The CyberWire Daily Podcast 9.30.16
Ep 196 | 9.30.16

Election hacking, journalist hacking, and the rise of TbpS DDoS. More reflections on the Yahoo! breach. Ransomware and other forms of extortion.

Transcript

Dave Bittner: [00:00:03:12] IoT botnets bring scunion across the Internet. Why security cameras are attractive to bot rustlers. InfoArmor's explanation of the Yahoo! breach gains traction among observers. Europol warns that ransomware is on the rise. Zerodium raises its iOS 10 remote jailbreak bounty to a cool million and a half. US states continue to grapple with election hacking. And the Tofsee botnet is chumming for the lonely - click with caution.

Dave Bittner: [00:00:35:08] Time to take a moment to tell you about our sponsor, Recorded Future, the real-time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web, to give cyber security analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:36:09] I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, September 30th, 2016.

Dave Bittner: [00:01:44:07] The IoT botnets used against OVH and KrebsOnSecurity should, a Los Angeles Times op-ed says, "Terrify you." "Terrify" may be breathless, but the incidents represent a dramatic increase in criminal capability. Many of the devices herded into the botnets were security cameras.

Dave Bittner: [00:02:02:06] The threat posed by hacked security cameras isn't new. These cameras are widely deployed and, although people still tend to misleadingly call them "closed circuit TV", they're almost invariably networked.

Dave Bittner: [00:02:13:23] It's worth returning to a primer we received on cameras at the Jailbreak IoT Security Summit earlier this year. Our guide was Wesley Wineberg, a Senior Security Research Engineer at Microsoft. His premise was that security cameras were Internet-of-things devices before people generally recognized that there was such a thing as an Internet-of-things. The businesses that use them tend to link them to other systems, often physical security networks like those that control doors, and sometimes to building control systems like HVAC networks, or even to point-of-sale systems. People have gone after IP cameras for many reasons, Wineberg told us. They may want access to a video stream, they may wish to modify a video stream, they may seek persistent access to the security system or they may be interested in pivoting from the camera to other networks.

Dave Bittner: [00:03:01:20] His advice to users of security cameras included recognizing that while IP camera protocols aren't themselves necessarily flawed, their implementation often is, and that, as he put it, "feature equals attack surface." Many of those attack surfaces are physical attack surfaces: an accessible CompactFlash card port, Ethernet, video/audio input/output, and so on. So, if you must network your security camera, once you've paid due attention to implementation, you'd do well to restrict physical access to the camera itself, and to restrict the ways the camera can communicate.

Dave Bittner: [00:03:36:07] As DDoS attacks of the last two weeks have shown, the risks aren't restricted to the camera's users, and that's true of the IoT as a whole.

Dave Bittner: [00:03:45:02] InfoArmor's study of the Yahoo! breach maintains those responsible weren't "state-sponsored" but rather criminals who subsequently sold their take to a nation-state. This explanation is gaining traction in the industry press. Some observers continue to point out that in some parts of the world there's often very little daylight between criminals and security services.

Dave Bittner: [00:04:05:14] Europol warns that crypto ransomware remains a big threat. The Princess Locker is one relatively new strain. Its demands show a distinctive and unusual escalation. The initial ask is three Bitcoin, but if you don't pony up by the deadline, the threats get uglier and the demand doubles to six Bitcoin.

Dave Bittner: [00:04:25:05] Plixer's CEO, Michael Patterson, told the CyberWire that he agrees with assessments that ransomware incidents will continue to rise in the coming months. The money's relatively easy. And big breaches like the Yahoo! compromise have put a lot of credentials onto the black market, which makes for easier phishing of victims. He sketches a likely scenario: "Imagine purchasing the stolen 200 million Yahoo! email list for $1860 dollars and then targeting them with a phishing attack that looks as though it came from Yahoo!'s Account Recovery Team. Many of those 200 million recipients would be tempted to open the malicious email. Once they click, the ransomware encrypts the victim's files and the user is forced to make what could be a difficult decision."

Dave Bittner: [00:05:09:01] And, as always, the best line of defense against ransomware is secure, regular backup.

Dave Bittner: [00:05:15:02] And there are other forms of extortion online than crypto ransomware. Flashpoint continues to keep an eye on the unfolding attempt by thedarkoverlord to extort money from a Californian investment company that thedarkoverlord doxed. If thedarkoverlord isn't paid, he'll continue to dribble out increasingly sensitive files.

Dave Bittner: [00:05:34:10] In industry news, Zerodium has upped its bounty for an iOS 10 remote jailbreak to $1.5 million dollars. This is not a conventional bug bounty. Zerodium is a zero-day broker, and they're quite clear that they want exploitable stuff, not idle proofs-of-concept.

