More stolen alt-coin is returned. Accenture reports minimal effects in the alleged LockBit attack. Home routers attacked. Source code for sale? PrintNightmare exploited in the wild. Extradition cases.
Dave Bittner: More stolen coin is returned in the case of the Poly Network cross-chain hack. Accenture says the incident it sustained had no significant effect and the LockBit ransomware gang who claimed responsibility released some relatively anodyne files. Home routers are under attack. Crooks are offering what they claim to be Bkav source code for sale on Raidforums. Magniber weaponizes a PrintNightmare flaw. Dinah Davis from Arctic Wolf shares stats on the state of women in cyber. Our guest is Peter Voss of Aigo.ai on what's missing in artificial intelligence. Two extradition cases proceed. And the Solarium Commission reports.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 12, 2021.
Dave Bittner: According to Reuters, the hoods who stole somewhere in excess of $600 million from DeFi provider Poly Network have now returned more than half of what they took - about $324 million, leaving some $268 million still outstanding. The Block reports that the attacker or attackers created a token saying, quote, "the hacker is ready to surrender," end quote and shortly thereafter, began returning the coin they'd taken. Why the criminals are returning their loot is unclear, but people claiming to be the attackers have begun saying that they hacked Poly Network to make a point about security or that they did it for the lols or for some other more or less good reason.
Dave Bittner: Security firm Elliptic, which has been keeping an eye on this incident, has been tweeting an auto-interview the apparent hackers have been posting. They ask their own questions, which they proceed to answer. It will surprise no one that the questions are softballs pitched to be easily knocked out of the park with a big swing of self-congratulation. He, she or they did it, first of all, for fun because cross-chain hacking is hot. So if you credit the auto-interview, they did it for the hack value. One exchange quoted in the Wall Street Journal exhibits a lofty disinterest in wealth combined with a didactic urge to educate the victims, effectively the hackers' students, for their own good. Says they, I am not very interested in money. I know it hurts when people are attacked, but shouldn't they learn something from those hacks? Another post says the attackers would like to give them tips on how to secure their networks.
Dave Bittner: Reuters suggests a more self-interested reason may have been in play - the hoods bit off more than they could chew. They may just have found that so much money was simply too difficult to launder. The BBC quotes expert opinion to the effect that the crook or crooks have also been spooked by the amount of attention their heist attracted. And the message the hacker is ready to surrender shouldn't be taken too literally. No one has actually shown up at a police station saying, take me in officer, I'm ready to face the judicial music. Where would the fun be in that?
Dave Bittner: The AP quotes Accenture as saying yesterday that it had identified irregular activity in one of our environments and immediately contained the matter and isolated the affected servers. The firm didn't say when the incident occurred or identify it as a ransomware attack, but it did say it had, quote, "fully restored our affected systems from backup. There was no impact on Accenture's operations or on our clients' systems," end quote.
Dave Bittner: LockBit operators claim to have hit Accenture and to have obtained some of the company's data in the course of their attack. The gang threatened to leak the files if they weren't paid and as their deadline expired, began doing so. The Record has published a screenshot of some of the files that have been dumped, but their assessment is that the data they contain don't appear to be particularly sensitive.
Dave Bittner: Less than a week after disclosure, a vulnerability in home routers from some 20 different vendors is under widespread attack, Threatpost reports. Attackers are adding the affected routers to a Mirai botnet suitable for conducting distributed denial-of-service operations. NakedSecurity has a guide on how to determine whether your device is affected and what to do about it. A good place to begin is Tenable's list of vulnerable devices.
Dave Bittner: VnExpress says that an offer of source code for some of Bkav's security products has been posted to Raidforums, where those who claim to have obtained the code are offering to sell it for $250,000. Bkav says it's investigating.
