The CyberWire Daily Podcast 2.2.17
Ep 278 | 2.2.17

A black market for insider information. Cisco studies data breaches. The Internet as a threat actor's R&D infrastructure.

Transcript

Dave Bittner: [00:00:03:16] Criminals recruit insiders, and the black market trades insider information. Cisco studies the costs and causes of data breaches. The Internet as an R&D resource for threat actors. And, happy Groundhog Day.

Dave Bittner: [00:00:22:14] Time for a message from our sponsor Palo Alto Networks. You know, it's tough to find an enterprise that's not at least partially in the Cloud. Our sponsor, Palo Alto Networks, can keep your Cloud secure and happy - no matter what type it is - because as they'll tell you, a secure Cloud is a happy Cloud. You can go visit them at go.paloaltonetworks.com/secureclouds. Far more than just some convenient place somewhere out there to store stuff, the Cloud's become an integral part of all enterprise level organizations. Palo Alto Networks understands that your data and applications are distributed across the private Cloud, the public Cloud, software as a service environments, and any number of configurations in between. They'll ensure your data and apps stay secure and protected, wherever they are. Palo Alto Networks delivers the broadest, most comprehensive cybersecurity for private Cloud, public Cloud and software as a service environments. Learn more at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:01:32:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore, with your CyberWire summary for Thursday, February 2nd, 2017.

Dave Bittner: [00:01:43:23] The EyePyramid campaign, whose alleged perpetrators are now facing prosecution in Italian court, is thought to have been aimed at gaining illicit trading advantages; and the people behind that spyware aren't alone in looking for inside information. Many criminals, however, are attempting to recruit insiders directly, in various dark web forums. Researchers at RedOwl and Intsights have just released a report on recruitment of insiders by criminal traders. They describe such recruiting as "active and growing," with dark web forum discussions of it nearly doubling from 2015 to 2016: an effective black market that enables rogue insiders to readily monetize what they know about their companies. It's not always direct reporting, either; some of the more sophisticated criminals are inducing compromised insiders to install spyware into corporate internal networks.

Dave Bittner: [00:02:34:21] Some criminals appear to be selling the information to their "members," as opposed to using it directly themselves. The information on offer can be used for trading stocks, commodities, and foreign currencies. The promise is that you, the member, will "know what's happening before the rest." That's the old promise of trading tipsters, ever since stocks began being traded. RedOwl and Intsights take a detailed look at one forum with the demotic name KickAss Marketplace, whose impresarios do a good imitation of an aggressive retail discount site, advertising "accounts, dumps, CVVs, and more," and inviting potential forum members to "apply for an interview today!" The insider trading racket is lucrative, at least according to the crooks managing the KickAss market. They say their members make more than $5,000 a month on illegal trades. Take that with the proverbial grain of salt, but there may be something to it, since the forum managers charge a 1 Bitcoin cover fee for membership. That's just under $1,000.

Dave Bittner: [00:03:37:14] Another interesting report released this week is Cisco's 2017 Annual Cybersecurity Report. It focuses on breaches, why they occur, and what their true costs are. Breaches have become so lucrative an opportunity for criminals that we're seeing, Cisco says, a tremendous resurgence in "classical" compromise techniques, especially adware and spam. Spam in particular has surged to levels not seen since 2010 - some 65% of worldwide email traffic, according to Cisco. Cisco is also seeing the sort of professionalized black market RedOwl and Intsights found when they looked at insider recruitment. In particular, Cisco was struck by the way attackers mirrored the middle management of their targets. The effects of a breach on a business can be considerable. 22% of companies that suffered a breach lost customers as a result, and almost half of the ones who did lost more than a fifth of their customer base.

Dave Bittner: [00:04:33:14] Some organizations find the process of running an IT operation daunting and expensive, and choose to outsource their IT. Vadim Vladimirskiy is CEO of Adar Incorporated, provider of Nerdio streaming IT services.

