CyberWire Daily - Mirai, "Botnet #14," hits Liberian networks. Anonymous doesn't much care for either jihad or the Man. A new security company forms with acquisition of Cryptzone, Catbird, Easy Solutions, and Brainspace. Election hacking updates.
Episode Date: November 4, 2016. In today's podcast, we hear about how Liberia has sustained a significant DDoS attack (Mirai is behind it). Linux/Moose is also on the IoT loose. Hospitals in the UK continue to recover from ransomware attacks. Anonymous doesn't like ISIS, but it also doesn't like the governments who are fighting the Caliphate. Exaspy malware targets business leaders' Android phones. A new joint venture is poised to become a mid-major in the cyber security sector. Accenture Technology Labs' Malek Ben Salem explains developments in redactable blockchain. AT&T CSO Bill O'Hern provides his perspective on current and coming cyber security challenges. And an update on election hacking—it's more of the same, with more coming.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Liberia sustains a commerce-clogging DDoS attack, and Mirai is behind it. Linux/Moose is on the loose. Hospitals in the UK continue to recover from ransomware attacks. Anonymous doesn't like ISIS, but it also doesn't like the governments who are fighting the caliphate. Exaspy malware targets business leaders' Android phones. A new joint venture is poised to become a mid-major in the cybersecurity sector. And an update on election hacking. It's more of the same with more coming.

I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, November 4th, 2016.
Liberia is sustaining a massive nationwide distributed denial-of-service attack, and e-commerce in the country is described as having ground to a halt. The Mirai Internet of Things botnet, which some in the security industry are calling Botnet #14, is again implicated. Attribution remains unclear, although it's worth recalling that the U.S. intelligence community attributed Dyn's takedown by Mirai to some unspecified non-state actor.

Whoever's behind the attacks, some fear that they and other recent Mirai activity constitute a test and rehearsal of a cyber warfare operation. Thomas Pore, Plixer's director of IT and services, told the CyberWire that testing weapons historically has two main purposes. It can serve as a scare tactic to dissuade a potential enemy, and it can also obviously be undertaken to reveal and help correct design flaws in a weapon or its operational concept. He thinks the Liberian attack was designed to prove a concept and not to frighten. Quote, issuing large-scale volumetric attacks for short durations against Liberia could indicate that it is weapon testing, end quote. The attacks were conducted in brief bursts and affected a smaller country, whose troubles populations in larger, more powerful nations might be expected to overlook. Quote, an attack of that size could definitely take a small country down, and perhaps Liberia is just the testing ground for something larger, end quote. Pore went on to say that if he's right, the U.S. might expect to see some major sustained Internet outages before the end of 2016.
IoT botnets can be used for more than DDoS. ESET and GoSecure describe Linux/Moose, malware that herds IoT bots for social media fraud, specifically on Instagram.
And in industrial Internet of Things news, Booz Allen Hamilton has a new research report on 2015's hack of the power grid in western Ukraine. Of particular interest is the attackers' patience. The blackouts were two years in preparation, and the campaign was part of an extensive, multi-pronged effort. Booz Allen researchers conclude that the campaign involved at least 11 distinct attacks against Ukrainian mining, television, railways, electrical power distribution, and governmental archives. The investigators also find more circumstantial evidence to support the consensus that Russian threat actors were directly involved.
In the UK, the Lincolnshire and Goole Trust, a National Health Service hospital system, continues to recover from a cyber attack that forced it to cut back on planned operations and divert major trauma cases to neighboring facilities. It appears the attack involved ransomware, which has proved particularly damaging to healthcare IT infrastructure this year. Plixer's Thomas Pore also contacted the CyberWire about this incident and offered an account of why the healthcare sector seems to see so much ransomware. The real-time assistance healthcare providers give and the obvious time sensitivity of their services go a long way to explaining why cyber criminals would find ransomware particularly attractive to use in attacks on hospitals. It's harder for them to ride out an attack when patient health and safety are on the line.
Turning to hacktivism, Anonymous remains predictably double-minded about ISIS. On the one hand, the anarchist collective doesn't like violent jihad. On the other, it also doesn't want to get co-opted by the Man. Anonymous hacktivists have sought, with unknown success, to disrupt ISIS's presence on social media especially, but not all the collective's operators think the attempt a good thing. Motherboard held a Skype interview with Discordian, regarded as a longtime member of the collective, complete with a Guy Fawkes mask, who's decidedly on the stick-it-to-the-Man side of the question. Discordian calls the internal division a civil war. He doesn't like ISIS, he says, but he also doesn't think ISIS can be fought through censorship, and he thinks Anonymous cooperation with security agencies is opening the group up to infiltration.

Skycure reports on Exaspy, Android malware used in highly targeted attacks against business executives. Exaspy masquerades as a Google Play app, and it has some unpleasant capabilities. It collects chats and messages sent and received via SMS, MMS, and popular email and IM apps, including Gmail, Facebook Messenger, Skype, and WhatsApp. It records both audio and telephone calls. It can collect pictures and take screenshots. It scoops contacts, browser histories, and calendar entries. And finally, it exfiltrates all this stuff to a remote server controlled by the hoods who run it.
This week has seen some significant industry news. CenturyLink, which is itself in the process of buying Level 3, has just announced that it's selling its data centers and colocation business to a joint venture led by BC Partners and Medina Capital. That new security company (it hasn't yet got a name, but it will immediately become at least a mid-major player in the sector) has also acquired four complementary cybersecurity shops: Cryptzone, Catbird, Easy Solutions, and Brainspace. We'll watch developments with interest.
Finally, the U.S. elections approach, with much overheated trepidation about vote hacking. At this point, such fears will probably serve as inspiration to incite whatever enthusiasts, activists, bullies, trolls, intelligence services, and the whole tribe FBI Director Comey tends to characterize as screwed-up individuals to do their level skid best to be a nuisance. If Fancy Bear is as interested in messing with the election as Fancy Bear appears to be, well, Fancy Bear can probably just take the week off and kick back. More WikiLeaks dumps are expected, but don't expect the FBI to wrap up renewed investigations into State Department emails and pay-for-play foundation allegations before Tuesday. It will take time to sift through those half-million-plus homebrew server emails on Mr. Weiner's laptop.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me once again is Malek Ben Salem. She's from Accenture Technology Labs. Malek, you all made some news recently with some announcements about redactable blockchain. Fill us in on what's going on there.

Sure. As you know, blockchain is a technology that supports Bitcoin, which is a permissionless or open cryptocurrency. And immutability is the basis for trust in that system. However, there are many issues with the misuse of the immutability of the Bitcoin blockchain, such as now it contains inappropriate and illegal material, including links to pornography. In real-world uses of the blockchain, there may be needs for making a change. And while in most cases the immutability characteristic of the blockchain is really important, there may be other cases where you may need to make changes, particularly when we're talking about permissioned or private blockchains. So that's what Accenture has worked on in collaboration with Stevens Institute. And we've announced what we called the redactable blockchain, which creates a mechanism for doing just that, making a change to the blockchain in specific cases.

How does this not bump up against one of the sort of core foundations of how blockchain works?

So if we're talking about the core foundation, meaning that immutability, then obviously it does violate that because this is creating a way to change the blockchain, to edit the blockchain. However, it's very controlled. Basically what happens is the blocks of data in a blockchain are linked back to the previous blocks by a hash. And a hash is the output of an algorithm that turns data into a fingerprint of the data, if you will. If the data changes in any way, the hash would change in an unpredictable way. Now, these hashes are organized into something that's called a Merkle tree or a hash tree. And the hashes of the transactions are organized into pairs of twos linked together in a chain. Then they are hashed again. So the hash at the very top of the tree is called the Merkle root, and that Merkle root is placed into a block's header along with the hash of the previous block and a random number called a nonce. This creates all of the information that keeps the blocks of data cryptographically linked in a chain. To enable the blockchain redaction capability, a padlock is added in the links between the blocks with a key using a special hash function, what we call a chameleon hash. And if you have the key, you can unlock the link between the block to be edited and its successor block without breaking the hash chain. With the capability, you can change the blocks at the transaction level because you can change the contents of a block, and you can consolidate and edit all of these changes and delete any information that you may want to delete and then recreate the link with this chameleon hash and close the lock again. Now again, this capability should be only given to a governing body of that private blockchain and is to be used in special cases where some private data has to be redacted or some illegal information that is not supposed to go on the blockchain, like pornography or things like that. That's when this approach is to be used.

All right. Interesting stuff, as always. Malek Ben Salem, thanks for joining us.
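The padlock-and-key picture from the interview maps onto a concrete construction, shown here as an added example. It is not Accenture's or Stevens Institute's code and does not reproduce their scheme; it assumes a toy-sized discrete-logarithm chameleon hash of the Krawczyk-Rabin form, CH(msg, r) = g^H(msg) * y^r mod p with trapdoor x where y = g^x, and a simplified block header made of previous link, Merkle root and nonce. The group size, the header layout and every function name are my own choices for illustration. The randomness r published beside each block is the padlock and the trapdoor x is the key: whoever holds x can rewrite a block, compute a fresh r that leaves the link value unchanged, and the successor's prev_link still checks out, while an edit without x breaks the chain.

```python
"""Toy redactable hash chain whose block links are a trapdoor (chameleon) hash.
Added example; the parameters are deliberately small and NOT for production use."""
import hashlib
import secrets
from dataclasses import dataclass


def _is_prime(n: int) -> bool:
    """Miller-Rabin; these fixed bases are deterministic for n < 3.4e14 (our toy size)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(bits: int = 40):
    """Return (public params (p, q, g, y), trapdoor x). Real systems use 2048-bit+ groups."""
    q = (1 << (bits - 1)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1                     # safe prime: squares mod p form a group of prime order q
    g = 4                             # 2^2 is a square, so g has order exactly q
    x = secrets.randbelow(q - 2) + 2  # trapdoor, held by the governing body only
    return (p, q, g, pow(g, x, p)), x


def _h(msg: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def chameleon_hash(params, msg: bytes, r: int) -> int:
    """CH(msg, r) = g^H(msg) * y^r mod p; collision-resistant for anyone without x."""
    p, q, g, y = params
    return pow(g, _h(msg, q), p) * pow(y, r, p) % p


def forge_collision(params, x: int, old_msg: bytes, old_r: int, new_msg: bytes) -> int:
    """With x: CH = g^(H(msg) + x*r), so choose r' with H(old)+x*r == H(new)+x*r' (mod q)."""
    q = params[1]
    return (old_r + (_h(old_msg, q) - _h(new_msg, q)) * pow(x, -1, q)) % q


def merkle_root(txs) -> bytes:
    level = [hashlib.sha256(t).digest() for t in txs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd-sized levels
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    txs: list
    prev_link: int   # chameleon hash of the previous block's header
    nonce: int
    r: int           # chameleon randomness, published so anyone can recompute the link

    def header(self) -> bytes:
        return b"%d|%s|%d" % (self.prev_link, merkle_root(self.txs).hex().encode(), self.nonce)


def link(params, block: Block) -> int:
    return chameleon_hash(params, block.header(), block.r)


def build_chain(params, tx_sets):
    q, chain, prev = params[1], [], 0
    for i, txs in enumerate(tx_sets):
        chain.append(Block(list(txs), prev, i, secrets.randbelow(q)))
        prev = link(params, chain[-1])
    return chain


def verify_chain(params, chain) -> bool:
    """Public check: each block's prev_link must equal the recomputed link of its predecessor."""
    return all(chain[i].prev_link == link(params, chain[i - 1]) for i in range(1, len(chain)))


def redact(params, x: int, chain, block_index: int, tx_index: int, replacement: bytes) -> None:
    """Governing body only: swap a transaction, then re-lock the link with a fresh r."""
    blk = chain[block_index]
    old_header, old_r = blk.header(), blk.r
    blk.txs[tx_index] = replacement
    blk.r = forge_collision(params, x, old_header, old_r, blk.header())


if __name__ == "__main__":
    params, trapdoor = keygen()
    chain = build_chain(params, [[b"tx-a", b"tx-b"], [b"tx-c"], [b"tx-d", b"tx-e", b"tx-f"]])
    before = [link(params, b) for b in chain]
    redact(params, trapdoor, chain, 1, 0, b"[redacted]")
    print("links unchanged after redaction:", [link(params, b) for b in chain] == before)
    print("chain verifies after redaction:", verify_chain(params, chain))
    chain[0].txs[0] = b"forged"            # an edit without the trapdoor
    print("chain verifies after tampering:", verify_chain(params, chain))
```

Two properties matter for the governance point made in the interview. Verification needs only the public parameters and the published r, so any participant can still audit the chain after a redaction; and the redaction leaves no trace in the link values themselves, which is exactly why the trapdoor has to be confined to the governing body and, in practice, split or logged so that its use is accountable.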
My guest today is Bill O'Hern. He's a senior vice president and chief security officer for AT&T, the largest telecommunications company in the world. AT&T just wrapped up their 18th annual cybersecurity conference in New York City. And after the show, we caught up with Mr. O'Hern for his take on the industry and the part big players like AT&T have to play.

You know, it strikes me, you know, obviously AT&T is one of the largest communications companies in the world, but at the same time, you have a challenge where you need to be nimble.

Yeah, exactly, and software-defined networking helps us get there, right? If you think about the evolution of capability here, traditionally you have software and hardware combined into appliances, and typically from a security perspective, you're putting as you decouple that hardware and software and then you real-time enable the software functionality in the network, it becomes a really cost advantage and speed advantage for you to employ and deploy new security functionality. But I think the real benefits come from when you think about strong authentication and what that means and what we need to do in the network and leverage capabilities like our mobile key functionality. When you think about security function virtualization and all of the orchestration that needs to occur to tie and integrate those platforms together. And then I think the biggie is, you know, as we get into this and we get into micro-segmentation, it drives a lot of data. And getting real-time threat analytics in a way that it creates intelligence or actionable intelligence that the network can then provision controls, I think that's really key to it. And those are all areas that we're doing a lot of innovation around and trying to push that into the next generation networking.

Obviously, in the news, we've seen this Mirai botnet attacking Krebs on Security, hitting Dyn, you know, affecting much of the internet in North America and Europe. As a large-scale provider like AT&T, how do you prepare yourselves to defend against those types of attacks?

Yeah, Dave, this is a growing issue, and I think there's several things that we need to think about this. First off, the problem exists primarily because OEMs are not really security conscious, and neither is the user base. So I think the first thing we've got to do is think about what types of standards need to be in place for products that are connected to the Internet. And by standards, I don't mean regulation. What I'm really talking about is, you know, something similar to, like, Underwriters Laboratories. And I think collectively as a, you know, as a community, we need to think about that and ensure that these OEMs have some level of standard that they're implementing at the security level.

When I think about the scale of AT&T and the fact that, you know, your company has so many devices, so many products at really every level of technology, from, you know, consumers connecting to the network on their iPhones to large enterprise concerns. Does that scale give you certain advantages to offer sort of a holistic view, a high-level view of security at every level?

Well, I think it does. And you think about all the things that you mentioned, whether it's our wireless base or our large enterprise base, right? There's nobody in the world that has the visibility that we have into running big global networks. So, you know, we play at everything from, you know, retail operations to consumer operations to business and government, you know, across the board. So what's really important for us in our threat analytic platform is to be able to digest all of that data, look at the trends, look at the threat landscape, and to the extent that we can really capture that information, understand what's going on, and think about the protections that we're going to put in place. It's really on a scale and scope that's unparalleled anywhere in the world. And, you know, we ingest that and process that through our platforms in a way that we can then take action to help protect our services.

As we head towards 2017, what do you see as being the biggest challenges facing the cybersecurity industry?

So I think there are a couple. I think we're going to see a lot of consolidation. I think customers are at a point where they can't sustain buying a new service or product for every new threat that comes out. So I think what that leads us down the path more so of is creating this virtualized ecosystem of capability whereby utilizing APIs and integration and software-defined networking, we can just embed security in the core connectivity services, and customers don't have to go out and work with, you know, 40 or 50 different vendors and manage a whole bunch of different boxes. I think the real challenge here is let's integrate that capability, let's bring the community together, take the best of breed, and push that capability right into the network so customers get to a point where security becomes effortless. It's in there, it's embedded, the capability is there, it's real-time, and it's learning, and it's provisioning security capabilities on the fly.

That's Bill O'Hern, Senior Vice President and Chief Security Officer at AT&T.
And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.