You're listening to the CyberWire Network, powered by N2K.

Grab the holidays by the bawls with Duluth. Step one: hire a mall Santa to handle snow removal. Ho, ho, ho, ho, ho... whoa, sciatica! Step two: hit Duluth Trading and load up on Fire Hose pants, Buck Naked underwear, pocket-packed bibs, free-swinging flannel, and all kinds of ingenious gear you won't find anywhere else. Grab the holidays by the bawls and shop Duluth Trading, online and in-store.

Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early '90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run, and protect your business all in one place, and they save you from wasting hours making sense of all that legal stuff. Launch, run, and protect your business to make it official today at LegalZoom.com. You can use promo code Cyber10 to get 10% off any LegalZoom business formation product, excluding subscriptions and renewals; that expires at the end of this year. Get everything you need from setup to success at LegalZoom.com and use promo code Cyber10. That's LegalZoom.com and promo code Cyber10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm, LZ Legal Services, LLC.
A look at ISIS's online community; the possibilities and limitations of social media as a source of intelligence; Microsoft addresses Flash Player issues in IE and Edge; national cyber laws and policies are considered; and industry analysts forecast a very big 2016 for cybersecurity.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, December 30, 2015.

Officials in the U.S. and U.K. continue to warn of ISIS's intentions to attack critical infrastructure, even as they deprecate the Caliphate's technical capability to do so. ISIS remains far more active in social media than elsewhere in the cyber domain. War on the Rocks has an account of ISIS's Twitter usage. It's the familiar story of a "factitious community's" appeal to the disaffected: recruits find fellowship and transcendence as they're drawn into ISIS chatter. Prosecutions of ISIS adherents in London and Texas highlight both the possibilities and the limitations of monitoring social media for clues to terrorist activity. Such monitoring is proving useful in investigation and prosecution, but when authorities attempt prediction, the signal-to-noise ratio is frustratingly low.

New accounts of U.S. intelligence collection against foreign targets have appeared. The most recent cases under discussion involve monitoring of Israeli official communications during nuclear negotiations with Iran. The operations are said to have had, as a side effect, collateral collection of U.S. parties to those electronic conversations, notably some members of Congress. The Wall Street Journal provides historical context, describing Cold War rules that continue to govern aspects of foreign intelligence collection.

Windows 10's recovery feature sends users' disk encryption keys back to Microsoft. Several observers offer suggestions for working around what is generally unwelcome functionality.
Devotees of Apple mobile devices continue to enjoy the safety of the company's App Store, but some users are bypassing those protections, even on non-jailbroken iOS devices, by downloading unvetted apps from rogue marketplaces using what Proofpoint calls "DarkSideLoaders."

Microsoft has issued an emergency advisory for Edge and Internet Explorer that addresses vulnerabilities recently discovered in Adobe Flash Player.

In industry news, FBR Capital forecasts very high demand for cybersecurity products and services in 2016. It also foresees a wave of mergers and acquisitions in the sector.

U.S. cyber legislation remains controversial as its implications are digested. India deliberates information sharing and Internet sovereignty. Businesses worldwide consider the effects of China's new security laws. But when it comes to baked-in surveillance, no government on Earth can hold a candle to North Korea's Red Star operating system.

With lululemon, the real gift happens when they're living in it. When you give the fan-favorite Everywhere Belt Bag, the real gift is. And when the ultra-soothing Restfeel slides are the gift, you're really giving them. This holiday, lululemon makes it easy to give little luxuries that go beyond. Open the moment. Shop now at lululemon.com.

And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to InfoSec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike, and Cisco: 35 vendor integrations and counting.
SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity, or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack, or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

Imagine this: your primary identity provider goes down, whether it's a cloud outage, a network issue, or even a cyber attack. Suddenly, your business grinds to a halt. But what if it didn't have to? Meet Identity Continuity from Strata, the game-changing solution that keeps your business running smoothly no matter what. Whether your cloud IdP crashes or your on-prem system faces a hiccup, Identity Continuity seamlessly shifts authentication to a secondary or even tertiary IdP, automatically and without disruption. Powered by the Maverics Identity Orchestration Platform, Identity Continuity uses smart health checks to monitor your IdPs' availability and instantly activates failover strategies tailored to your needs. When the coast is clear, it's a seamless switchback. No more downtime, no lost revenue, no frustrated customers. Just continuous, secure access to your critical applications every single time. Protect your business from the high costs of IdP outages: with Identity Continuity from Strata, downtime is a thing of the past. Visit strata.io/cyberwire to learn how Strata's Identity Continuity can provide seamless enhanced capabilities to your existing identity fabric, and receive a free set of AirPods Pro.

Joining me now is Andre Protas. He's the Technical Director of the Security Research Team at CyberPoint International. Andre, I want to talk about DDoS attacks. So, let's just start with the basics.
What does DDoS stand for? And how do I know if a DDoS attack is happening?

Distributed denial of service. Generally, a DDoS attack is when multiple nodes will attack one single node and try to exhaust that node's resources. So, that exhaustion can be either memory or resource exhaustion, so doing a lot of requests for the same webpage that might take a long time to load, or it might just be simple bandwidth exhaustion. And the idea of a DDoS is that it's coming from so many different IP addresses and different locations that you can't just simply block one IP address and then not have the attack continue, because it comes from a lot of different locations. It's kind of like a death by a thousand cuts.

Are there ways to mitigate that sort of attack?

The most common DDoS that is really out there is one that's for web servers. So, somebody wants to take down Yahoo.com or one of the major websites. What they'll do is a DDoS, and they'll have a bunch of different nodes, whether they're people firing up software or they're a botnet or one of these other large node systems. They're going to start exhausting the resources of that site by making very large requests to that web server. So, what a lot of people will do is they'll use content distribution networks, CDNs for short. There's a couple of example companies like CloudFlare that would do that. What that does is your website is no longer being served by one single node; it's almost distributed in itself. So, when people go to Yahoo.com, they're not actually going to a Yahoo server. They're going to an optimized server in the UK if they're nearby, or they're going to a CloudFlare server in San Francisco if that's where they're at. So, it pushes the content out on the web, so that it kind of fights distribution with distribution.

So, how do DDoS attacks end? Is it a matter of the attacker giving up or moving on to a different target?

Yeah, generally. So, they just get bored and walk away.
Sometimes they might get caught. So, whenever they're actively attacking, there's always that threat that they might get caught themselves. They're the ones that are issuing commands. So, they might close the attack so that they kind of close their exposure.

So, help me understand: how does a DDoS attacker organize themselves to be able to come at you from so many different directions?

Yeah, generally for those, a single attacker with multiple nodes is a botnet. So, they'll harvest a whole network of bots, either by going after vulnerable websites or doing drive-by exploitation and basic malware installation. So, they can get up to 10, 20, 30,000 nodes pretty easily, and then create those different networks and then task them all: on Thursday next week, I want you all to go attack a certain website.

Andre Protas, Technical Director of the Security Research Team at CyberPoint International. Thanks once again for joining us.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.

And now, a word from our sponsor NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now, you can go to www.nordpass.com/cyberwire for 35% off the NordPass Business yearly plan. Don't miss out on that.
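The interview's central point, that a distributed flood cannot be stopped by blocking one IP address, can be made concrete with a small triage routine over web-server access logs. This is an added example, not code from the show or from CyberPoint: it uses constructed Combined-Log-Format-style lines, an assumed baseline request rate, and assumed thresholds (a 5x surge over baseline, a top source carrying at least 25% of requests), and classifies a window as normal, single-source (a plain block on one IP helps), or distributed (the "death by a thousand cuts" case where upstream capacity or a CDN is needed).

```python
"""Toy flood triage over access-log lines (constructed sample data).

Added example; thresholds and sample data are assumptions, not CyberPoint's.
"""
from collections import Counter
import re

# Matches the start of a Combined-Log-Format line: <ip> - - [<ts>] "<request>"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse(lines):
    """Yield (source_ip, request_line) for well-formed lines; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(3)


def triage(lines, baseline_rps, window_s=10, surge=5.0, top_share=0.25):
    """Classify one window of log lines as 'normal', 'single-source' or 'distributed'."""
    counts = Counter(ip for ip, _ in parse(lines))
    total = sum(counts.values())
    # Not a surge at all (or nothing parsed): below baseline * window * surge factor.
    if total == 0 or total < baseline_rps * window_s * surge:
        return "normal"
    _top_ip, top_n = counts.most_common(1)[0]
    # One source carries most of the load: blocking that single IP is effective.
    if top_n / total >= top_share:
        return "single-source"
    # High rate spread thinly over many sources: per-IP blocking will not help.
    return "distributed"


def sample_window(kind):
    """Constructed 10-second windows, one log line per request (sample data)."""
    tmpl = '{ip} - - [30/Dec/2015:12:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 512'
    quiet = ["10.0.0.%d" % (i % 7) for i in range(40)]          # 40 normal requests
    if kind == "normal":
        ips = quiet
    elif kind == "single-source":
        ips = ["203.0.113.9"] * 600 + quiet                     # one noisy client
    else:  # distributed: 640 requests, each from a distinct constructed address
        ips = ["10.%d.%d.%d" % (i >> 16, (i >> 8) & 255, i & 255) for i in range(640)]
    return [tmpl.format(ip=ip) for ip in ips]


if __name__ == "__main__":
    for kind in ("normal", "single-source", "distributed"):
        print(kind, "->", triage(sample_window(kind), baseline_rps=1))
```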