Vadim Vladimirskiy: [00:04:47:18] There are these core five things that every business that relies on any kind of IT leverages, and they are, you know: the servers that generally host the data; there are the desktops, which are the end users' sort of mission control - that's where they're on their applications and write their emails and things like that; but then there's, in every environment there's typically a, a messaging and collaboration and productivity suite, something, you know, like email and, and Skype for Business, or, or Google Apps, as well as the office product - the Google Docs - to, to actually generate documents and spreadsheets. And then the other two services are: backup and disaster recovery; and then finally security. And obviously security has been very much at the forefront recently, but having good data protection measures - things like antivirus and spam filtering and firewalls and, you know, a host of other services - is very important.

Vadim Vladimirskiy: [00:05:44:00] So, so those are the core five technologies that are, are really common across all environments. And what IT as a service does, is it allows you to create a, a package integrated, comprehensive view of all of these technologies, where they can be all managed together, they can play nicely with each other - when one gets upgraded, the other things don't break - and just gives you a very, a very nice, comprehensive, cohesive view of the fundamental IT components of any small, mid-size business's organization.

Dave Bittner: [00:06:18:12] And, and so, you know, beyond these offerings, if I have additional things that I need to run, you know, within my system, there's, there's possible integration with, with other tools as well?

Vadim Vladimirskiy: [00:06:30:05] Absolutely. I mean, you know, any good IT system starts with a foundation, but just the foundation doesn't provide much value. You know, most businesses have accounting software, ERP software, you know, creative suite type products. It's a stable platform that has all the fundamentals taken care of and then the organization can go in and add their own line of business applications, add their own data, and run any platform, any software application on top of an IT as a service platform, like Nerdio.

Dave Bittner: [00:07:02:23] And is there a particular, you know, range of sizes of business that this is most suitable towards?

Vadim Vladimirskiy: [00:07:09:00] You know, what we've found is that the organizations in, you know, ten to about 400 or 500 employees generally see the most value out of a comprehensive IT as a platform. You know, for smaller companies, you know, there are lots of really small business oriented tools that are not as comprehensive as a private Cloud may be; and then for larger companies, they tend to have a much more hybrid type of deployment, where they have their own data center, they have some applications that absolutely have to stay on premise, and they don't want to move them out into the Cloud. So what we've found is sort of the, you know, the mid to large size of the S and the low end of the M market, you know, is where this makes the most sense and delivers the most value.

Dave Bittner: [00:08:03:16] That's Vadim Vladimirskiy. He's the CEO of Adar Inc. They provide the Nerdio streaming IT services.

Dave Bittner: [00:08:12:03] It's long been noticed that the Internet provides threat actors with a ready-made research, development, and acquisition capability of a calibre formerly accessible only to nation-states. This is why, FUD or no FUD, security experts fret constantly about how the bad guys are ahead of us, that the good guys are being out-innovated, and so on. Some ISIS documents recently captured in Mosul may help flesh out how this works. They indicate that the Caliphate is taking an interest in adapting commercial drones as weapons. This latest bit of information warrants a look back at a 2008 Naval Research Advisory Committee study that predicted exactly this development, in pretty much exactly this form. The Committee, which was working on a topic posed by the US Marine Corps, concluded, quote, "Credible threats to Marine capabilities and gaps can be developed from imaginative combinations of commercial products. These products can be acquired via the Web and distributed by the global supply network. Commercial technologies are readily adaptable into systems or devices that can threaten Marine forces. The internet functions effectively as both an R&D resource and supply chain for irregular forces throughout the world. Commercial technologies pose a real threat, an enduring threat, to Marine forces." End quote. And we're seeing this played out, almost a decade later. You can go to nrac.navy.mil for that report, which remains surprisingly topical.

Dave Bittner: [00:09:36:23] As Russia's FSB purge continues, defense intellectuals continue to apply their game-theory tools to analysis of US-Soviet--rather, US-Russian great power competition. It's almost as if we're reliving the Cold War, but then today is Groundhog Day. And, of course, if you haven't already heard by now - and we hope you've been following the story as closely as we have - early this morning Punxsutawney Phil saw his shadow when he emerged from his den on Gobbler's Knob. That's six more weeks of winter. We hear it starts for us in Baltimore this weekend. Thanks a lot, Pennsylvania. And for the rest of you, happy Groundhog Day.

