Pentesting meets the gig economy. Stingrays, machine learning, and more.
Dave Bittner: [00:00:03:16] Guccifer 2.0, sockpuppets and Fancy Bears, oh my... Insights on machine learning, new revelations about Stingray surveillance devices and Snowden lands in US theaters.
Dave Bittner: [00:00:21:09] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:34:14] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday September 14th, 2016.
Dave Bittner: [00:01:40:19] The bears are busy again, or, at least, Fancy Bear is. More documents swiped from the US Democratic Party were released yesterday at the Future of Cyber Security Europe Conference in London. The documents were released with the appropriate stagecraft of hacktivist anonymity: the hacker or hackers addressed the conference, Russia Today reports, through "an unknown and remote transcriber." The 500 megabytes or so seemed to contain mostly information about party donors and some information going back to Vice Presidential Candidate Kaine's tenure at the head of the DNC.
Dave Bittner: [00:02:14:14] We should also note that the hackers continue to represent themselves as "Guccifer 2.0," which most people outside of Russia today regard as a sockpuppet for Fancy Bear. In any case, Guccifer 2.0 is quite miffed that people think he's, or she's, really Russian intelligence. It seems unfair to him, or her, that the Russian organs are getting credit for all that great stuff. So, he, or she, is angry, but, "then I realized the deeper they go this way the safer I am," that's what Guccifer 2.0 concluded with a smiley emoticon.
Dave Bittner: [00:02:49:08] Fancy Bear also seems behind the doxing of the World Anti-Doping Authority, or WADA. Medical records and drug test results for various western athletes were released. Russian authorities have been displeased by the disqualifications of Olympians for alleged doping and by the general cloud of suspicion that hung over its team in Rio this summer. The documents released don't appear to show anything terribly scandalous, but the hack was done in a clear spirit of you too. ABC News in reporting on the incident says the threat actor calls itself "Fancy Bear," but that's not exactly true. CrowdStrike called them that and the name stuck. Fancy Bear probably calls itself the GRU, only in Russian, gay-air-oo, like that.
Dave Bittner: [00:03:32:14] US officials continue to worry about election hacking and appear, we heard, at the Billington Summit yesterday, to have settled on a policy of offering help to state and local authorities without designating voting critical infrastructure or Federalizing elections.
Dave Bittner: [00:03:48:05] There's a new threat at the ATM. KrebsOnSecurity reports that the US Secret Service is warning people against "periscope skimming," a new technique in which a specialized probe connects to an ATM's internal circuit board and accesses card data from there.
Dave Bittner: [00:04:04:03] Machine learning continues to grow in importance as a tool for detecting and mitigating cyber attacks. We checked in with Raj Gopalakrishna, Chief Software Architect at Acalvio, a company that offers advanced threat defense, for his take on machine learning.
Raj Gopalakrishna: [00:04:18:11] So, machine learning is basically an order of various algorithms that have been designed over the last 20 years, which help us solve very complex problems, and today they're being largely used in, for example, in recommendation engines when you buy something on Amazon. It looks at people's behavior and purchase patterns, who has bought this item before, and user recommendations, that's an example of a machine learning algorithm.
Dave Bittner: [00:04:44:12] And how does this extend to the cybersecurity realm?
Raj Gopalakrishna: [00:04:46:18] So, the thing is that on the cybersecurity world, for the last couple of decades, most of the solutions on the market were basically made up of rules, you know, varied concepts and policies, they don't allow this, block this, white list, negative list, black list, things like that. So there's too much work for humans, and that was very error prone, very slow, and it only went back to what you know, as opposed to looking at what you don't know about. So, machine learning is now being widely adopted in the security domain, cybersecurity domain, you don't need a human being telling it the rules, it can actually drive and make its own rules as it thinks for longer.
Dave Bittner: [00:05:27:03] With machine learning, can the machines actually come back to the user with new, creative insights?
Raj Gopalakrishna: [00:05:34:07] Absolutely. So it can take a lot of different data and give feedback, and say, this is something I've never seen, for example, anomaly detection. And so they look for behavior of human beings, for example, on a machine. This machine typically, this laptop or server, tends to send this amount of data on a typical day or a typical hour in a day, and know these are baselines, and now the machine learning algorithms can start learning that automatically, it'll watch the data let's say for a month or a few weeks, and they know exactly what is normal on a Monday morning at 9:00 am on this laptop or on this network or on this website, so they know. So, if something looks different they can flag it and tell you this anomaly is unusual, I didn't expect this, so do you want me to do something about it? So those are all examples of how people have started using it.
Dave Bittner: [00:06:23:14] So, can the bad guys use machine learning to streamline their operations as well?
Raj Gopalakrishna: [00:06:28:12] Absolutely, and machine learning of course requires a lot of theoretical knowledge. So, in my team for example, you have people with PhDs who have just started machine learning and data science, for seven years, and so it's a lot of maths involved and then there is domain knowledge. So, they'll need to invest their time, certainly they can.
Dave Bittner: [00:06:49:03] Have there been any examples of that happening that we've seen out in the wild?
Raj Gopalakrishna: [00:06:52:22] There has been a little bit of that, for example, they tried to learn what attackers are looking for in reputation services, and they're trying to confuse it. But not a whole lot, it's still early days in the security space, I think there's only four or five in the parts of the security space have started using machine learning, it's because it's such a difficult domain, but a very powerful one.
Dave Bittner: [00:07:19:05] That's Raj Gopalakrishna from Acalvio.
