know, there were other devices involved with that
that I hadn't really thought of, and the main one for me was DVRs.
Right. Yeah, you and I were talking before the show,
and I was thinking about smugly saying,
well, I don't have very many
or any Internet of Things devices in my house,
but I do have a DVR.
Not only do I have a DVR,
but I have another cable box in my house
that I think also runs a Linux operating system
that can access the DVR.
They're networked together.
They're inside my house.
They have obvious ways to get outside to get the content that gets downloaded.
Those are Internet of Things devices. Yeah. And again, with this Krebs thing, the code that they would put in the DVR lived in the DVR's RAM. So if you rebooted the DVR, it would get wiped out. But how often do you reboot your DVR? I don't know that. I mean, when the power goes out in the house, that's when my DVR gets rebooted. Right, exactly. I think the only way I know how to reboot my DVR is by yanking the power cord out of the back of it and letting it sit there for a minute and then plugging it back in, just like when you have a technical support call, that's the first thing they tell you to do with all the hardware in your house. Right, right, right. Other devices, though, I mean, you know, we're starting to see sort of ones that make me scratch my head. I see Samsung has an internet-enabled stove.
Right. What could go wrong? Yeah, what could go wrong with a high-temperature,
unmonitored high-temperature device connected to the internet?
I was at the... That's an excellent question. I was at the Financial Crypto Conference in February, and one of the keynote speakers was Adi Shamir, who's the S in RSA. And one of his statements was that this Internet of Things phenomenon is really going to present the hugest security problem that we've seen in a long time. He said it's just going to blow up in our faces, I think. I mean, how many devices were involved in that Krebs on Security botnet? That was bordering on millions of devices. And these devices are all cheap, readily available, and they come with essentially commodity operating systems running on hardware that is significantly more powerful than was available 20 years ago.
Even if your device was taking part in this botnet, you might not notice.
Right.
The functionality of the device may not be interrupted at all.
Right, yeah.
The device keeps running, so you may not ever even notice that you've got a problem.
All right, Joe.
So, get a new device, change that password.
That's right.
All right. Good talking to you. My pleasure.
And now a message from BlackCloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.