Dave Bittner: [00:00:03:18] Black Hat is in the books, with lessons on automation and differentiation. Cyber espionage surges in the South China Sea. US concerns over the security of voting systems persist. ISIS and al-Qaeda continue to compete for jihadi mindshare. The HEIST exploit is troubling, but not yet in the wild (we think). The Rio Olympics get ready to open and banking malware is ready too. Apple announces a bug bounty. Cyber companies are said to prepare layoffs. And we think a security company is helping make Pokemon safe.
Dave Bittner: [00:00:37:11] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond Legacy Security Approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with Artificial Intelligence and machine learning. It maybe Artificial Intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And even better, if you're at Black Hat this year, swing by Booth 11 24 and chat with the Cylance people. Cylance, Artificial Intelligence, real threat prevention. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:36:09] I'm Dave Bittner in Baltimore, with your CyberWire summary for Friday, August 5th, 2016.
Dave Bittner: [00:01:41:22] Black Hat USA 2016 is in the books, and its participants are headed home or wherever else Black Hat symposiasts go when the show’s over and it’s time to move on. We’ll have more on the conference over the course of next week, but if we might summarize the industry trends we’re seeing, we’d say that investors and customers are both looking for differentiation - point solutions, however elegant, are plentiful, and it’s difficult to get through the noise and hear the signal. So understand what problem you’re solving, and be clear on your value proposition.
Dave Bittner: [00:02:13:05] Those customers and investors are also looking for approaches to security that address the notorious shortages in skilled cyber professional labor. Not only do they want solutions that can automate security functions now performed by scarce human operators, but they also want solutions that easily integrate into the enterprise. Hard-to-deploy products that require a lot of maintenance and attention are non-starters. This is no doubt obvious, but the number of young companies offering the high-maintenance and the difficult-to-deploy suggests that it’s worth repeating.
Dave Bittner: [00:02:44:16] TechCrunch is running a nice summary of four concepts that tended to dominate talks in Las Vegas. The first is “Behavior Baselining.” This is regarded as essential for anomaly detection, and anomaly detection in its turn is seen as the alternative to the notoriously limited signature-based detection schemes long familiar in the industry. The next is “Active Response.” That is, faster, more highly automated response to incidents. This is not to be confused with “hacking back,” a concept finding less favor nowadays, especially since the lawyers have gotten wind of it. Next is “Security Analytics” especially when performed in the service of vulnerability recognition and management. And, finally, “Public Key Cryptography,” which of course you’re familiar with - and this conference was nothing if not crypto-friendly. A lot of companies are talking these up. Again, they’d do well to consider how they might differentiate their offerings from competitors with similar elevator pitches.
Dave Bittner: [00:03:43:07] Over at DefCon, DARPA ran its capture-the-flag competition for artificially intelligent systems yesterday. The winners will be announced later today, and then the machines will go on to compete against the naturally intelligent humans in a second round of capture-the-flag. DARPA doesn’t expect the machines to win, this time, but it thinks it’s demonstrated the future of security.
Dave Bittner: [00:04:04:13] Turning to news of international cyber conflict, F-Secure continues to track the NanHaiShu Trojan, implicated in collecting against China’s opponents in the ongoing dispute over rights to the South China Sea. NanHaiShu appears to be an espionage tool, probably operated by Chinese services.
Dave Bittner: [00:04:22:12] Recorded Future has added to the accumulation of circumstantial evidence pointing to Cozy Bear and Fancy Bear as the actors behind the Democratic National Committee hack and other related operations against political campaign networks. Cozy Bear and Fancy Bear are closely tied, respectively, to Russia’s FSB and GRU. There’s much dudgeon in the US over foreign attempts to influence November’s elections, and the Secretary of Homeland Security says his Department is looking into ways of improving voter security. Critics say that this involves some disingenuous reading of US intelligence operations, with NSA watcher James Bamford charging in a Reuters op-ed that the US is “the only country ever to launch an actual cyberwar,” a contention that would probably be disputed in Estonia, Georgia, and Ukraine, to name three places that have received the ministrations of a large neighbor over the past ten years. The cyber act of war Bamford is referring to is of course the deployment of Stuxnet against the Iranian uranium-separation centrifuges.
Dave Bittner: [00:05:23:16] ISIS is working hard to assert itself over Boko Haram’s leadership in Nigeria, not altogether to the liking of local jihadi opinion. Boko Haram has been, in the ISIS view of things, too bloodthirsty in its attacks on moderate Muslims and their mosques. The drive to control Boko Haram is part of ISIS’s recent determination to woo co-religionists it had hitherto been willing to attack. ISIS competitors in al Qaeda and various Taliban factions are similarly engaged in recruitment and inspiration campaigns online.
