The CyberWire Daily Podcast 5.27.16
Ep 109 | 5.27.16

Crypto wars update, story stocks, AI, encryption, and the usual crime.

Transcript

Dave Bittner: [00:00:03:07] SWIFT transfer issues are under investigation in a dozen more banks, while SWIFT announces a five-point security strategy. Attacks on the private sector are seen as having national security implications. Other cyber threats to business, DDoS and ransomware, place availability of data and networks at risk. As leading companies report results, we take a quick look at the state of the cyber security sector, without, of course, offering investment advice. We talk with experts on artificial intelligence and encryption and, as far as nation-state attacks are concerned, again, signs point to Pyongyang.

Dave Bittner: [00:00:39:00] Today's podcast is made possible by clearedjobs.net. Find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena. Join G2, a growing company where creativity, curiosity, and playfulness lead to innovative problem-solving. Learn more at thecyberwire.com/clearedjob.

Dave Bittner: [00:01:03:16] I'm Dave Bittner in Baltimore, with your CyberWire summary and Week in Review for Friday, May 27th, 2016.

Dave Bittner: [00:01:10:21] The SWIFT funds transfer network remains in the news. It appears that the anticipated wave of attempts on other banks has spread beyond Bangladesh and Vietnam. Anonymous sources have told Bloomberg that "up to 12" banks have opened investigations into attempts at fraudulent transfers. There so far seems to be no evidence of actual losses. The affected banks are said to be in unnamed Southeast Asian countries, and also in the Philippines and New Zealand. FireEye, which is investigating the theft from the Bangladesh bank, is reported to have been retained by some of the newly affected institutions. Symantec reports finding connections between malware found in Bangladesh and the Philippines and the Lazarus cyber crime group.

Dave Bittner: [00:01:54:03] SWIFT maintains that none of its own systems have been compromised. Some observers see SWIFT-related attacks as an indication that criminals are turning their attention from banking customers to the banks themselves. But whether this represents a secular trend or merely the current opportunistic state-of-criminal-play remains to be seen.

Dave Bittner: [00:02:14:11] The national security implications of attacks on corporations were under discussion this week at Georgetown’s Cybersecurity Law Institute. Companies are often the targets of nation states. Iranian operators were indicted in the US over attacks on financial institutions, and US prosecutors have also charged officers of China’s People's Liberation Army with hacking manufacturers to obtain intellectual property.

Dave Bittner: [00:02:37:18] Some reports have linked the SWIFT attacks to a nation state, most commonly North Korea, in view of the similarity of some of the malware found in Bangladesh, to that used in other incidents attributed to the DPRK.

Dave Bittner: [00:02:51:04] STEALTHbits’ Senior Vice President, Adam Laub, commented on possible nation state involvement by suggesting that the defense against this sort of attack is “to fortify,” and by this he means going beyond perimeter defenses to protect “data, privileged credentials, and the end users.”

Dave Bittner: [00:03:09:20] Lastline’s Craig Kensek also commented, “This is another demonstration of the need for international cooperation against cybercriminals and attacks like this. The financial community knows no boundaries, and funds can be transferred (or) stolen within seconds. Without cooperation, identifying the perpetrators can be next to impossible.” He recommends looking into data loss prevention and anomaly detection.

Dave Bittner: [00:03:34:16] The SWIFT network continues to work on the security of its interactions with its partners. It has announced a five-point strategy for enhanced security. It includes: improving information sharing among the global community, specifically among the approximately 11,000 users of the SWIFT network worldwide; enhancing SWIFT-related tools for customers - these tools will be tailored to users' particular needs and circumstances; enhancing guidelines and providing audit frameworks, with particular attention to making compliance transparent to, and enforced by, counterparties, regulators, and SWIFT itself; supporting increased payment pattern controls, including faster stop-payment intervention; and enhancing support by third party providers - this would include "security software and hardware, consulting and training, implementation services, providers of fraud detection solutions, interface vendors, service bureaus, auditors, and others."

Dave Bittner: [00:04:32:12] This CyberWire podcast is brought to you through the generous support of Betamore - an award-winning coworking space, incubator, and campus for technology and entrepreneurship, located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:04:59:00] Joining me is Malek Ben Salem. She's the R&D Manager for Security, at Accenture Technology Labs, one of our academic and research partners. Malek, we hear a lot about artificial intelligence and machine learning. Can you explain to us, what do those terms mean, and how do they differ from each other?

Malek Ben Salem: [00:05:13:22] In a nutshell, machine learning is one branch of artificial intelligence. Machine learning is data-driven; it is the ability to have a machine be able to learn new knowledge, by exposing it to new instances of data that it can learn from, just like a human being. Artificial intelligence is much larger. It includes, obviously, machine learning, but it also covers things like expert systems, that can reason and make deductions. It covers things like information retrieval - the ability to retrieve information related to specific concepts, such as search, for example. It covers natural language processing. It covers robotics, automated vision and perception, as well as the automation of movement, and ingestion of surrounding information. So, artificial intelligence, as a field, covers much more than just machine learning, which is really focused on the ability to learn through data.

