AUSA update. Mirai botnet shows risks of default IoT passwords. US-Russian tensions rise over imposition of costs.

Dave Bittner: [00:00:03:19] Cyber conflict and its place in the international order, including especially its place in Russian-American relations. The implications of the Mirai botnet and the release of its source code. Kaspersky breaks the MarsJoke crypto ransomware. Russia indicates a crackdown on cybercrime (maybe). Industry notes, and, from the black market, the Shadow Brokers still haven't found their ideal buyers.

Dave Bittner: [00:00:33:16] Time to tell you about our sponsor ClearedJobs.Net. If you're a cybersecurity professional and you're looking for a career opportunity, check out the free Cyber Job Fair on the first day of CyberMaryland, Thursday, October 20th at the Baltimore Hilton hosted by ClearedJobs.Net, a veteran owned specialist at matching security professionals with rewarding careers. The Cyber Job Fair is open to all cybersecurity professionals, both cleared and non-cleared. It's open to college students and cybersecurity programs too. You'll connect face-to-face with over 30 employers like SWIFT, DISA, and the Los Alamos National Laboratory. You can also tune up your resume and get some career coaching (all of it's free) from career expert and Air Force veteran, Patra Frame. To learn more visit ClearedJobs.Net and click Job Fairs in the main menu. Remember, that's ClearedJobs.Net. And we'll see you in downtown Baltimore. And we thank ClearedJobs.Net for sponsoring our show.

Dave Bittner: [00:01:35:24] I'm Dave Bittner, in Washington DC, with your CyberWire summary for Tuesday, October 4th, 2016. To state the obvious, cyber conflict doesn't occur in a political, military, or strategic vacuum. Its stakes and conditions are set by broader concerns: even especially the 400-pound hackers out there who live in meatspace (or perhaps baconspace), and retain some connection to the non-virtual world. Obvious as this may be, it's worth a periodic reminder that it's so. We're getting that kind of reminder this week, as we attend the 2016 Association of the United States Army Meeting and Exposition. It's been interesting to get the perspective of those whose business it is to think long and hard about the dangers of the world. We've been enjoying some interesting conversations with our hosts and colleagues in the Military Cyber Professionals Association. We had a chance today to talk at length with the author of NATO's Tallinn Manual, the best source known to us of thinking on international norms in cyber conflict. We'll have that interview tomorrow, so be sure to check it out.

Dave Bittner: [00:02:37:00] In today's news, much continues to be made of the recent Internet-of-things botnet-driven distributed denial-of-service attacks. The source code used to herd the Mirai botnet was released late last week, and it's been under inspection since. There's a good-news/bad-news angle to this particular story. That the code is out is bad news, since it's now available to other copycats and derivative hackers who will no doubt seek to make more use of it in the wild. The good news is that it's clear how the herding worked: it exploited default passwords carelessly left in place by users. 61 default passwords were enough to assemble what was at the time the largest DDoS attack on record.

Dave Bittner: [00:03:17:17] The victim of that attack, KrebsOnSecurity, has taken a look at the affected devices, and in conjunction with other researchers, has identified some of the hardware used in the attack. Many of the devices were older ones, and the news is in some respects encouraging: more companies, including such leading device manufacturers as Hikvision, Samsung, and Panasonic, are now requiring unique passwords by default. This isn't of course an infallible security measure, but it's a step in the right direction.

Dave Bittner: [00:03:47:17] The CyberWire heard from Rod Schultz, vice president of products at Rubicon Labs, who compared the modular, reusable code blocks found in IoT products to Lego. "These software lego can be stacked to rapidly create new products, but those products also share the same vulnerabilities," he said. They can also be rapidly exploited, and repurposed to hit different attack surfaces. "And that," according to Schultz, "is exactly what we are seeing with the Mirai IoT Botnet." He thinks we'll do well to prepare ourselves for more attacks of this kind.

Dave Bittner: [00:04:20:18] To return to some better news, there's some out on the ransomware front. Kaspersky has cracked the polyglot MarsJoke crypto ransomware, and they have a tool available to help comfort the afflicted. So, bravo Kaspersky.