Dave Bittner: [00:05:55:24] Researchers described an exploit they’re calling “HEIST” (which stands for “HTTP Encrypted Information can be Stolen Through TCP-Windows”). An attack wouldn’t require a man-in-the-middle position to execute, the researchers say. HEIST has been demonstrated as a proof-of-concept but not yet, insofar as is known, encountered in the wild. We heard from Justin Jett, Director of Compliance and Auditing at Plixer, who told the CyberWire that, although we don’t yet know whether HEIST will develop into a significant threat, “Users should be ever-vigilant.” One way to protect yourself against threats like HEIST, he said, “is to use ad blocking software like the EFF’s Privacy Badger. This would prevent the script from running on an infected site, thus preventing the attacker from being able to determine details from TCP response sizes.” We’ll be watching more for news of HEIST-like exploits.
Dave Bittner: [00:06:49:01] The Olympics open in Rio tonight amid heightened physical and cybersecurity. A banking Trojan, “Panda Banker,” has been observed spiking in host country Brazil.
Dave Bittner: [00:07:05:00] It's time to thank our sponsor E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks, and E8 Security's behavioral intelligence platform enables you to do just that. It's self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts, based on risk and lets your security team uncover hidden attack patterns. To detect, hunt, and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free white paper to learn more. E8: transforming security operations.
Dave Bittner: [00:07:55:02] And joining me once again is Malek Ben Salem. She's the R&D manager for security at Accenture Technology Labs. Malek, I know an area of research for you is the security implications when it comes to software defined networking.
Malek Ben Salem: [00:08:08:02] Right. So software defined networking is an approach to design built-in managed networks, that separates the network control from the forwarding plane of the network, which enables basically a more network control, enables the network to be more programmable and the underlying infrastructure to be abstracted for appliances and network services. It enables more innovation, so that's why some companies are adopting this approach, but it also has its own security implications. One of them is that, by virtualizing the network, security admins, or network admins no longer have visibility into the underlying infrastructure and into what's happening exactly in the network. And that creates basically new security challenges for them.
Dave Bittner: [00:09:06:08] Explain to me what you mean by that. Why would having the network be software-based take away that visibility?
Malek Ben Salem: [00:09:13:15] So basically they're adding a new layer on top of the infrastructure layer, which is this control layer that they interact with, which abstracts everything underneath. So they lose that visibility. They only see what's happening at the control layer, without having the visibility of what's going on in the physical layer. That's one challenge. The other challenge is by creating the separation, everything basically becomes centralized into one point through the central defined network controller, and that in and of itself creates new threat models for the company, because the SENcontroller becomes a single point failure for the network. But there are also even security advantages, such as, for example, the ability to direct malicious traffic to a high net, creating high nets quickly and directing any malicious traffic towards those high nets to collect more information about the adversary.
Dave Bittner: [00:10:20:08] All right, Malek Ben Salem, thanks for joining us.
Dave Bittner: [00:10:26:04] Time to thank our sponsor, VMWare. You're heard of VMWare, the global leader in Cloud infrastructure and business mobility. Of course, we all have. But if you're a security software architect or engineer, you also know them as world leaders in virtualization. So think about them as a career destination, especially, now because VMWare is looking for experts to be part of an empowered and innovative security team that builds on VMWare's industry leading virtualization technology to deliver a new model of IT, that combines flexibility and quick deployment with world class security. If you're a security professional looking for a career with an innovative industry leader, committed to making the networked world a place that's not only secure, but also easy to work in, then navigate on over to careers.vmware.com and see what you and VMWare might have to offer one another. The visit will be worth your time. That's careers.vmware.com, and we thank VMWare for sponsoring our show.
Dave Bittner: [00:11:32:22] In some industry news that broke at the end of this week, Apple announced its intention to join a growing industry trend and start a bug bounty program. Only invited bughunters will participate at first (“a few dozen,” says Cupertino), but the company’s head of Security Engineering and Architecture, told people at Black Hat that they’re not setting up an exclusive club. Other researchers may submit flaws they discover and so be considered for admission to the program. Bounties will range from $25,000 to $200,000 and Apple says it’s willing to double the bounties paid to hunters who donate the proceeds to charity.