Dave Bittner: [00:06:34:07] So is machine learning a subset of artificial intelligence?

Malek Ben Salem: [00:06:37:08] That is correct, yes.

Dave Bittner: [00:06:39:04] So explain to us, what are some of the applications for machine learning when it comes to security?

Malek Ben Salem: [00:06:43:21] Machine learning has been applied to a number of security topics, or problems, for example, analytics at the network level, looking at network traffic, automatically detecting anomalies within the traffic, and perhaps linking those anomalies to security attacks. It has been used to profile user behavior, how people interact with computer systems and using that knowledge, or those profiles of how people behave, as ways to authenticate users. Another way of applying it is the ability to automatically classify data as sensitive or non-sensitive, based on instances of sensitive and non-sensitive data. So, building an algorithm that can automatically predict how sensitive a piece of data is, based on previous instances of data that it has seen before.

Dave Bittner: [00:07:47:20] Alright, interesting stuff. Malek Ben Salem, thanks so much for joining us.

Dave Bittner: [00:07:54:21] This CyberWire podcast is brought to you by Recorded Future, the real time threat intelligence company whose patented web intelligence engine continuously analyzes the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at: recordedfuture.com/intel.

Dave Bittner: [00:08:24:10] This week saw another executive taken down in the wake of a cyber incident, as a fraudulent transfer, with no relation to SWIFT, prompted the board of Austrian aerospace firm FACC to remove the company’s CEO. The incident here is being called a case of “presidential impersonation,” a kind of business email compromise in which a spoofed email, purporting to be from a corporate officer, prompts company personnel to transfer funds or give up sensitive data.

Dave Bittner: [00:08:51:18] Other business concerns this week involved the two longstanding threats to network and data availability: DDoS and ransomware. Domain-name-service provider, NS1, was hit by denial-of-service attacks that slowed DNS delivery in the Americas, Europe, and Asia.

Dave Bittner: [00:09:07:14] With respect to ransomware, Locky is back. A JavaScript exploitation campaign is distributing it to the unwary.

Dave Bittner: [00:09:15:10] ThreatTrack Security shared some advice for businesses on how to deal with the threat of ransomware. First, back up your data, either to external hard drives or to a solid cloud-based option. Second, get on a schedule. ThreatTrack recommends backing up daily. Third, educate yourself and your people about phishing. Fourth, practice safe computing, by keeping your systems patched and up-to-date; and fifth, keep work and personal data separate.

Dave Bittner: [00:09:42:01] We might add to the notes on DDoS and ransomware two points made this week at Georgetown’s Cybersecurity Law Institute. Both of these threats make use of botnets. Researchers who made a solid contribution to botnet control would be doing the world a service, and every enterprise should have a well-conceived, well-drilled incident response plan in place.

Dave Bittner: [00:10:03:07] To the point made about the importance of patching, it’s worth noting that an Office bug Microsoft patched last year continues to yield opportunities for cyber espionage. CVE-2015-2545 is being exploited by Danti, which is active against the Indian government; Platinum; APT16; Ke3chang, and other campaigns. Unpatched systems afford an uncontested attack surface.

Dave Bittner: [00:10:29:19] In industry news, Palo Alto’s results disappointed investors last night, as did Splunk’s, which, in fairness to Splunk, didn’t represent a loss, merely a less-than-spectacular gain. But analysts, as a group, seem disposed, again, to view cyber as a story-stock sector. See, for example, Sophos, whose shares saw a small gain even after reporting a loss. And FireEye’s story appears to be looking good to investment advisers, too.

Dave Bittner: [00:10:56:06] And finally, since we’ve been talking about threats from nation states, it’s only right to close by observing that the official website of South Korea’s Air Force was shut down for about two weeks. Access has now been restored. There’s no attribution, but the world, in the style of the Magic Eight Ball, seems to say in unison, “signs point to Pyongyang.”

Dave Bittner: [00:11:29:16] One of the foundations of cyber security is, of course, encryption. Brent Waters is a Professor of Computer Science at the University of Texas at Austin, who's recently been honored with an early career award from the Association of Computing Machinery for his contributions to encryption, specifically his work in what's known as functional encryption. I asked Brent to explain what led him, and his research partners, to their breakthroughs in functional encryption.