Dave Bittner: [00:04:34:19] In the US, concerns about election hacking and voter influence persist, and Russia is the source of those concerns. Relations between the two countries are not growing warmer, and conflict in other areas is likely to spill over into cyberspace. US-Russian relations grew noticeably colder this week as Russia formally withdrew from a bilateral plutonium-control accord in response to sanctions the US has levied against Russia over the past two years. Those sanctions were put in place largely in response to Russian encroachment into Ukraine. The Russian point, being made quite explicitly in public statements this week, is that US imposition of costs (a centerpiece of American cyber policy) will itself have costs for the Americans.

Dave Bittner: [00:05:18:09] There's another development in Russian policy that has some direct implications for cybersecurity. Russia will now treat cybercrime as theft, and not fraud, as it had formerly done. This is regarded by many observers as a positive development—theft is prosecuted more aggressively than fraud, and it carries more severe penalties.

Dave Bittner: [00:05:39:19] When it comes to defending against malware, there's no shortage of solutions on offer. And there's a spectrum of philosophies on how to best spend your resources. Igor Volovich is from ROMAD Cyber Systems and he maintains that if we're going to succeed, it's time to reconsider traditional approaches, like, for example, signature based systems.

Igor Volovich: [00:05:59:07] Well, a signature is like a fingerprint, right. You have a specific set of criteria and attributes that describe a file. Typically, there is a hash associated with that file which has its unique cryptographic signature and you can go off of that. There's also some behavioral characteristics, so what we used to call puristics, back in the day, that you can employ. But, by and large, it's a one-to-one relationship. There is a single malware sample and then there is a specific signature design to detect that sample. It is a string matching pattern, matching function. That's been the traditional way to look at things. For every new exploit, we had to go find a new signature. So that one-to-one signature based relationship, it was no longer sustainable. It still is not, yet there are very few solutions that really address that problem.

Igor Volovich: [00:06:52:07] We're looking at it from a cybercriminal value chain. How is malware monetized? And who makes the money and when? Well it turns out everybody's making money in that chain, from the original person who's discovering the vulnerability to the guy who weaponizes it, to the guy who creates the exploit kit, to the guy who monetizes it at the very end, the person who's actually spamming out or sending out phishing emails, sending out ransom emails. Everybody in that chain is making money. Now the guy at the top of that chain, that's the guy I want to get to. Unfortunately, the industry has focused on these kind of law enforcement based attribution models, is what we call them. But we want to find who's doing it, raid their house, find out which ISP is supporting them, go knock them down, put them in jail, etc. You know, FBI likes to release big press releases and talk about the busts that they've made, and those are great things and they need to happen. Unfortunately, that's not scalable.

Igor Volovich: [00:07:45:22] So, without going on a cyber whodunit hunt every time we have a new family and new exploit kit released, how do we just focus on the tradecraft? And it goes to the very root of the problem. Finding out the immutable characteristics of malware families, not just strains, but actual big families, and then focusing on that trade craft, detecting it in real time, and then blocking its execution. On the end point in a cloud, or possibly across the network.

Dave Bittner: [00:08:16:17] Is it an all or nothing thing? Is there still a place for signature matching?

Igor Volovich: [00:08:21:12] Well, it's like hygiene, right. You know, you wanna wash your hands before you get a meal, right. There are basic things, best practices that we've followed for a long, long time. There are some great notions in this industry, and we've sort of conditioned the market to accept anti-virus as a very basic foundational or fundamental part of the security stack, as we call it. The portfolio of services and tools that we have on the enterprise. So, from a psychological perspective, I think a lot of folks are very tied to the hip to the idea of anti-virus needing to be there. And, if that's the barrier to entry for these new technologies, so be it. We're not trying to upset the apple cart, so to speak, but we should not be accepting the eventuality of compromise, the notion that everybody's gonna get breached whether you know it or not. And we think we need to move beyond that.

Igor Volovich: [00:09:10:04] So, what is the next evolutionary step? The next evolutionary step is actually disrupting cyber crime and cyber criminal trade craft. Elevating our thinking, evolving our thinking and then demanding that the industry evolve with us to provide the solutions that can actually deal with this capability to the enterprise and to the public at large.

Dave Bittner: [00:09:27:07] That's Igor Volovich from ROMAD Cyber Systems. In industry news, Carbon Black is said to be preparing for an IPO. It's also partnering with IBM to take on competitors in the endpoint security market. In the long-running discussion of what induces boards to take cybersecurity seriously, it turns out that the easiest risk for a board to understand is compliance risk, at least according to a study Osterman Research conducted on behalf of Bay Dynamics. That's mixed news at best, since it would seem to cede standards development to regulators, and to reinforce tendencies toward a check-the-box approach to security.

Dave Bittner: [00:10:07:10] And, finally, the Shadow Brokers still haven't found any takers for those Equation Group zero-days they say they have for sale. So hop to it, zero-day shoppers—there are bargains galore.

Dave Bittner: [00:10:22:23] Time to take a moment to tell you about our sponsor Net Sparker. Still scanning with labor intensive tools that generate more false positives than real alerts? Let Net Sparker show you how you can save time and money and improve security with their automated solution. How many sites do you visit, and therefore scan, that are password protected? With most other security products you've got to record a login macro, but not with Net Sparker. Just specify the username, the password, and the URL of the login page, and the scanner will figure out everything else. Visit netsparker.com to learn more. And if you'd like to try it for yourself, you can do that too. Go to netsparker.com/cyberwire for a free 30 day, fully functional trial version of Net Sparker Desktop. Scan your websites and let Net Sparker show you how easy they make it. That's netsparker.com/cyberwire. And we thank Net Sparker for sponsoring our show.

Dave Bittner: [00:11:18:24] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, the Department of Justice is asking for an amendment to Rule 41. This has some significant repercussions for online privacy and cybersecurity. Let's start at the beginning here. Explain to us what are we talking about with Rule 41?

Ben Yelin: [00:11:40:21] Sure, so rule 41 is under the Federal Rules of Criminal Procedure, and it allows the Federal Bureau of Investigation, or the FBI, to go ask the judge to allow them to install malware to hack into computers that are believed to be connected to various criminal activities. So, generally, we're talking about, you know, some of the most heinous things that could be on the internet: chatter, social media chatter among terrorists; child pornography; drug trafficking. Currently there's a significant limit to Rule 41, in that judges can only authorize intrusions into computers within their own jurisdictions. And the reason that's a limit is because oftentimes we don't know exactly whether the individual putting the information on the internet is actually within that judge's jurisdiction. I mean, with all the complications, with routing and IP addresses, it's very hard to identity whether a particular individual is putting information on the internet within a particular judge's jurisdiction. So, the DOJ is proposing to change the rule to limit that restriction.

Ben Yelin: [00:12:45:10] And they also are trying to expand the reach of authority of Rule 41 by authorizing the Federal Government to get permission to hack a number of computers. This article that you sent me, Dave, quoted up to a million computers, with just a single warrant. And that presents major constitutional concerns. I mean, one of the reasons we have the Fourth Amendment, and one of the reasons that the Founding Fathers were so adamant about it, is that we descended from a system in England where they had general warrants, where the police could basically come into a person's house looking for not a specific piece of information, but just granting them the ability to find what they could find and charge based on whatever they could find in a person's house. And I think courts and judges have been very reticent to these kind of broad general warrants that aren't specified based on probable cause against an individual.

Ben Yelin: [00:13:38:13] So, there's been an effort in the United States Senate, led by a couple of the lead civil libertarians in the Senate: Senator Ron Wyden of Oregon and Senator Rand Paul of Kentucky, to try and stop this amendment. It's scheduled to go into effect in December. If I had to guess, I don't think that A, there's an appetite for some sort of legislative fix to this amendment and, B, with all the distractions with the Presidential Race and some of the must pass pieces of legislation now before Congress, I just don't think this is an issue that Congress is gonna take up in the next three months. So, I think it's very likely that we do see these new rules go into effect.

Dave Bittner: [00:14:17:09] Alright, Ben Yelin, thanks so much. We'll talk to you soon.

Dave Bittner: [00:14:22:16] And that's the CyberWire. If you're at the AUSA Conference, come on by and say hello. We are at the Cyber Pavilion, hosted by the Military Cyber Professionals Association. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. The executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.