Dave Bittner: [00:07:23:08] In the US, Congress is again taking up surveillance legislation. The intelligence community, including the NSA Director, this week testified in favor of strong encryption. The US Government is also mulling some reorganizations to its cyber agencies, among them the possible separation of NSA and Cyber Command (Senator McCain says he'll block that particular reorg) and the possible separation of NSA itself from the Department of Defense. Defense Secretary Carter is said to be considering if NSA might not be better off as an independent agency like the CIA.
Dave Bittner: [00:07:56:10] Finally, Edward Snowden says he thinks he deserves a pardon, that his leaks did a lot of good. President Obama appears to dissent from this view, strongly, but then he might not have seen Oliver Stone's eponymous "Snowden" flick. Wired has, however, and they've got a review. Read the whole thing if you're not averse to spoilers, and in this case, why would you be? The reviewer suggests the film has a clear point of view, it, "takes about 90 minutes to bleach out the last shades of gray in its black and white biopic." So, not as complex a narrative as, say, Captain America Civil War, or so the kids tell us. On the other hand, the kids would like City Escape from Sonic the Hedgehog to become the national anthem. Oh these kids today.
Dave Bittner: [00:08:43:18] And I want to take a moment to tell you about our sponsor, E8 Security. You know, once an attacker's in your network there's a good chance they'll use command-and-control traffic to do the damage they have in mind. Could you recognize it? E8's analytics can. Here's what malicious C2 traffic might look like: newly visited sites, visits to a website that doesn't have the features a legitimate site usually does, like a high number of pages, a fully qualified domain name or a distinct IP address, or the association of a website with a limited number of user agents. That's tough for a busy security team, but it's easy for E8's behavioral intelligence platform. For more on this and other use cases visit e8security.com/dhr and download the white paper. E8 Security, detect, hunt, respond. And we thank E8 for sponsoring our show.
Dave Bittner: [00:09:35:20] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, you and I have been keeping our eye on these so called Stingray devices, these cell phone tower simulators. There's been a couple of developments lately when it comes to Stingrays, bring us up to date.
Ben Yelin: [00:09:53:22] Sure, so, last month a group of civil rights leaders here in Baltimore complained to the Federal Communications Commission over the Baltimore Police's use of this technology known as Stingray, and we've talked about this before, but these are cell site simulators. So, law enforcement sets up devices that are able to trick phones into revealing location identifying information. The use has been particularly widespread in Baltimore City, and I think because of the potential that it's being used disproportionately in some minority neighborhoods, and because it's actually led to a significant number of arrests, that there has been that concern. So we're not exactly sure how the FCC is going to come down on this, the case is still pending. So the FCC hasn't commented necessarily, but this is an interesting development in civil rights groups trying to use the regulatory process to perhaps curb the use of this law enforcement tool.
Ben Yelin: [00:10:50:20] The other recent development I think is perhaps even more interesting, earlier this week there was a manual released from one of the manufacturers that produces these so called Stingray devices, and that's the Harris Corporation.
Dave Bittner: [00:11:06:09] And this is an operator's manual?
Ben Yelin: [00:11:09:09] This is an operator's manual, that's correct, and it was revealed, you know, parts of the program had been revealed under previous Freedom of Information Act requests, but there had been a lot of redacted information. But this week, the manual was leaked to a website known as The Intercept, that's the website you may be familiar with that's run by Glenn Greenwald, in a large part, who was at the center of the Snowden disclosures, and it revealed some pretty staggering information about how these Stingray devices work. They're particularly powerful, I mean, one of the things that was revealed is that the device can impersonate up to four cell towers at once, and it can monitor up to four provider networks simultaneously and can also monitor 2G, 3G, 4G communications, and I'm sure as the technology changes and we get to 5G this technology will adapt as well.
Ben Yelin: [00:12:05:13] Based on the manuals provided and some of the analysis I've seen, it looks like it's relatively easy for law enforcement to use on a wide scale without any particularized technological knowledge. That presents significant civil liberties concerns. We saw a Maryland court earlier this year say that people should have a reasonable expectation of privacy, that their location is not going to be revealed to these cell site simulators, meaning that law enforcement is going to need a warrant, potentially, to do these types of searches. The highest court in Maryland hasn't yet come down on it, but I think it's going to be crucial that there's some finality to this decision now that we know the scope of information that can be retrieved from these devices, and how easy they are for law enforcement to employ.
Dave Bittner: [00:12:57:05] I guess what always puzzled me about this is that presumably any cell service provider needs a license to set up their towers, and so you would think even law enforcement wouldn't be allowed to set up a rogue transmitter receiving device, that the sole purpose of it is interfering with the flow of information on a regular cell tower.
Ben Yelin: [00:13:21:16] Right, so there is an interesting principle, and I think this cuts across various areas of cyber law, the government is its own entity, and some of the tactics that are legal on the private sector and that require licenses in the private sector, the government is often immune from those if they're using them for uniquely government functions, such as law enforcement or domestic security or international surveillance. So I think that's something the FCC is going to have to grapple with. Is this a unique circumstance where the government needs a unique capability, and, you know, something like revealing that they're getting these types of licenses might hinder their law enforcement services, or, do they not get a pass and do they have to go through the same rigorous process that all the other cellular providers have to go through? So I think this is an open question for the FCC.
Dave Bittner: [00:14:16:15] Alright, Ben Yelin, we will continue to keep an eye on it, thanks for joining us.
Dave Bittner: [00:14:23:04] And that's The CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, the Editor is John Petrik, our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.