Dave Bittner: CrowdStrike reports that the operators of the Magniber ransomware have weaponized the twice- or thrice-patched PrintNightmare remote code execution vulnerability that afflicts Windows systems and are now using it in the wild, for the most part against targets in the Republic of Korea. The Record points out that there are two vulnerabilities known colloquially as PrintNightmare. The one CrowdStrike is seeing undergoing active exploitation is CVE-2021-34527.
Dave Bittner: A Canadian government lawyer told the Vancouver court hearing Huawei CFO Meng Wanzhou's extradition case that Meng had committed fraud. The U.S. is seeking her extradition, and court proceedings are now entering their final phases. The AP reports that China's sentencing of Canadian entrepreneur Michael Spavor to 11 years in prison for spying and the imposition of a death sentence on Canadian Robert Schellenberg, convicted of drug trafficking, are widely viewed as retaliatory attempts to pressure Canadian authorities into releasing Meng.
Dave Bittner: In another high-profile extradition case, The Washington Post reports that Britain's high court granted the U.S. broader grounds on which to appeal a lower court's earlier denial of a request to extradite WikiLeaks proprietor Julian Assange to face espionage charges in the States. That case also continues.
Dave Bittner: And finally, the U.S. Cybersecurity Solarium Commission has issued its 2021 Annual Report on Implementation. The report is broadly encouraging. The commission wrote, quote, "last year, we concluded that attaining meaningful security in cyberspace requires action across many coordinated fronts. We have seen a great deal of progress in implementing the original 82 recommendations from the report, as well as the recommendations we added in white papers along the way," end quote. Some of the recommendations, of course, remain works in progress, including codifying the concept of systematically important critical infrastructure and establishing a collaborative environment. These are complex and challenging goals, the commission says.
Dave Bittner: Some of the recommendations are being addressed in legislation that remains pending in Congress. The Cyber Diplomacy Act, which has yet to pass the Senate, would implement the commission's recommendation for a cyber-focused bureau at the State Department. And some have yet to gather enough support, specifically the establishment of permanent select committees on cybersecurity in the House and Senate, and the passage of a national data security and privacy protection law, which the commission says are unlikely to move forward in the near future. But the commission says it remains hopeful and that it intends to ensure that its recommendations are ready when the time comes.
Dave Bittner: Let's talk chatbots. Perhaps I'm just old-school, or maybe I've had one too many bad experiences with them, but I would put myself in the category of chatbot skeptical. When I see a chatbot on a website, my tendency is to shut that thing down right away. Peter Voss is founder, CEO and chief scientist at Aigo.ai, developers of what they describe as a second-generation intelligence engine. He joins us with insights on what AI can bring to chatbots and why maybe folks like me need to give chatbots a second chance.
Peter Voss: The technology that's typically being used in chatbots today is, basically, you have some AI-trained system that will try to make sense of what the person is saying, and then somebody writes a response to that. So it's like a stimulus response. The problem with that approach is that there isn't really any deep understanding and there isn't any, you know, memory or history or learning of what the conversation is all about. So that's sort of the current state of chatbots that don't have a brain. And, of course, you know, our innovation is that we've added a brain to the chatbot infrastructure that actually can have a deep understanding, remembers what you said earlier, and so you can have a real conversation.
Dave Bittner: You know, I have to say that - and maybe this is just a result of me being in that generation that came up before texting was the thing that it is today. But, you know, if I see a chatbot on a website that I'm going to visit, generally, I'm not all that happy about that. I'm skeptical when it comes to the level of interaction I'm going to get from something like that. Is that a common response that you all have found?
Peter Voss: Yes, absolutely. And, you know, we talk to a lot of large corporations, you know, whether it's banks or retail or insurance or medical, and, you know, they've all implemented these chatbots. In some cases, they've implemented them and then abandoned them because of, you know, the limitations that I just spoke about. Now, of course, you also have to understand that a chatbot can be connected to a live agent, you know, so - but you don't know that typically when you see a little, you know, window pop up for a chatbot, it doesn't usually tell you whether that's an automated system or whether you're actually talking - you know, whether somebody - a real human is responding to it.
