CyberWire Daily - Daily & Week in Review: Political hacks: email, Twitter, and iCloud. Calls mount for tough US response to Russian cyber operations. Two Android vulnerabilities and one threat revealed. Verizon calls Yahoo! breach "material."
Episode Date: October 14, 2016

In today's podcast we follow the continuing story of election hacks, and the varying but convergent motives behind them. We get a side helping of good government advice from Mr. Putin. (Thanks, Vlad!)... Al Qaeda tries to reach the Millennial jihadist market with ISIS-like information operations. The Internet-of-Things enhances its reputation as an Internet-of-Trouble. Cyber stocks see turbulence as downbeat guidance spooks speculators. Pork Explosion isn't a movie from the Seventies—it's an Android backdoor. The Johns Hopkins University's Joe Carrigan responds to a listener inquiry about Amazon's recent password resets. DDoS expert Dave Larson from Corero Network Security shares his perspective on recent attacks. And please don't use a misspelled app to take selfies.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Election hacks continue with a side helping of good government advice from, of all people, Mr. Putin.
Al-Qaeda tries to reach the millennial jihadist market with ISIS-like information operations. And if you really must take selfies, at least try not to do so using a misspelled app. You've been warned.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, October 14th, 2016.
The week closes as it began with the continuing story of election-related hacks in the U.S.
Wednesday evening, Clinton campaign chairman John Podesta's Twitter account was hijacked to tweet,
Vote Trump.
We shouldn't have to say this, but we do.
It was a hack.
Mr. Podesta hasn't jumped ship to Team Trump.
It's since emerged that more than his Twitter account was compromised.
Apparently, his iCloud account was also hacked and then wiped.
This occurred some 12 hours after the latest WikiLeaks dump of predictably low-sounding emails.
We repeat, no one's email has, in our experience, ever served as much of a letter of recommendation.
Among the leaked emails were some that contained Mr. Podesta's password.
We won't repeat it here, but we hope he's changed it by now.
The FBI is said to be investigating the compromise of Podesta's accounts,
along with other Democratic Party hacking incidents.
Russian intelligence services remain the prime suspects.
Russian President Putin shrugs continued denial,
but then goes on to say that the whodunit's not important.
Rather, it's the what's in it.
Coming across like the good government blue-stocking few would have suspected him of being,
Mr. Putin suggests that people should worry more about the dumped email's contents
than they worry about how WikiLeaks got them.
The unstated conclusion is that said contents ought to shock, shock us.
With all due apologies to Mr. Putin, observers are fairly well convinced
that the who in this particular whodunit resides in Moscow.
WikiLeaks is a convenient conduit, but unlikely to be the hackers.
The Russian interest is said to lie in discrediting the U.S. political system.
The White House has promised to protect U.S. interests in cyberspace,
but how the U.S. will actually respond to Russian hacking remains up in the air.
At week's end, more foreign policy experts and defense intellectuals
are calling for that response to be vigorous.
If the policy mavens have their way, the U.S. will err on the side of toughness,
but sanctions still seem the likeliest response.
Al-Qaeda, now clearly the junior varsity in jihad, is receiving much the same military pressure as the ISIS varsity, and Al-Qaeda is also turning to an ISIS-like campaign of online inspiration in the hopes of recouping its millennial jihadist mindshare.
DDoS protection specialists at security firm Akamai continue their exploration of the IoT botnets that have been driving recent denial-of-service campaigns.
They've found the SSHowDowN vulnerability in at least 2 million devices.
Observers express frustration that this vulnerability persists.
It ought, many think, to have been dealt with long ago,
since it amounts to a poor implementation of Secure Shell.
Akamai has also reported on the other uses criminals are finding for compromised Internet of Things devices. Principal among these uses are tests of stolen credentials.
The Cyber Wire heard from Rod Schultz, vice president of product at Rubicon Labs.
He thinks the biological metaphor of a virus is an apt one and useful to understanding what's going on with IoT security. Quote: Connect a device to a network and you must model that device as a biological entity.
History has shown that certain biological viruses have catastrophic impact on society,
and now that we are connecting billions of devices to a network,
it's time everyone understands that the same thing is going to happen to digital things.
End quote.
Schultz thinks giving devices unique credentials and identities could do against computer viruses
what vaccines did against biological pathogens.
It's been an up-and-down week in industry news,
as downbeat projections concerning security spending from Fortinet
dragged down share prices around the sector.
There have been exceptions, like Barracuda,
but in general, traders have punished cyber stocks this week. Investors, however, see more promising fundamentals
and so regard many cyber stocks and their exchange-traded funds as offering buying opportunities.
Verizon says it finds the Yahoo breach material, hinting that Yahoo's bad news will affect
Verizon's planned acquisition of the troubled internet giant's core assets.
Most analysts expect the effects to be a deep discount in price, not a cancellation of the deal altogether.
Yahoo says it stands by its valuation.
Finally, several new Android vulnerabilities surfaced late this week, including Pork Explosion, a Foxconn factory debugger left behind in shipped devices.
Pork Explosion can serve as a backdoor.
We read that the backdoor was named by the researcher who discovered it.
He's said to be a barbecue enthusiast.
The popular Nine Android app, used to access Microsoft Exchange resources, has also been
found vulnerable to man-in-the-middle exploitation, but there
appears to be a fix for this one being pushed out.
And selfie enthusiasts, beware.
A bogus video app promises great selfies but actually delivers identity theft.
Don't be taken in by it.
It masquerades as an Adobe Flash Player app, but those of you who proofread your screens
carefully won't be deceived.
As often as not, it announces itself as Abodey Flash Player.
So keep it out of your digital abode and use a reputable app if you really must shoot yourself making duck lips.
Joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, we got a message from a listener who heard our reporting recently about Amazon's proactive approach to requiring people to change their passwords.
Amazon went through and sort of compared passwords against known databases of passwords that have been in big breaches.
And this listener said, so does that mean that Amazon has access to our passwords?
I would say no.
And the reason I say no is because Amazon strikes me as a company that does security right.
They have a huge business from Amazon Web Services.
So the way passwords are managed or stored, rather, is they're stored in what's called a hash.
And you can think of a hash as a one-way encryption algorithm.
Okay.
So I am going to encrypt something with the hope of never decrypting it again.
And there are properties of a good hashing algorithm,
and one of them is that given the output from a hashing algorithm,
it's very difficult to determine the input.
All right.
Now, that doesn't seem like a very good encryption scheme because now I can't recover the data,
right?
Okay.
And traditionally, you think of, I'm going to encrypt this data because I'm going to
need it later.
But the way this works, it's perfect for hashing, or for encrypting, passwords.
So if I enter my password, and let's say my password is password123 because I like to
pick passwords that are going to get me hacked immediately.
So I pick password123.
That password goes into the hashing algorithm
and the algorithm outputs
what looks like a random string of characters.
But if I enter that same password again,
it will output that same string of characters.
I see.
Okay.
So there's another factor that makes that much more difficult to guess called salting
the passwords, which is where I pick a random series of characters to either append or prepend
to my password.
That way now, if you and I both have password123 as our passwords, our hashes are different.
Right.
So I can't just go through the database and look it up.
So your reader asks, does that mean that Amazon has our passwords stored?
I'm going to go ahead and say no.
Amazon is storing their passwords salted and hashed, and what they're doing is they're getting access to these lists, and anybody can do this.
Just go out on the internet and look for it.
You can find lists of known passwords and these are passwords that have been found through social engineering of passwords.
People are predictable.
They repeat the same process over and over again.
Passwords are actually fairly predictable
unless you use a random string of characters.
And what they're doing is they're essentially
cracking the passwords that they have in their database.
And if they're finding a match,
they're notifying the user
that they have to change their password.
What do you mean when you say cracking the passwords in their database?
Okay, so if I have a list of hashed passwords, imagine any of these breaches where you hear
that somebody's leaked out hashed passwords.
Right.
There's a program out there called Hashcat, which runs on GPUs, the graphics processing
units, that is incredibly good at parallel processing for hashing algorithms.
And it works really well on these graphics cards.
So if I'm running MD5, and nobody should be storing their passwords in MD5,
but chances are there are a lot of websites out there that you have accounts on
that are storing their passwords in MD5.
I can hash those passwords from a dictionary. I can guess passwords at a rate of something like
millions a second. Take millions of guesses a second. Well, Amazon has their web services and
their cloud and their elastic computing cloud, all those different products. They have all this
processing power. So it seems to me, I haven't talked to anybody from Amazon,
but if I was going to guess at what they were doing,
it's that they're using some of that processing power to go ahead and run a program
that then hashes the passwords against users' accounts and sees if they get a hit.
And if they get a hit, then they notify the user.
A hit being a matching password.
A match to a known password from one of the publicly available databases.
Exactly.
So basically, there's a technical way that they can compare the passwords to the known passwords
without them actually knowing what that password is.
That's right. And let me go on record here and say that I think this is an incredibly smart
thing that Amazon's doing.
Because what they're doing is they're taking a database that they have, that they've gleaned from these sources.
That means that other people have that list as well.
And they are saying that your password shows up in this list.
You need to change your password because it's too weak.
Thanks, Joe, for explaining it.
It's good stuff.
We'll talk to you again soon.
It's my pleasure.
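The salt-and-hash check Joe describes, written out as an added Python example that is not part of the episode: the breach list, usernames and passwords are constructed, and PBKDF2-SHA256 stands in for whatever Amazon actually uses (Joe is guessing at their process, and so is this).

```python
import hashlib
import secrets

# Constructed sample of a publicly available breached-password list.
# Real lists run to hundreds of millions of entries.
KNOWN_BREACHED_PASSWORDS = ["123456", "password123", "qwerty", "letmein"]

ITERATIONS = 100_000  # PBKDF2 work factor; MD5 is deliberately not used here


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash: same password + same salt -> same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_user_record(password: str) -> dict:
    """What a provider stores: a random per-user salt and the hash, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(record["hash"], hash_password(attempt, record["salt"]))


def find_users_with_breached_passwords(users: dict, breached: list) -> set:
    """Hash every known-breached password under each user's own salt and flag
    the users whose stored hash matches. A match reveals only that the user's
    password is one already on a public list; no plaintext is stored, and
    nothing is learned about users whose passwords are not on the list."""
    flagged = set()
    for username, record in users.items():
        for candidate in breached:
            if secrets.compare_digest(record["hash"], hash_password(candidate, record["salt"])):
                flagged.add(username)
                break
    return flagged


def demo() -> set:
    # Constructed accounts: two users share the password Joe picks on air.
    users = {
        "alice": create_user_record("password123"),            # on the breach list
        "bob": create_user_record("password123"),              # same password, different salt
        "carol": create_user_record("not-in-any-list-7Qx!"),   # constructed, not on the list
    }
    # Salting: alice and bob share a password but their stored hashes differ.
    assert users["alice"]["hash"] != users["bob"]["hash"]
    assert verify_login(users["alice"], "password123")
    assert not verify_login(users["alice"], "Password123")
    return find_users_with_breached_passwords(users, KNOWN_BREACHED_PASSWORDS)


if __name__ == "__main__":
    print(demo())  # {'alice', 'bob'}
```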
My guest today is Dave Larson.
He's the COO and CTO at Corero Network Security,
a provider of inline DDoS mitigation technology.
With record-breaking DDoS attacks in the news,
we asked Mr. Larson for his
perspective on how we got here and what can be done to protect against what seems to be a growing
threat. All these new large-scale attacks have the same persona, if you will. They're being
orchestrated and operated out of IoT botnets with many thousands, hundreds of thousands of devices
in order to get to the scale that was seen
in the last week and a half. And so what do you make of this? Is this, you know, the reports are
that the scale of these attacks doubled what had been seen previously. Is this sort of thing a
game changer? Yeah, I think it is. I think it's not surprising. In fact, I actually believe that
that terabit attack was not the first one.
I think one of the funny things about this industry is that people claim these sizes.
But if you know anything about DDoS attacks, oftentimes there is tremendous overflow of these attacks as you get closer and closer to the origin of the attack.
So I think these attacks have been well over a terabit in scale. And I think we've seen several of them occur, whether it's against organizations like Krebs, whether it's against
PlayStation or Xbox over the Christmas holidays. These attacks have been with us, but I think they
are going to get worse. I would argue that, with the Krebs attack at 665 gig, the only entities that can meaningfully stop these kinds of attacks are the
tier one service providers that are transiting all this traffic anyway. And there is no reason
for them to carry the attack. The mitigating equipment and solutions are available, they are
effective, and they are economical. They can be used to stop this kind of activity before
it even impacts anybody downstream. But only the operators themselves have the capacity and
bandwidth scale to deal with the threat at this level. What are the motivations for why someone
launches a DDoS attack? In the Krebs case, it was retribution, oddly enough, because he outed them as a DDoS syndicate. So that was simply retribution.
In reality, though, there are a host of motivations and they're very wide ranging. And it depends on
the business that you're in. If you are a carrier of large scale credit card transactions like the
TalkTalk, you might be attacked with DDoS for the purpose of distracting you for other forms of
breach activity that are going on in your environment. If you're a media property or
news property, you might be attacked for ideological reasons along the lines of political
leanings. If you're a gaming site, you will be attacked as, frankly, an accepted part of gaming activity. So the large
entertainment gaming operators, the multiplayer, massively multiplayer gaming, the users of the
games, the players of the games actually view it as legitimate to DDoS each other and the game
platform as part of the rules and engagement and strategies of the game. So you can see there's a
host of different reasons why, but the fact is that the tools are virtually free. And so anybody
with a reason, there's very little barrier to actually acting out your motivations by actually
launching a DDoS attack. So in this arms race, you know, between those doing the DDoSs and those defending against it, you know, what is our current state? Is there an upper limit, a practical limit for where this can go?
Yeah, unfortunately, we have arrived at a situation through what I would call undisciplined network architecture or not even that, just things that we allow to ingress into our network.
People have had the sense that you can always just out-capacity anything.
So when in doubt, add capacity.
The problem with that is that the big operators have added capacity,
and now there is tremendous capacity, and there is virtually no limit to the scale and size of an attack with IoT as a backdrop.
If there are billions of devices that can be incorporated
into bots, then the scale is literally limitless in terms of the attack size.
But there is a bright side to this. There are very, very simple things that people can do from
a network operator perspective that if implemented would take care of much of the problem. So there is a best common practice that is defined by the Internet Engineering Task Force, the IETF, called BCP38.
BCP38 is a best practice for ingress filtering that gets rid of spoofed IP addresses at the ingress to the operator networks.
Well, if I just got rid of that problem alone, which is rampant on the internet,
allowing spoofed IP addresses,
there's no reason to allow it.
It would cut down the amount of DDoS
by at least a factor of 10, if not higher.
So there are silver linings here.
These large-scale attacks are starting to wreck businesses.
They're starting to cause real problems for the operators.
And it is my expectation that they are now going to act.
So while the attackers have the upper hand now,
I expect that the operators are going to start to take
at least the obvious common sense measures like BCP38
to start getting rid of much of the spoofed-IP attack traffic
that takes place in DDoS.
If you're an end user and you're connecting
to a carrier, ask them what their DDoS SLA is. Because I think what you'll find is that most
of the time the DDoS SLA is, well, if you come under attack, we promise that we'll start to do
something in 20 or 30 minutes. In the modern internet, that's not acceptable. Many of the
tier two and three operators are now adopting capability. Google clearly has the capability of dealing with instantaneous mitigation,
automatic mitigation. There is no reason to suffer DDoS. The technology exists,
the capability exists, and certainly the bandwidth capacity is there. You just need
to choose providers that are willing to give you a solution that will protect you from the problem.
That's Dave Larson from Corero Network Security.
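An added illustration, not from the episode or from Corero, of the BCP38 ingress filtering Larson recommends: a strict check that a packet's source address belongs to the prefixes assigned to the customer interface it arrived on. Interface names, prefixes and the packet sample are constructed.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes an operator has assigned to each customer-facing
# ingress interface. BCP38 says a packet arriving on an interface may only
# carry a source address from the prefixes assigned to that interface.
ASSIGNED_PREFIXES = {
    "cust-A": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}


def bcp38_allows(interface: str, src: str) -> bool:
    """Strict ingress check: accept only if src lies within a prefix assigned
    to the ingress interface. Unknown interfaces and malformed sources are
    dropped (fail closed)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ASSIGNED_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Apply the check to (interface, src, dst, bytes) tuples and return
    (forwarded packets, bytes dropped per ingress interface)."""
    forwarded = []
    dropped_bytes = Counter()
    for iface, src, dst, size in packets:
        if bcp38_allows(iface, src):
            forwarded.append((iface, src, dst, size))
        else:
            dropped_bytes[iface] += size
    return forwarded, dropped_bytes


# Constructed sample: legitimate flows from both customers, plus packets whose
# source address is forged to lie outside the sending customer's space, the
# spoofed-source traffic BCP38 is meant to stop at the operator's edge.
SAMPLE_PACKETS = [
    ("cust-A", "198.51.100.7", "192.0.2.10", 1200),
    ("cust-B", "203.0.113.9", "192.0.2.10", 64),
    ("cust-B", "192.0.2.10", "198.51.100.53", 60),   # forged source, not cust-B's space
    ("cust-B", "192.0.2.10", "198.51.100.123", 60),  # forged source
    ("cust-A", "10.0.0.5", "192.0.2.10", 60),        # forged private source
    ("cust-B", "2001:db8:b::1", "2001:db8:1::1", 500),
]


def demo():
    """Returns (number of packets forwarded, bytes dropped per interface)."""
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    return len(forwarded), dict(dropped)


if __name__ == "__main__":
    print(demo())  # (3, {'cust-B': 120, 'cust-A': 60})
```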
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.