Brent Waters: [00:11:55:13] You can trace when it first started to when I was a grad student at Princeton University. I heard of something called Identity-based Encryption, which was innovated by Dan Boneh and Matt Franklin, who had the first solution to it. What it was, was you could encrypt to someone only knowing their identity. Let's say your identity is like your email address. At the time, I had this idea that well, what if, instead of an identity being an email address, what if it could be a fingerprint or some type of biometric that you could encrypt to? The tricky thing with biometrics is, sometimes, when you measure them a couple of different times, you might get a slightly different identity, like a scan of a face or your fingerprint might look a little different. So I wanted to come up with a form of identity-based encryption that would be tolerant to this, so we called it fuzzy identity-based encryption. I took this idea to who would become my co-advisor, Amit Sahai, and we published it.

Dave Bittner: [00:12:56:03] This notion of fuzzy encryption led Waters and his team to another form of encryption, called attribute-based encryption.

Brent Waters: [00:13:02:19] We usually think of decryption as an all-or-nothing type of operation - either you have the private key and you can get the message, or you don't have it and you don't learn anything. So what attribute-based encryption did was it was the first thing to challenge this pre-existing way of thinking of encryption, in that I could label my data with a set of attributes, let's say like a surveillance camera, and we could label it with the attributes of, let's say, the GPS location and the time of day, and then later on someone might get a policy saying, "Well, you can look at all data that meets this criteria."

Dave Bittner: [00:13:38:04] His work with attribute-based encryption made Waters wonder, what if you could keep your data encrypted, keep it secure, but still perform meaningful calculations or functions on the data? That question led him and his collaborators to functional encryption.

Brent Waters: [00:13:52:07] Functional encryption is a new way of thinking of encryption. So in functional encryption, let's say we'll encrypt some data and, let's say, if you go to an authority you can get a private key which will not so much decrypt the data and let you see it in the clear; instead you could learn a function of the data. So, maybe, I could go to an authority and say, "You know, I know I'm not allowed to see all the student records, but I think I should have the ability to learn what the median GPA is for students that, let's say, are in a certain major or graduated by a certain date." So then, if I apply my private key to it, it doesn't let me see the data in the clear; instead it lets me see whatever my function is on the data.

Dave Bittner: [00:14:37:14] Brent Waters is quick to point out that functional encryption is still in the early stages of development, and there's still work to be done.

Brent Waters: [00:14:44:03] The current candidates for functional encryption actually have two limitations. There are multilinear maps; there are both performance considerations, and they're not built on what we call standard assumptions in cryptography. To prove something's secure, we always prove it relative to some assumption, like, "My cryptosystem is secure as long as it's hard to factor large numbers." We like the assumptions to be minimal, or ones that have been tested out for as long as possible. For example, the factoring assumption has been used, or at least thought of in cryptosystems, since 1978, whereas these multilinear maps are very new and perhaps a little more dangerous. One goal of my research is to bring it from these multilinear map assumptions to things we're more familiar and comfortable with. This is a really exciting research challenge because I think this is what is needed to establish these new systems as being really secure.

Dave Bittner: [00:15:46:13] Waters warns that, while it's understandable that some people confuse functional encryption with homomorphic encryption, there are important distinctions between the two.

Brent Waters: [00:15:54:24] So let's say that, suppose, for example, I wanted you to filter my email for me. Let's say I have a bunch of encrypted email coming in, and you're, let's say, a proxy or server in between me and my mobile phone. I have a certain function which detects spam, and if it's spam I just want you to throw it away and not even bother sending it to my phone. I also have certain other criteria for marking an email as urgent - let's say it comes from a set of urgent people, or has certain keywords. So pretty much I want you to, for a normal email just send it onto my phone, for urgent emails send it to my phone and also give me a text saying, "There's an email, you might want to look at it," and for spam just drop it. Now, suppose I wanted you to do that on my encrypted email, but without knowing anything other than these labels - I don't want you to see these labels. So functional encryption is something where I could do this. I could give you a function which decrypts the email, looks at it, but only lets you know the answer. So that's what functional encryption could do.

Brent Waters: [00:16:51:15] With homomorphic encryption, you can compute on encrypted data, but the person doing the computation never learns an answer. So if you get encrypted data, and you have homomorphic encryption, you can do a bunch of computations on it, but the third party doing the computation never learns anything, which can be a problem if I want you to know whether it's spam or not spam, but nothing else.

Dave Bittner: [00:17:16:00] Our congratulations to Brent Waters, and his research partners, and the University of Texas at Austin, on the award and for the important work they're doing.

Dave Bittner: [00:17:27:23] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. We help you stay on top of the news in cyber security and information assurance. We can also help you get your product, service, or solution in front of an informed audience of influencers and decision makers. Visit thecyberwire.com/sponsors to find out how.

Dave Bittner: [00:17:51:09] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner.

Dave Bittner: [00:17:57:07] We'll be observing Memorial Day on Monday, but we'll return to our regular schedule on Tuesday. In the meantime, join us in sparing a thought, and more than a thought, for the fallen, and thanks for listening.