Dave Bittner: It also seems to me that, for those of you who are offering up these sorts of things, that there's a very limited window of forgiveness there. You know, like, I'm happy to interact with the chatbot. But, boy, the minute it gets something wrong or the minute it causes me frustration, I'm going to bail.
Peter Voss: Yeah, absolutely. And, you know - and so you should. So...
Peter Voss: You know, the customer experience should always be good, you know. And if it isn't, I mean, either it should, you know, transfer you to a live person who can handle it if it's something that's beyond the capabilities of the chatbot. But in the first instance, it should just be, you know, much better. It should understand what you're saying. And, you know, you should be able to have a meaningful conversation and get done what you want to get done.
Dave Bittner: What about the difference between a chatbot that makes use of AI, the way that yours does, versus a search window, say, on a website? Is it a matter of having both things available so that people can choose the way that they prefer to interact with, say, a website?
Peter Voss: Oh, yes, absolutely. And, you know, companies do that. I mean, they do offer off search. But, you know, search has the same kind of limitations - in fact, in a way worse - in that it doesn't remember. For example, you can't really easily tell the search window that, you know, you're not interested in a particular product or you've already looked up a certain answer and you're not interested in that. So even the simplest of chatbots today that are offered, the companies will advertise them as using AI. So that by itself doesn't really tell you very much. You know, it might have some pattern-matching. Or it might - whatever it has, you know, typically, every vendor will tell you they're using AI.
Peter Voss: But the difference is, does it really have a cognitive engine, or what we call a brain? Can it remember what you said earlier on in the conversation? Does it have deep understanding? Does it have reasoning? You know, can it ask for clarification if, you know, you say something ambiguous? So that's kind of why we talk about a chatbot with a brain. You know, they all claim to have AI. So does it have a brain? Does it have a cognitive engine, or does it not have a cognitive engine? And you know, that really is a huge difference.
Dave Bittner: That's Peter Voss from Aigo.ai.
Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She's the VP of R&D operations at Arctic Wolf. Dinah, it's always great to have you back. You know, I know something that is near and dear to your heart is helping women in cybersecurity. And you've recently - you've - you gave a talk recently, and you also did a survey recently on this topic. What can you share with us today?
Dinah Davis: Yeah. I was actually fortunate to give a talk at Halifax BSides recently, and they asked me to do a talk about women in cybersecurity. And I thought to myself, OK, well, you know, I can tell my story. I can tell kind of the things I think we should do to make it better. But then again, in the same way that I created Code Like a Girl, it's always better when it comes from multiple voices and different perspectives. So I thought, well, maybe I should just, like, send out a survey. Right? Maybe I'll get, you know, 15, 20 responses and see what people think.
Dave Bittner: And how did that go?
Dinah Davis: I actually got over 50 responses. I was...
Dave Bittner: Wow.
Dinah Davis: ...Really impressed. Yeah, I know it's still a small number, but I was pretty happy with that.
Dave Bittner: Yeah. And what'd you learn?
Dinah Davis: Yeah. So one thing that I had a hunch on was that cybersecurity wouldn't be their first career. And so I asked that question very specifically. Like, is cybersecurity your first career? Seventy-five percent said no. And I think I would love to kind of find out those answers from men as well because I think a lot of people come into cybersecurity that way. But it feels to me like this would be maybe even a bit higher than the men. But I don't have any real data about that, just a gut feeling (laughter).
Dave Bittner: But to go down that path, you know, with your gut feeling - 'cause you're no rookie when it comes to these sorts of things - do you have a sense or a guess as to why that might be?