Dave Bittner: [00:12:08:03] One of the technologies Apple is known for is Siri, the automated assistant on the iPhone that responds to your voice. Android has Cortana and Amazon sells their Echo with Alexa. We spoke with Galina Datskovsky, CEO of VaporStream about voice activated devices, and privacy concerns.
Galina Datskovsky: [00:12:26:07] If you look at the younger population today, let's say the kids, the teens, even the 20-somethings, they're typing a lot less and they're talking to their devices. They're speaking to the device and they want the answers or the finds read to them, as opposed to reading them. So there's a lot more human-like interaction with the devices. In addition to that, we're seeing quite a number of devices that are specifically voice activated, that might not even have a keyboard input at all. So for example, Alexa. If you look at Alexa, from Amazon, you talk to Alexa. You get answers from Alexa. You could play games with Alexa. There is no other way to interact with it. I think there's several assurances that we have to have from the manufacturers. So one is, is the device going to be listening even when I don't want it to be listening? Can the device be hacked to listen to me, right, and respond or report in time? Can somebody hack the storage of information?
Galina Datskovsky: [00:13:45:20] So if the information is I'm speaking and I am receiving, does that store somewhere? Is that identifiable to me? Can that be hacked? How is that used? How is it given to third parties? Can that be used for espionage, if I have this particular device in my office, right? And maybe in the boardroom. What if I wear a device that I'm speaking to. Maybe it's not a device that sits on my desk, but that it's a wearable, it's voice activated. Can somebody hack that? What kind of information is produced? So I think those are issues that first of all one should be concerned about, and secondly, I think the manufacturers need to make people comfortable with.
Dave Bittner: [00:14:38:07] These types of devices are easy to use and fun to use, and there's a natural tension between that and security.
Galina Datskovsky: [00:14:45:05] There's always that trade off of convenience versus security and privacy, and generally they happen to be at odds, right. So, in some ways, you don't want to overprotect the device, because you really want it to learn your voice signature, and the way you speak, and kind of use if like the fingerprint, right. So we are seeing the security on your phone now going to biometrics and finger scans, so you don't have to type in a code. But you could just do that, and presumably that is a lot safer, because you are less likely to forget or lose your fingerprint, and somebody else can't exactly duplicate it. So voice signatures are very similar, and you want the device to know that you've set your voice signature. Unfortunately, voice signatures in fact can be somewhat duplicated. And voice signature recognition is not absolutely perfect. Probably the device won't confuse you and me, but perhaps another deeper male voice could actually imitate yours, either on purpose or accidentally, especially if the phrase is relatively short.
Dave Bittner: [00:16:00:11] You agree to a certain set of privacy definitions when you click through the EULA, the end user license agreement. But what's not so certain is what happens with a device like this from a legal point-of-view, if it gets hacked.
Galina Datskovsky: [00:16:13:12] If something is recorded improperly. If you want to make an argument that you didn't wake up the device. It woke up based on the wrong word, right, or somebody hacked it. And now they're getting your information, and you're actually being illegally recorded if you will. And somebody is taking that illegal recording and doing something with it, which was not in the terms and conditions. Who is liable?
Dave Bittner: [00:16:44:08] That's Galina Datskovsky. She's the CEO of VaperStream.
Dave Bittner: [00:16:50:01] In other industry news, two sector leaders, FireEye and Fortinet, are reported to be preparing or conducting layoffs. FireEye has announced a round of layoffs in response to disappointing earnings, and Fortinet is rumored to have begun significant layoffs that will hit marketing heavily. Other unnamed companies are also thought to be considering headcount reductions. We’ll be watching to see if these rumors are confirmed by events.
Dave Bittner: [00:17:15:03] Finally, LookingGlass seems to have found a Pokemon-related revenue stream. Enterprises are telling them where Pokemon are unwelcome, and LookingGlass is working with Pokemon masters Niantic to exclude them. Some are calling this “killing Pokemon,” but to us it looks more as if LookingGlass is keeping Pokemon safe. No one, least of all LookingGlass, would be heartless enough to kill Pikachu, but anyone would like to keep him out of traffic, transformer stations, military bases and so on. Right, Chris?
Dave Bittner: [00:17:48:24] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. We help you stay on top of the news in cyber security and information assurance - we can also help you get your product, service, or solution in front of an informed audience of influencers and decision-makers. Visit the thecyberwire.com/sponsors to find out how.
Dave Bittner: [00:18:12:11] I'm back on the Grumpy Old Geeks podcast again this week, so be sure to check that out, too.
Dave Bittner: [00:18:17:07] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.