Dave Bittner: [00:05:51:16] The tally of states experiencing "hacking attempts" in the US is now up to 20. For the most part, the attempts as reported amount to reconnaissance, or sometimes theft of not particularly highly sensitive, and sometimes publicly available anyway, voter data. There's growing awareness that one need not corrupt an election's data nationwide to affect its outcome. Carbon Black thinks attending selectively to Pennsylvania precincts could do the trick. Of course, the prime persons of interest in election hacking remain the two bears, Cozy and especially Fancy.

Dave Bittner: [00:06:25:14] And, finally, for all the worries about the Internet-of-things and its potential for botnet rustling, many ordinary botnets are also still out there, so it's not all IoT all the time. The Tofsee botnet, for example, is newly active and "aggressive," reports Talos. Tofsee is spamming out phishbait consisting of what's euphemistically called "adult dating" opportunities, mostly involving claims that Russian and Ukrainian beauties are looking for you, Mr Lonely Heart. Don't be fooled. Ludmilla hasn't discovered you as a soulmate and Ludmilla might not even be Ludmilla. For all you know, Ludmilla is actually Vladimir, all 181.437 kilos of him, and working not from his parents' basement, but perched in a lawn chair in front of a wading pool and a MiG. Think before you click. Remember the MiG.

Dave Bittner: [00:07:16:15] Did we mention 181.437 kilos? That's 400 lbs, or as we like to say around here, one hackerweight.

Dave Bittner: [00:07:29:17] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company, whose patented technology continuously analyzes the entire web. To develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily, and if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:08:23:15] Joining me once again is Markus Rauschecker. He's the Cyber Security Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, I saw a report via Reuters that New York has issued some cyber regulations for banks and insurers. What can you tell us about this?

Markus Rauschecker: [00:08:40:23] Yes, this is big news. New York actually proposed regulations for cyber security, so they're not in force yet, these regulations, but they are proposed by New York State. These regulations would affect businesses in the banking sector, insurance sector, and financial sector. This proposal has been getting a lot of attention because a lot of the best practices that we talk about in cyber security would actually become part of the regulation here, and companies that would be under these regulations would now be forced to implement some of these best practices. That includes, among other things, that companies would have to nominate a CISO, a Chief Information Security Officer. They would also have to have written cyber security policies in place. They would have to do regular risk assessments and they'd have to have other written policies and procedures applicable to cyber security practices.

Markus Rauschecker: [00:09:41:09] They'd also have to start using encryption and carry out internal and external cyber audits. On top of everything else, they not only would have to be concerned about their own cyber security, but they would have to have knowledge about the cyber security status of any third parties that they deal with. There is a lot that has been packed into these regulations and we'll see if they actually go through.

Dave Bittner: [00:10:06:23] So, there's a 45 day comment period before anything happens. Is there any feeling on how the banks and other organizations that are under these regulations are responding to this proposal?

Markus Rauschecker: [00:10:19:19] Right. So whenever there's talk of regulations, businesses generally speak out against the regulations. As you can imagine, regulations traditionally or, as the traditional argument goes, would increase costs for businesses and would increase the burden on businesses. So I'm sure we are going to hear a lot of the same kind of responses to these proposed regulations. My guess is that larger companies, companies with a lot of resources, are probably already doing most of the things that are in these regulations. So there probably wouldn't be much of an additional cost or burden on these companies to implement or continue to do the things that are contained in the regulations.

Markus Rauschecker: [00:11:04:13] However, these regulations could become problematic for some mid or smaller sized companies who don't necessarily have the resources to do everything that they would now be required to do. Certain companies are going to be exempt from these regulations. If we're talking about smaller sized companies, companies with fewer than a thousand customers for example, or companies that make less than $5 million in gross annual revenue - those companies, those smaller sized companies would be exempt from these regulations.

Dave Bittner: [00:11:36:19] And New York, obviously, is in a leadership position when it comes to the banking and insurance industries. So, is this the sort of thing where other states would follow suit after New York's lead or would that even be necessary? Would enough things be covered just by New York having these regulations?

Markus Rauschecker: [00:11:54:02] I think by New York coming forward and proposing these regulations, they are really taking a leadership role here, and I think a lot of other states are going to be very interested to see how things develop in New York. I think it might be a sign of things to come. There's been talk about regulation for a long time now. Here we have an instance now where they're actually being implemented, so everyone's going to pay close attention, and I think it might be a sign of things to come in other states as well.

Dave Bittner: [00:12:22:05] Markus Rauschecker, thank you for joining us.

Dave Bittner: [00:12:26:14] I want to take a moment to tell you about an exciting event coming to the mid Atlantic region. It's Cyber Maryland on October 20th and 21st in Baltimore. The theme this year is Leading the Cyber Generation and the Cyber Maryland Conference is full of opportunities for networking and information sharing. There's the Hall of Fame dinner, industry showcase, cyber job fair and the cyber teeny cocktail party. Plus, an impressive lineup of keynote speakers and presenters. It's Cyber Maryland and you don't want to miss it. Search for Cyber Maryland Conference online to get all the details. Cyber Maryland and we'll see you there.