Dinah Davis: Yeah. I think it's just not encouraged. Like, it's just not even seen - so even if we think about - like, one of the interesting pieces of data that I polled was like, how long have you been in cybersecurity? Right? And so how long have these women been in cybersecurity? And, like, 54% of them had been there for under five years. And that was also including a number of students that were going through a cybersecurity program that filled this out. And then you even look at it, and only, like, 18% were 15 years-plus. And so I think there's just been this explosion, right? So before this explosion of cybersecurity that really started, I think, in about 2017 with WannaCry and NotPetya, when it became, like, an actual, you know, super visible thing that people started to actually care about.
Dave Bittner: Right.
Dinah Davis: It was this little niche field in computer science that, you know, had this, like, connotation of only, like, weird guys, like, doing it. Right?
Dave Bittner: (Laughter).
Dinah Davis: Not like - like, that maybe, you know, in...
Dave Bittner: Don't hold back, Dinah. Don't hold back.
Dinah Davis: Yeah - that maybe in another life would have liked to be hackers. This is the perception. I'm not saying this is the reality. This is the perception.
Dave Bittner: OK. Right, right.
Dinah Davis: This is not the reality. I mean, I've been in security since 2001, so I'm (laughter)...
Dave Bittner: Yeah.
Dinah Davis: ...Putting myself in those buckets.
Dave Bittner: So are you saying that, like, the perception was to get to cybersecurity, first you had to go through computer science.
Dinah Davis: Mmm hmm, yep.
Dave Bittner: And that's quite a jungle to make your way through.
Dinah Davis: Yeah, it absolutely is. And what I think we're seeing because of the need for this is there's people jumping in from all different places. So one of the interesting things I asked them was like, what did you do before cybersecurity? Right? And a lot of them said IT. But like, some of my favorite answers here are culinary arts, a chemist, veterinary, hospitality, sales. Right?
Dave Bittner: Mmm hmm, mmm hmm.
Dinah Davis: These are all things they did before. And I think I've even listened to some of your career notes where people have come from - there was a lady who came from library sciences. And I'm like, oh, that...
Dave Bittner: Right.
Dinah Davis: ...Makes so much sense. Right?
Dave Bittner: Right.
Dinah Davis: Because I think this - cybersecurity has so many different roles. And they're - you know, you're able to do so many different things. But there's this perception that you must be almost as good as a hacker to work in cybersecurity, which is just not true.
Dave Bittner: Any other interesting tidbits that came out of the survey?
Dinah Davis: How did you discover cybersecurity? - was a question that I asked. And I got some typical answers like job, entertainment, news. My favorite answer, by far, and it was - more than one person answered it - was that they got hacked. They got hacked.
Dave Bittner: Oh.
Dinah Davis: Yeah.
Dave Bittner: Oh (laughter). So they got hacked, and then they got even.
Dinah Davis: They got hacked, and they got interested in it...
Dave Bittner: Right.
Dinah Davis: ...And started to, like, go down the path of, like, well, I want to do this. Like, I want to stop this from happening to other people. That was, by far, my favorite.
Dave Bittner: Wow. Isn't that interesting? I mean, overall, based on the information that you gathered here, what is your sense? Is there - do you feel as though we're headed in a good direction? To what degree is progress being made here?
Dinah Davis: I think we're making a lot of progress, actually. I think there's more progress in the last five years than we saw in the previous 20. And so that's - you know, that's a good thing. I still think there's a long way to go (laughter).
Dave Bittner: Yeah.
Dinah Davis: My favorite quote these days is one from Ruth Bader Ginsburg. Someone asked her, you know, how many women is enough women on the Supreme Court? And she said, when there's nine, because right now or before, when there was nine men, no one even questioned it.
Dave Bittner: Right.
Dinah Davis: So for me, when is it enough? - when you have full teams of C-level women running companies and nobody thinks that's unique.
Dave Bittner: Right, right. Yeah. Nobody thinks twice about it. It just is.
Dinah Davis: Right.
Dave Bittner: All right. Well, interesting stuff for sure. Dinah Davis, thanks for joining us.
Dinah Davis: No problem.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.