Dave Bittner: [00:10:19:03] Time for a message from our sponsor, CyberArk. Are you in the Cloud? Sure you are. So let's take a moment to tell you about our sponsor CyberArk, the only security company focused on eliminating the most dangerous of cyber threats: abuse of insider privilege. The Cloud promises both efficiency and flexibility, but the Cloud also has its distinctive challenges - especially the way it uses new and powerful credentials to provision, configure and manage thousands of machines from a single console. CyberArk builds privileged account security into the Cloud, with automatic provisioning and seamless integration during migration and management. Their holistic solution lets you enjoy the benefits of the Cloud, while reducing the risk of privileged account abuse. Visit cyberark.com/cyberwire to learn more on how you can secure the cloud with CyberArk, the company that secures privilege from the endpoint to the cloud. Once again, that's cyberark.com/cyberwire. And we thank CyberArk for sponsoring our show.

Dave Bittner: [00:11:21:21] Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and director of the Maryland CyberSecurity Center. Jonathan, you were one of the authors of a paper that was recently released called All Your Queries Are Belong To Us: The Power of File Injection Attacks on Searchable Encryption. Tell us about searchable encryption.

Jonathan Katz: [00:11:41:03] Well, searchable encryption allows a client to upload encrypted files - you can think about emails as an example - to upload these encrypted files to a server. And normally, if you just encrypted your files and uploaded them, the server would have no idea about anything stored in those files, and in particular would be unable to search for keywords in those files. But searchable encryption is a specifically modified form of encryption that makes sure that the client can still issue queries and do searches over their encrypted files, without revealing too much information to the server.

Dave Bittner: [00:12:13:04] So what's the status of the research when it comes to searchable encryption?

Jonathan Katz: [00:12:16:24] So one of the things that's been really interesting here, is that if you imagine trying to leak nothing to the server while still allowing the client to do searches, it turns out to be very hard and even in some senses impossible. So what a lot of researchers have been doing over the past few years is designing systems that leak just a little bit of information, kind of you can imagine the minimal amount possible, while still allowing the client to perform searches. And what's been interesting here is that it's sort of unclear, and it's sort of been a little bit of a cat and mouse game to figure out the implications of that leakage. And so one of the things our paper was showing, actually, is that some of the schemes that had been proposed in the literature are actually very vulnerable. And even though they only admit a very small amount of leakage to the server, an attacker could exploit that and learn lots of information.

Dave Bittner: [00:13:00:22] So let's dig in on that a little bit. What can you tell us about the attack?

Jonathan Katz: [00:13:04:06] Well, in our particular case, we were looking at a server that was malicious and wanted to learn information about the different search terms that were being queried by the client. And what we observed is that the server can actually act as a sender, as a legitimate sender, sending emails to the client - whether, you know, under its own name or whether by just opening up a fake email account and sending emails. And the point is that when the client then encrypts his emails and uploads them to the server, if the client ever searches for a keyword that happens to also be in one of those files, then that information is going to be leaked to the server, and that allows the server to figure out something about the query that the client is issuing. And so what we showed, basically, is different trade-offs in which the server could inject different numbers of files to the client and, without the client even noticing that anything was going on, eventually learn all of the client's search terms. So really what this shows is that we don't really have a good handle yet on what the implications of this leakage are in the real world, and obviously we need more work to try to find the right balance between the efficiency of the scheme and the leakage that it has.

Dave Bittner: [00:14:09:00] All right, interesting stuff. Jonathan Katz, thanks for joining us.

Dave Bittner: [00:14:14:24] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors for making the show possible, especially to our sustaining sponsor Cylance. For more information about how Cylance can help protect you, visit cylance.com. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik, our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.