CyberWire Daily - Daily: Yahoo! hackers seem to have been crooks (who sold to other crooks, and to government(s)). Toxic data and credential problems. Election hacking.
Episode Date: September 29, 2016

In today's podcast we hear predictions that terabit-per-second DDoS attacks may be on their way toward becoming the new normal. We consider the real threat that lies in the IoT. (A hint: security cameras are to the Internet what squirrels are to the power grid.) More concerns about election hacking surface in the US. Dr. Charles Clancy from Virginia Tech's Hume Center explains software defined networking. Netsparker's Ferruh Mavituna shares advice on securing content delivery networks. InfoArmor looks into the Yahoo! breach and finds more crooks than spies. But the crooks may be fencing data to the spies.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Terabit per second DDoS may become the new normal.
The real threat in the IoT? A hint?
Security cameras are to the Internet what squirrels are to the power grid.
InfoArmor looks into the Yahoo breach and finds more crooks than spies, but the crooks may be fencing data to the spies.
Toxic data, sock puppets, security questions, and even Major League Baseball.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, September 29, 2016.
The very large distributed denial-of-service attacks sustained by investigative journalism site Krebs on Security
and French hosting service OVH seem to have abated,
but they've shaken confidence in Internet users' ability to ride out such attacks.
When these DDoS attacks are described as very large, that's perhaps an understatement.
Krebs on Security received 620 gigabits per second of attack traffic,
which dwarfed what DDoS mitigation specialists at Akamai believe was the former record, set in June 2015.
That was 363 gigabits per second. But the OVH attack makes
what Krebs on Security suffered look puny. OVH says it was hit with 1.1 terabits per second.
Both attacks were conducted through Internet of Things botnets, which is itself very troubling.
Many of the devices herded into the botnets were routers and security cameras.
Ars Technica says that 145,000 cameras were involved in the attack against OVH. That such devices can be exploited isn't news,
nor is it surprising. Security arrived relatively late to the IoT design party,
and many of the devices themselves are computationally impoverished, difficult to patch,
owned by poorly resourced users, and themselves
near, at, or beyond their own end of life, and thus often unpatchable, even if the users were
willing and able to do so. Consider security cameras. We still tend to call them closed circuit,
but that hasn't been true for a long time. They're networked. And many of them are securing mom and
pop businesses. And remember, mom-and-pop work hard, have low margins,
no IT staff beyond maybe a kid or a grandkid,
and probably can't quite recall how long ago they set that camera up.
Mom-and-pop aren't negligent, stupid, or lazy.
Probably quite the opposite.
But you've got to have reasonable expectations about their security awareness
and, above all, about their resources.
Akamai told Ars Technica that terabit-per-second attacks may become the new normal.
There has been much sensationalist fear, uncertainty, and doubt
talked up around the Internet of Things,
much of it of the "beware, your refrigerator may be out to kill you"
or "your coffee pot may have murder in its semiconducting heart" variety.
But here's the real near-term issue.
Poorly secured but well-networked IoT devices can be herded into DDoS botnets
that can take down significant portions of the grid.
There's an analogy here to vulnerabilities
in other kinds of networks.
We hear much, for example, of the risk
that the electrical power grid could be hacked.
But consider the disparate nature of the power grid,
which we've heard people from NERC describe as a hodgepodge,
and they mean that in a good, resilient way:
a hodgepodge is difficult to take down across a country or a continent.
So an ice storm, a failed transformer,
or even a misplaced squirrel or snake won't take out a continental grid.
But storms, squirrels, and snakes can still have major local or even regional effect.
So can attackers.
The other network people, in the United States at any rate, are worrying about
is the network, or more properly networks, used to conduct voting.
This one really is too disparate to count as a single grid
or anything remotely resembling a system of systems.
It's a mix of online, air-gapped electronic, and manual systems, all run
by each of the 50 states. The FBI has warned Congress this week that there may have been more,
presumably Russian, attempts to access state voter registration databases. The FBI is also
investigating an apparent Russian attempt on Democratic Party politicians' phones.
Thomas Poore of Plixer commented to the Cyber Wire that we need to
remember how much we've come to depend upon our phones for our connection to work. Campaign
staffers and party officials are no different, he observed. Embarrassing leaks are one thing,
but there is even more sensitive information on the phones than that. "Phones of staffers
also contain real-time information sources such as GPS coordinates, microphones, and cameras for
surveillance opportunities."

Content delivery networks are an effective way of
increasing the performance of your website, but they're not without risks. We checked in with
Ferruh Mavituna from Netsparker about the security of CDNs and protecting them with
subresource integrity checks.

CDN as a concept became quite popular recently.
We had Amazon's kind of delivery networks, and we have so many other delivery networks.
People use them either for performance or simply to include a JavaScript file
from a well-known content delivery network, in the hope that their visitors already have that content in their cache and
therefore their website will be faster.

So what are some of the security issues when it comes to
content delivery networks?

The problem with a content delivery network is that you effectively trust a third
party. We talk about vulnerabilities such as cross-site scripting, when an attacker can execute JavaScript on your
website. When you trust a third party to deliver your JavaScript,
you completely trust it, because if this third party, by themselves or because they got hacked,
changed the content of this file, they can start executing JavaScript on your
website. And that means there is now a cross-site scripting. And even though your
website is completely secure, you have done everything in your power, you've had pen tests,
you have done everything, because your content delivery network got hacked, you get
hacked automatically. And the nature of these trust relationships
obviously also makes content delivery networks
a prime target for attackers.
Because if you can hack a content delivery network,
now you hack thousands of websites by design.
You control it; you can put something in there, and it will get executed in thousands
of websites.

So describe to me, what is subresource integrity, SRI?

So subresource integrity, the way it works, is supported in the browsers,
so it's a client-side protection. With subresource integrity, while including a reference to a JavaScript file,
such as a jQuery library, you say,
okay, here is the content of this library,
and here is the hash of it,
which is like a signature of this file.
If any part of it,
even one character of that content, is changed,
that signature will change.
So you create that signature by hashing it.
And then in your website, you say,
okay, get the jQuery library from this content delivery network,
and the signature must be this.
Now, when your browser calls that JavaScript library,
it checks the signature.
If the signature of that file
doesn't match what you are expecting, what you are declaring while calling that file,
the browser will not load that file. By providing this signature,
you make your website secure against these threats.

That's Ferruh Mavituna from Netsparker.
InfoArmor has published an extensive report on the Yahoo breach.
They conclude that two distinct criminal hacking groups were involved,
along with a third black market reseller.
The groups that stole the data, InfoArmor says, sold them at least three times,
once to a state-sponsored actor.
It's worth noting that state-sponsored can include a wide variety of groups
in addition to government agencies and services themselves.
Sympathizers, activists, terrorist organizations, crime syndicates,
and an array of hired guns can all, under the right circumstances,
legitimately be considered state-sponsored.
Thus, criminal and state-sponsored are far from mutually exclusive,
and states are using more fronts and cutouts in cyberspace
in an updated form of traditional information operations and espionage tradecraft.
Finally, we turn to one more lesson being drawn from the Yahoo breach.
If an organization can avoid collecting names, addresses, mothers' maiden names, first pets,
the middle school you attended, the name of your favorite baseball player when you were a kid,
that would be all to the good.
Observing the way security questions were compromised in the Yahoo breach,
Wired suggests it's time to start telling lies.
So we recommend that our editor change his answer from Ron Swoboda to Ed Kranepool.
As any old Mets fan would know, both Kranepool and Swoboda were amazing.
Besides, Marvelous Marv Throneberry is probably already taken.
So as the Major League Baseball wild-card race comes down to the wire, we'll just say, let's go Mets.
But even more so, how about dem O's, hon? We're predicting a rematch of 1969.
And I'm joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, I know an area of research for you is software-defined networking.
When we're talking about that, what do we mean?
Software-defined networking is a relatively new concept.
It's sort of come out over the last five years.
But it's this notion of decoupling the control plane of a network
from the data plane of a network.
So right now, in a typical enterprise network,
and even in the core of the Internet itself,
you have things like routing packets that are commingled with user traffic.
And this has created sort of a fundamental property of the Internet
and networks that we know today.
Software-defined networking decouples these two and creates a separate control plane isolated from the data plane, which allows the
control plane to actually reconfigure the data plane because it's no longer dependent upon it.
This enables a lot of different applications, such as load balancing and traffic engineering,
but also fundamental changes in the network topology as a function of real-time traffic
that's been observed. So lots of exciting things going on in this
community. One particular protocol, OpenFlow, is most commonly associated with
software-defined networking and is generally being embraced as at least one
standard in this emerging ecosystem. And so what are some of the security
opportunities and challenges that we'll face with this technology? Well first
I'll talk about the opportunities.
By being able to rapidly reconfigure the data plane of your network,
there's lots of opportunity for new active defense countermeasures
in both enterprise networks and core Internet itself.
So this gets to this notion of moving target defense,
where the topology of the network and the structure of the network
can be constantly changing.
So, for example, you may be able to more quickly react to attacks. You may be able to identify a particular distributed denial of service attack that's attacking your network
and reconfigure your network to block that traffic at the source rather than at the destination.
Or you may be able to identify botnets at scale and be able to block command and control channels
for botnets.
So it gives you one more tool in terms of building an active network defense.
On the downside, though, obviously there are new protocols being developed,
and there are not really best practices yet around how to protect this control plane,
in particular the OpenFlow standard itself.
The original standard had TLS as required for
security, but the newer versions have made TLS optional, which makes it easier to deploy and
easier to provision, but at the expense of potential security. So far, I haven't seen any
major intrusions into OpenFlow networks, but if you're able to get access to the OpenFlow controller,
then you really have the crown jewels of the network at that point, because that's where all the control
for the entire network is happening. All right, Dr. Charles Clancy, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.