Dave Bittner: [00:13:03:00] My guest today is Doctor Eli David. He's the Chief Technology Officer at Deep Instinct, a company that claims to be the first to apply the concept of deep learning to cyber security. Doctor David is one of the leading researchers in the field of computational intelligence. We wanted to learn more about Deep Learning and how it applies to cyber security.

Eli David: [00:13:22:22] It is the closest we have got in computer science to creating something that mimics our brains or, more accurately, it takes inspiration from our brain. Deep learning has obtained amazing results in all the fields it has been applied to. In computer vision, we have seen 20 to 30% point improvements in all the benchmarks. Similar improvement with speech recognition, a big improvement in text understanding and, in all these fields, deep learning is completely agnostic to the domain, processing just raw data, without any feature engineering or pre-processing.

Eli David: [00:13:57:24] Cyber security is a very tough problem since it is very easy to create new malware and it's very difficult to detect them. So the underlying idea was that, if deep learning has been so successful in the other fields, especially when tackling challenging problems, then it should be successful here too.

Dave Bittner: [00:14:19:18] So help me understand - when does artificial intelligence cross over and become deep learning?

Eli David: [00:14:26:16] Actually deep learning is a sub-field of machine learning, which is in itself a sub-field of artificial intelligence. Since the early 2000s, machine learning has been the most successful field within AI. The idea of machine learning is, instead of we humans trying to find smart heuristics and code them, we just gather data and give it to the machine, so that the machine would learn by itself by observing examples. This is traditional machine learning. However, the problem with traditional machine learning is that, in every problem that you apply it to, you first need to perform feature extraction, feature engineering. For example, if the problem is face recognition, you need to bring image processing experts to analyze the problem domain, and tell it that the most important features are distance between pupils, distance between nose and the mouth, proportions of the face, etcetera.

Eli David: [00:15:22:08] So now, in traditional machine learning, the raw data, in our example images, is converted into a list of a few tens or, at most, a few hundred values. When you look at someone, and you recognize their face, you're not calculating the distance between their pupils and multiplying it by the proportions of their face, hopefully. You're just receiving the raw data, the raw pixels, and your visual cortex, by having learned what faces look like, immediately provides a prediction. Deep learning is the first method of machine learning that completely skips that feature extraction phase. So, in deep learning, we have many layers of artificial neurons. In our brain, we have real neurons; in deep learning, we have deep neural networks, artificial neurons, and they're connected to each other via synapses, and we have hundreds of millions of synapses in tens of layers of neural networks in a typical artificial neural net.

Eli David: [00:16:21:06] So, back to the analogy, if you're applying deep learning to face recognition, the input would be just raw pixels, no pre-processing whatsoever. In text understanding, it would typically be the raw characters, not even words, characters and, in our case, in cyber security, we train our brain by training it on data sets of many hundreds of millions of samples of malicious and legitimate files and the input is just the raw bytes. So, in Deep Instinct we look at the computer file exactly as if it is an image, but with bytes instead of pixels. So we are completely agnostic to the file format in which you do static prediction. We don't even care about the operating system. This is how deep learning is much more versatile than traditional machine learning, which is in itself the most successful field within AI.

Dave Bittner: [00:17:19:03] So is there a penalty to pay in terms of computational overhead?

Eli David: [00:17:24:10] Deep learning is very cumbersome to train. You do require special purpose hardware. The reason is that deep learning is a family of several tens of algorithms. Complex to understand, difficult to implement, but the most challenging part is that, even if you do have a full implementation, you still have to re-implement everything on GPUs - Graphical Processing Units - which are, in our case, up to a hundred times faster than CPUs for training purposes. So deep learning is very cumbersome for training, very fast in prediction mode; it takes a few milliseconds on the slowest CPU or mobile device that you can imagine for the prediction to work. This sounds a bit counter-intuitive but, in fact, it's very similar to how our brain works. It takes us many years to learn a new language but, when we learn it, it takes a few milliseconds to remember what a certain word is called.

Eli David: [00:18:24:12] I would say that, within our lifetime, some say ten years, some say 30, 40 years, we will most probably see near human level artificial cognition. What we think is that the more neurons we're capable of adding to our deep learning module, the better results we obtain. Similar to the evolution of Homo sapiens. More brain, more neurons, better recognition. So we do think that we are approaching the level that, in the next few tens of years, computers will be virtually indistinguishable from humans as far as their cognitive capabilities are concerned.

Dave Bittner: [00:19:07:00] That's Doctor Eli David. He's the Chief Technology Officer at Deep Instinct.

Dave Bittner: [00:19:16:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody.