The CyberWire Daily Podcast 11.3.16
Ep 219 | 11.3.16

Sources say FBI is confident foreign intelligence services penetrated former Secretary of State's private email server. WikiLeaks says it's not a Russian tool. Notes on industry; notes on cybercrime.

Transcript

Dave Bittner: [00:00:03:20] Fallout from the FBI investigation of former Congressman Weiner continues to drop onto the Clinton campaign. WikiLeaks' Assange says he'll continue to dox, but denies he's doing so with Russian help. IoT-driven DDoS fears continue. A new exploit kit is replacing earlier stars in the criminal firmament. NIST issues a cybersecurity workforce framework, NSA promotes its Day of Cyber, and the SINET 16 are introduced in Washington.

Dave Bittner: [00:00:35:18] Time for a message from our sponsor E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats. You've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts based on risk and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit E8security.com/dhr and download the free white paper to learn more. E8, transforming security operations, and we thank E8 for sponsoring our show.

Dave Bittner: [00:01:32:07] I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, November 3rd, 2016.

Dave Bittner: [00:01:38:20] More continues to emerge on the FBI's renewed investigation of emails that allegedly found their way from former Secretary of State Clinton's private server to a laptop belonging to former New York Representative Anthony Weiner. It's thought that they are on the laptop because of Weiner's connection to his now estranged wife, Huma Abedin, a close aide of Ms Clinton. The number of emails is very large, in the hundreds of thousands, and machines used by key Clinton advisors that were thought to have been destroyed are now reported to be under "active exploitation" by the FBI.

Dave Bittner: [00:02:11:06] Sources are telling various news outlets that FBI investigators have high confidence that five unnamed foreign intelligence services succeeded in compromising the former Secretary's now decommissioned and presumably not replaced private server. We leave speculation about which five nations are suspected as an exercise for the listener.

Dave Bittner: [00:02:31:11] WikiLeaks continues to make good on its promise to release discreditable documents related to the election, with a particular animus directed at the Clinton campaign. More are expected before next Tuesday's election. Most of the recently released emails have been associated with campaign manager Podesta, and the general climate of opinion holds that they were taken by Russian intelligence services. But WikiLeaks' leader Julian Assange denies that he's getting those documents from Russia. Where he's getting them he isn't saying, but the releases do seem generally aligned with Russian interests.

Dave Bittner: [00:03:05:14] Concerns, of course, about Russian influence on US elections continue. Among those concerns are the prospect of distributed denial-of-service campaigns against election-related targets. DDoS fears have risen since the Mirai Internet-of-things botnet attacks last month. Bitdefender reports finding an exploitable vulnerability in widely used web cameras that would render them susceptible to botnet herding.

Dave Bittner: [00:03:30:08] Looking back at the DDoS attacks sustained by Dyn two weeks ago, the Online Trust Association says that the attacks could have "easily" been prevented with better secured IoT devices. That's no doubt true enough but, in fact, such devices are widely deployed and haven't been securely provisioned. And mopping up so very large a number of insecure devices is a far from trivial challenge. Many observers have discerned signs of ISPs becoming more willing to take an active role in combating IoT-based DDoS, but others raise doubts. Net neutrality policies and regulations are thought by many to be likely to inhibit ISPs from doing so. Analysts think such companies would assume non-negligible regulatory risk.

Dave Bittner: [00:04:15:02] Hacktivism and state-sponsored cyber activity may have bulked large in the news recently, but it would be a mistake to think that more conventional cyber crime had gone into any temporary eclipse. The Angler, Neutrino and Nuclear exploit kits have been put down, but the Sundown exploit kit is increasingly occupying their niche in the criminal ecosystem. Hospitals in the UK continue their recovery from a criminal attack they sustained over the past week, and news has broken of a major data breach among New Zealand nursing services.

Dave Bittner: [00:04:48:13] As technology evolves, one area that's grown in sophistication is telecommunications, with most new subscribers choosing voice over IP over traditional landlines. There are generally cost savings and productivity gains to be had, but also concerns about reliability and attack surface. We checked in with Edward Fox from telecommunications provider MetTel to get his perspective on secure telecommunications.

Edward Fox: [00:05:12:20] Out in the wild there's many carriers and just for the simple fact that many enterprises and end users, just like we're talking on Skype today, we're mixing data and voice, we're having a great connection, but if something was to happen in between and if that particular attack in the path of where our voice is going, it can be affected. We try to keep the voice and data networks as segregated as possible although, you know, I have to say 85% of our customers that we serve today have converged last miles but usually the last mile is not, when you're talking about DDoS, usually the last mile is not where the biggest issues are. So we do that as well as we keep trusted versus untrusted networks and that allows us to keep the untrusted side beefier and, you know, able to take on traffic that it's not ready for and protect the trusted side of the network. We spent a little extra money doing it but it's, on the voice side, it's an architecture that has saved us multiple times.

Dave Bittner: [00:06:18:04] Can you dig into that a little bit more, what are we talking about when we're talking about a trusted and untrusted network configuration?

Edward Fox: [00:06:24:14] Yes, so just as an example, on our voice network, we have proxies or session border controllers that face different networks and we have those completely segregated on completely different networks and we have those that register end points and talk to our customers and talk to their PBXs and Polycom phones on their desk. And then we have those which talk to the rest of the world and we treat those very differently in how we broadcast IP addresses and where we actually put them in the network.

Dave Bittner: [00:06:57:07] So let's say I'm someone starting up my own organization and I know I'm going to need telephones and I'm going to need Internet, what would your advice be for someone in that situation in terms of the kinds of things they should be looking for?

Edward Fox: [00:07:08:04] I would advise to look for a partner that may not necessarily be the underlying, you know, last mile provider like your Cablevision or Comcast or someone of that nature. You want to look for someone who can give you the benefit of that pricing and that bandwidth but can give you the overlay and the service around cloud firewalling and cloud or hosted voice. You know, someone who has taken the time and the initiative to do things like sandbox and offer that as a service. DDoS protection, you know, up in the cloud and as well as, you know, take your voice network and make sure that there's a trusted part of it and there's an untrusted part of it. And only expose you to the outside untrusted part when you're making outbound calls, which can be routed all over the world today. So, that would be my advice.

Dave Bittner: [00:08:02:09] That's Edward Fox; he's Vice President of Network Services at MetTel.

Dave Bittner: [00:08:08:19] In industry news, Microsoft says it will have a patch ready on Tuesday for the Windows zero-day Google recently disclosed. Sophos has acquired Irish security analytics shop Barricade. A much larger acquisition has also been announced: Broadcom is buying Brocade for $5.5 billion. Speculators expect to see a wave of mergers and acquisitions in the broader IT sector.

Dave Bittner: [00:08:33:07] NICE, the National Initiative for Cybersecurity Education, is meeting this week in Kansas City. NIST has been using the occasion to launch not only its CyberSeek jobs map, which we mentioned in yesterday's Daily News Briefing, but also a draft Cybersecurity Workforce Framework. This may be expected to draw considerable attention and attract considerable comments. Your suggestions and reactions can be communicated to NIST by emailing them. Comments are open until January 6, 2017.

Dave Bittner: [00:09:03:24] Also at the NICE meetings, one heard about NSA and its LifeJourney partner, who are offering a Day of Cyber for students: registrations have already passed the 5,000,000 mark.

Dave Bittner: [00:09:15:17] Finally, a couple of our stringers are down in Washington today for the annual SINET Showcase. We will have a full report in upcoming issues of our daily news brief. The SINET Showcase always features the SINET 16, 16 innovative startups selected from a field of hundreds. We'll close today by congratulating all of them. This year's winners are, in reverse alphabetical order, Vera, ThreatQuotient, SafeBreach, Risksense, Protectwise, Prelert, Post-Quantum, PhantomCyber, Passages, Menlo Security, Interset, Digital Shadows, DataVisor, CyberX, Contrast Security, and Blackridge Technology. Congratulations to them all. Their predecessors have established a terrific track record. And, again, that list was in reverse alphabetical order. You're welcome, Vera.

Dave Bittner: [00:10:10:06] Time for a message from our sponsor Delta Risk, a Chertoff Group company. Since 2007, Delta Risk has been helping organizations manage cyber risk to protect their business operations. Today they're offering a distillation of some of their expertise in technical security, policy, governance and infrastructure protection in the form of a white paper. Top ten cyber incident pain points, are you prepared? Download it today at delta-risk.net/topten. The conventional wisdom is that every organization will eventually have to deal with a cyber incident and in this case the conventional wisdom is right. Delta Risk can help you prepare for that incident with some sound planning. So thanks Delta Risk for explaining those incident response pain points. Once again visit delta-risk.net/topten and start planning. That's delta-risk.net/topten and we thank Delta-Risk for sponsoring our show.

Dave Bittner: [00:11:11:03] Joining me once again is Jonathan Katz. He's a Professor of Computer Science at the University of Maryland and also head of the Maryland Cyber Security Center. Jonathan, I saw an article come by on Ars Technica about some Google researchers who had set a couple of artificial intelligences to sort of team up together and try to come up with some cryptographic stuff. Explain to us what was going on here.

Jonathan Katz: [00:11:33:03] This was pretty interesting work actually. What the researchers did was they set up three neural networks corresponding to three different entities, Alice, Bob and Eve and what they did was they just programmed these neural networks to try to search for algorithms that would allow Alice to encrypt a message and send it to Bob, who would then be able to decrypt it and recover it, while simultaneously hiding the message from Eve. And then they basically just let these algorithms run until they converged on something where Alice and Bob were doing well, in terms of being able to recover the messages being sent, while Eve was not doing well, namely not being able to recover what was being sent. So essentially they just let the algorithms run, these neural networks run and discover algorithms on their own as it were.

Dave Bittner: [00:12:19:20] And were these novel algorithms that they came up with?

Jonathan Katz: [00:12:23:04] Well, they were definitely novel. I mean one of the things that's funny is that actually the researchers were not really able to characterize what algorithm Alice and Bob were using to communicate. So it was, you know, they could maybe discern some characteristics of it, but they didn't really have a good representation of what the algorithm was doing. All they knew was that it was some algorithm that was allowing Alice and Bob to communicate while, correspondingly, Eve was not able to decrypt what was coming out.

Dave Bittner: [00:12:49:10] Was that a surprise that Eve's ability to decrypt the messages wasn't as good as Alice and Bob's ability to hide it?

Jonathan Katz: [00:12:57:14] Well, so first of all, I don't want to, you know, sound too overenthusiastic here, because what the research ended up showing was that Eve was not able to decrypt, but that doesn't mean that somebody more clever, who was looking in from the outside and using techniques other than those discovered by this neural network, might not have been able to decrypt. And, in fact, actually, the encryption algorithms they were using, I think the researchers said themselves in the paper, it would have been possible for somebody, for a researcher or for a cryptographer looking at it from the outside, to actually cryptanalyze it. So the only security guarantee that they're giving for the encryption algorithm is that this neural network couldn't figure out how to break it. It doesn't mean that nobody can figure out how to break it. So from that point of view, you know, just because of the way they set the experiment up, it wasn't surprising that it converged on a situation where Eve couldn't decrypt very well. I think really it's just a fascinating idea and I'm sure it will be pushed a lot further in future work.

Dave Bittner: [00:13:50:20] Have these people never seen a Terminator movie?

Jonathan Katz: [00:13:53:06] You know it's funny, I was just at a conference last week and one of the big things people were talking about was machine learning and how powerful it's getting and the coming breakthrough in AI. And so it looks like that's the direction we're heading with everything. Fortunately, right now, cryptography is hard enough that AI hasn't cracked it but this might just be the start.

Dave Bittner: [00:14:14:04] Alright Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:19:00] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you consider the CyberWire podcast a valuable part of your day we hope you will take the time to write a review on iTunes. It really does help people find the show. And it's just the kind of support we would expect from a smart and attractive person like you.

Dave Bittner: [00:14:41:17] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.