CyberWire Daily - Daily: Youth and cyber make a bad-news-good-news story (it's complicated). Mirai DDoS may be the work of skids. ISIS adjusts its messaging.
Episode Date: October 26, 2016
In today's podcast, we hear that Friday's Dyn DDoS may have been the work of skids and script kiddies, not high-end Russian spies. A recall of vulnerable IoT devices proceeds. Utilities see the DDoS attacks as a warning shot—they should maybe start by getting rid of all those pagers? ISIS tweaks its online messaging to point out that the Caliphate is enduring a divinely ordained period of trial. CloudFanta malware harvests credentials via a cloud storage app. Emily Wilson from Terbium Labs weighs in on credit card fraud in the dark web. Edward Hammersla from Forcepoint reviews their study of Millennials in the federal workplace. And, fellow youths, there's some bad news and some good news about cyber.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Friday's Dyn DDoS may have been the work of skids and script kiddies,
not high-end Russian spies.
A recall of vulnerable IoT devices proceeds.
Utilities see the DDoS attacks as a warning shot.
They should maybe start by getting rid of all those pagers?
ISIS tweaks its online messaging to point out that the caliphate is enduring a divinely ordained period of trial.
CloudFanta malware harvests credentials via a cloud storage app.
And, fellow youths, there's some bad news and some good news.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 26, 2016.
Last Friday's wave of DDoS attacks that took down the servers at DNS provider Dyn,
on which so much internet traffic depends, especially in the United States,
now looks more like the work of skids doing it for the lulz than a nation-state security service.
U.S. Director of National Intelligence James Clapper said yesterday that it appeared to be the work of criminals and not, as many experts and non-experts speculated over the weekend,
Russian intelligence. Clapper did indicate that it appeared the hackers were a multinational group,
but beyond that, well, the investigation is proceeding.
Flashpoint has published a study that suggests the attackers were, as CSO calls them,
a bunch of amateurs, script kiddies, and dark web lurkers without specific political or criminal motivation.
If correct, this assessment is not reassuring, since it implies such attacks are well within the reach of many.
Other reports that the nations contributing the multinational hoods were Russia and China are also disturbing, if correct,
in that both of those countries have exhibited a degree of willingness to either co-opt, use, or hire criminal hacking elements.
The distributed denial-of-service attacks were mounted using Internet-of-Things botnets controlled by the Mirai Trojan.
Security cameras and home routers were particularly implicated in the attacks, DVRs not so much,
but these and most other consumer-grade IoT devices are comparably vulnerable.
One major manufacturer, Hangzhou Xiongmai Technology,
is recalling devices sold in the United States before April 2015.
It says its current firmware is no longer vulnerable to Mirai-style exploitation.
The company is also threatening to sue journalists blaming it for the DDoS outbreak.
That's defamation, they say.
A note to Hangzhou Xiongmai Technology: we're not blaming you, okay?
Utilities, especially electrical utilities, were spooked by Friday's attacks.
As Imperva told EnergyWire, quote, what the attack lacks for in sophistication it makes up for in pure volume, end quote.
It's also been noted that the Ukraine grid hack began with low-grade criminals and was co-opted by a capable nation-state, Russia of course by most accounts, and the same could happen with IoT vulnerabilities.
Trend Micro points out one problem with the electrical power sector: too many of its personnel still use pagers.
Pagers don't encrypt their traffic, and researchers find it relatively trivial to access that traffic.
Such interception is useful during pre-attack reconnaissance, and attackers can also relatively easily inject spoofed messages into the network.
Given the role social engineering played in the western Ukraine grid hack, utility watchers find this unsettling.
There are also some direct risks in the industrial IoT.
Security firm Indegy has found a remote code execution vulnerability in the Schneider Electric software widely used in programmable logic controllers.
Why might criminals be interested in DDoS? Well, someone is renting 100,000 Mirai-infected bots on the black market for just $7,500,
so the attack could serve as a marketing demonstration.
And of course, there's always the lulz.
While apparently not so far implicated in the Mirai-DDoS stampede,
Russia does not appear to be idle in cyber conflict.
As is usually the case, its alleged activities are deniably conducted through a third party.
The Syrian Electronic Army, with Russian backing says the victim,
has defaced sites of the Belgian newspaper Het Nieuwsblad
to protest Belgian participation in airstrikes against Syrian targets.
Wikileaks continues to release discreditable stuff purloined from the emails of those in or close to the Clinton presidential campaign.
Researchers at SecureWorks have found evidence of how the Gmail accounts were compromised: spear phishing with bogus Bitly links in bogus security warnings.
U.S. officials continue to be more worried about information operations than direct, let alone global, hacking of voting machines.
State authorities are being asked to be on their guard against attempts to influence turnout or confidence in election results.
What success any such vigilance will have remains to be seen.
There's more than enough suspicion and ill will to go around.
Netskope has released a report on the CloudFanta credential harvesting malware.
It uses the SugarSync cloud storage app for distribution,
and it tends to go undetected by most network security solutions
because it cloaks its malicious dynamic link library files, that's DLLs, as PNGs.
CloudFanta has been most active against Brazilian targets,
but it's not confined to that country.
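The cloaking trick above is exactly what a filename-based filter misses. As an added example that is not code from the CyberWire page or from Netskope's report, here is a small Python check that classifies a file by its magic bytes (PNG signature, or MZ/PE headers per the public file-format specifications) and flags names whose extension disagrees with the contents. The sample files are constructed inline and the function names are my own.

```python
"""Flag files whose extension says PNG but whose bytes say Windows PE (DLL/EXE).

Added example, not from the CyberWire page or from Netskope's report.
CloudFanta is described as cloaking DLLs as PNG files, so a defender-side
check that trusts magic bytes rather than filenames catches that trick.
The sample files below are constructed inline; the PE and PNG header
layouts follow the public file-format specifications.
"""
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
MZ_MAGIC = b"MZ"                   # DOS header that starts every PE file
PE_MAGIC = b"PE\0\0"               # NT header signature


def classify(data: bytes) -> str:
    """Return 'png', 'pe' or 'unknown' based only on file contents."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # e_lfanew at offset 0x3C gives the offset of the 'PE\0\0' signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == PE_MAGIC:
            return "pe"
    return "unknown"


def find_mismatches(files):
    """files: {path: bytes}. Return (path, kind) for files whose extension
    and contents disagree, e.g. a PE image saved with a .png name."""
    flagged = []
    for path, data in files.items():
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        kind = classify(data)
        if ext == "png" and kind != "png":
            flagged.append((path, kind))
        elif ext in ("dll", "exe") and kind != "pe":
            flagged.append((path, kind))
    return flagged


def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: DOS header whose e_lfanew points
    at a 'PE\0\0' signature immediately after it. Not a loadable binary."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)   # NT headers start right after DOS header
    return bytes(dos) + PE_MAGIC + b"\0" * 20


# Constructed sample "files"; only the headers matter for this check.
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\0\0\0\rIHDR" + b"\0" * 17,  # genuine PNG header
    "banner.png": fake_pe(),                               # DLL disguised as PNG
    "helper.dll": fake_pe(),                               # honest DLL
    "notes.txt": b"hello",                                 # neither type, not checked
}

if __name__ == "__main__":
    for path, kind in find_mismatches(SAMPLE_FILES):
        print(f"ALERT: {path} is named like an image but its contents look like {kind}")
```

On real storage you would feed `find_mismatches` the first few hundred bytes of each file rather than whole files; the check only ever reads the headers.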
As foreseen, ISIS is now attempting to adjust its messaging to deal with loss of key territories.
It's doing so by looking for scriptural evidence that such setbacks are foreordained
and in no way compromise its legitimacy.
Current setbacks are part of the period of, quote, preparation, tribulation, and difficulty, end quote, that always figures in the divine plan.
Expect this trope to become a leitmotif in the caliphate's ongoing information campaign.
Wrapping up our coverage with some of the people we met last week at CyberMaryland, Edward Hammersla is chief strategy officer for Forcepoint and president of their federal division.
Forcepoint just released a study called Millennial Rising, where they look at the growing number of millennials in the federal workforce and how that affects security and culture.
culture. So we started thinking about this trend where roughly seven percent of the current federal IT workforce is consisted of millennials,
and the projections are that that group known as millennials will be about 75% of the workforce in a few short years.
So we started thinking, what impact does that have both on hiring, training, and all kinds of other issues,
not only for our own company, but for the government and our customers?
issues not only for our own company but for the government and our customers. Typically there's a trend to trust technology more than perhaps the older
generations did. There's a feeling of you know gee I clicked the privacy button on
Facebook so I'm good. No worries about cyber right? That of course is changing
and that's particularly daunting in the areas of the government where DoD and
Intel community practices where cybersecurity is such a serious issue and taken very seriously across the board.
To me, what the finding drove home was how deep the sharing culture goes in the millennial
community. Everything from Uber cars to anything else, it's just things are meant to be shared.
And when confronted with an environment
where you're not supposed to share and you're supposed to do the opposite, it almost feels
like it goes against core values, you know. And so that's going to be an interesting challenge for
especially those parts of the government that deal in sensitive information. And I think rather,
I mean, of course, some training is going to be interesting and required, but rather than trying to change too much behavior,
I think we just need to think about our systems and our policies and how to adapt to those things.
That's Edward Hammersla from Forcepoint.
And finally, speaking of Forcepoint's study of millennials and cyber, here's the bad news, fellow youths.
You're careless, and you're all too willing to trade security for convenience.
But the good news is a lot of you would like to get good enough about security to work in the industry. So we figure we've got that going for us, right?
And if you'd like some encouraging news about us, fellow youths, look to Passcode, which at the end of last week announced the winners of its Capture the Flag competition and awarded the first Passcode Cup to a team from the University of Virginia.
Congratulations to them.
And congratulations also to the cyber prodigies passcode found in their search for 15 under 15.
One of the 15 under 15 is just 8 years old,
which ought to make millennials feel like, well, almost baby boomers.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, all the work that you do in the dark web, you see a lot of things, you see a lot of questionable stuff going on in there. I wanted to use credit card fraud as an example, sort of give our listeners a window into that world. What goes on when it comes to trading, both for buyers and for sellers of credit card information?
Sure. Great question. And we do see a lot of credit card fraud. That's one of the things that I think, besides drugs, the dark web is best known for. What you can think about for credit card fraud are kind of fundamentally two places where it will appear. There are these large dark web markets, AlphaBay is one good example, that trade in any number of items, whether it's drugs or fraud or occasionally weapons, you know, counterfeit goods. And then there are sites that are entirely designed to focus on credit card fraud, trading industry secrets, what banks are the best, advertising new cards for sale. This is one of the interesting things about the dark web, is that a lot of vendor success is based on reputation. So you have vendors who have been around for a while, though they're known to be trustworthy and they're known to have a good stash of cards on a regular basis. And then you have new people who are trying to break into that, and they're offering up samples or freebies, trying to get people to vouch for them to build credibility. The interesting thing about kind of credit card fraud, for example, is, say, the price differential between a credit card and a debit card. So credit cards are, on average, more expensive. They range, say, from $30 to $35 a card, whereas debit cards are more in the $10 to $15 range. And this makes sense for a few reasons. If you have a debit card, then you, one, need to have someone's PIN, which you may or may not have. And two, you are limited by the funds available on that account. With a credit card, however, really all you need is the number and the other card information, perhaps. And then you are facing down someone's credit limit, which, depending on the person, may be substantially higher than what they have in their bank account.
That's interesting. That's counterintuitive to me. I would have thought that, I guess I just would have thought that with the actual money in a debit account, that you're somehow getting, it's less likely that that money will be pulled back, you know, but I guess the bad guys have ways around all that stuff.
It's interesting. There's a lot of tradecraft involved and people kind of trading tips and tricks. You know, one popular way to test the validity of cards is actually a toy store, an online toy store. You know, it's funny how these things shake out. And then, you know, within a card, you have things like, you know, kind of your average credit card versus platinum versus gold, you know, and different credit card issuers and different banks. And different kinds of cards go for different prices. We see credit cards ranging up to, you know, two, three, four hundred dollars in some cases. And those are real outliers, but they do exist.
And how do they verify a buyer so that they, for example, they know it's not law enforcement?
That's interesting. Credit card vendors tend to be less concerned about that than drug vendors because it's a digital good. In the case of drugs, you're shipping a physical product, and so then you're a bit more concerned about it. In the case of a credit card vendor, really, it's just an exchange of Bitcoin. And so there's less of a concern there.
All right. Interesting stuff. Emily Wilson, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.