The CyberWire Daily Podcast 1.11.18
Ep 513 | 1.11.18

Aadhaar updates. Fancy Bear doxes the Olympics. WhatsApp snooping vulnerability discussed. Spectre and Meltdown patching. US House reauthorizes Section 702. Bitcoin isn't Bitcoin Cash.

Transcript

Dave Bittner: [00:00:00:21] Thanks again to all of our Patreon supporters. You can find out how you can become a supporter at patreon.com/thecyberwire.

Dave Bittner: [00:00:10:20] The Government of India works on Aadhaar security, suspending many officials' access. Fancy Bear doxes the IOC. A WhatsApp snooping proof-of-concept is revealed. Spectre and Meltdown patching continues. The US House votes to reauthorize Section 702 surveillance (the Senate is considering its own version). On the FBI's unwanted list: jerks and evil geniuses (and they're scowling in the direction of Cupertino). And, conflating Bitcoin with Bitcoin cash could have been an e-commerce issue.

Dave Bittner: [00:00:48:02] Now, I'd like to share some words about our sponsor Cylance. You know you've got to keep your systems patched, right. Patching is vital. And, WannaCry, which hit systems that hadn't been patched against a known vulnerability, well that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you went for modern end point protection. Think about protecting the end points from the threats you never see coming. Cylance endpoint security solutions will do exactly that. Bin the bad stuff off and do your patching quickly, but systematically. It's artificial intelligence, and it's a natural for security. Check out the Cylance blog, Another Day Another Patch, at cylance.com. And we thank Cylance for sponsoring The CyberWire. That's cylance.com for cyber security that predicts, prevents and protects.

Dave Bittner: [00:01:48:03] Major funding for The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Thursday, January 11th, 2018.

Dave Bittner: [00:01:57:01] India continues to deal with breach concerns surrounding the country's Aadhaar database. Many in the press are calling the comprehensive national identity system too big to succeed, as it offers the ill-disposed a target so big, a billion-plus individuals enrolled, that it's impossible to resist. It also presents administrators with an attack surface arguably too difficult to defend. The apparent breach is thought to have arisen from abuse or misuse of privileged accounts. The government is sorting the system out. One early step in doing so has been suspension of some 8,000 officials' access to Aadhaar.

Dave Bittner: [00:02:37:23] We've seen many reports of South Korean companies being phished with well-timed and well-crafted Winter Olympics bait. But there are other capers being cut during the run-up to this Olympiad. The Rio games were afflicted with a lot of retaliatory doxing when Russian competitors were kicked out for doping.

Dave Bittner: [00:02:55:11] The South Korean Winter Games are apparently going to be no different. Fancy Bear is out of hibernation, and has been grubbing up International Olympic Committee emails and releasing them in what's evidently an effort to discredit the international athletic anti-doping program. And why? Well, last month the IOC banned the Russian team from competing, because it decided there was just too much performance enhancement going on. Clean Russian athletes are welcome to show up and compete as individuals under the five-ringed Olympic flag, but the white-blue-and-red Russian tricolor will be neither worn, displayed, nor paraded. Any Russian athletes who take gold will be celebrated on the stand with the Olympic anthem, "Bugler's Dream," and not "Russia Our Holy Nation," the melody of which listeners of a certain age will remember as "Indissoluble Union of Free Republics."

Dave Bittner: [00:03:48:10] This is, seriously, a shame, and it would be nice to have Russians compete as Russia. Expect more Fancy Bear sightings over the coming month, however, since Fancy doesn't tend to forgive and forget, letting bygones be bygones.

Dave Bittner: [00:04:04:01] Researchers at Ruhr University Bochum report that WhatsApp's group chats are vulnerable to infiltration and snooping by uninvited parties.

Dave Bittner: [00:04:14:12] NVIDIA has released patches for its GPU that are inspired by Spectre, but it also says that Spectre really isn't a problem for its system. IBM is carefully preparing Meltdown and Spectre patches with all deliberate speed, they should be out early in February. Microsoft warns that, now and henceforth, anti-virus software must be compatible with its Spectre and Meltdown patches. If not, systems with incompatible security products won't be getting updates from Redmond.

Dave Bittner: [00:04:43:14] EY recently released the latest version of their annual global information security survey. Shelley Westman is a Principal at EY in cyber security, and she joins us to run the numbers.

Shelley Westman: [00:04:54:14] Most organizations feel they're at increased risk today versus 12 months ago, and that's for several reasons. First of all, cyber attacks are getting more sophisticated, as we know, those of us in the industry. But, on top of that, organizations are being more connected than ever when we look at things like IOT and digital. In fact, what's very interesting is that the World Economic Forum rated a large scale cyber security breach as one of the five most serious risks in the world.

Shelley Westman: [00:05:29:19] So, with that as a little bit of backdrop, what we find is that the mounting threat requires a more robust response. And this year's GISS revealed that many organizations are continuing to increase their spending on cyber security. 59% of those surveyed say that their budgets have increased versus 12 months ago. 87% say they need up to 50% more budget than they have. But, here's the important number, only 12% expect to get an increase of more than 25%.

Shelley Westman: [00:06:06:07] What we found from the survey is quite troubling, is that many organizations are waiting until the worst happens to get an increase in budget. 76% said a breach that causes damage will allow them to get increased resources. But, 64% also said an attack that doesn't appear to cause harm would be unlikely to increase the budget. This is higher than last year and concerning, because damage will be done in attack, whether or not it's apparent at first glance. These attacks could be a way to test the set up of a company, or to take attention away and divert it from another attack that's going on.

Dave Bittner: [00:06:51:19] One of the things that caught my eye was a statistic that only 32% of boards have sufficient cyber security knowledge for effective oversight of cyber risks. Now, that's interesting to me, because something I've heard in the past certainly year or so, is that cyber security is getting more attention from boards. But the numbers here don't bear that out.

Shelley Westman: [00:07:14:03] First of all, only 50% of the organizations that we surveyed report up to the board. Boards still can be intimidated to ask a question on cyber security. Some boards have CSO that's coming in and reporting to them, "Hey, we stopped 10,000 attacks today." Is that good? Is that bad? Was there 10,001? Was there 15,000 attacks that needed to be stopped, and 5,000 of them got through? So, some boards are still not finding enough courage, if you will, or gumption to ask the hard questions of the CSO, and ask them to put that into English, and that could be a problem. In fact, 89% of the respondents in this survey have said that the security function in their organization doesn't fully meet the organizational needs. And then you couple that in with what we're seeing around the board, and that can definitely lead to ramifications.

Shelley Westman: [00:08:10:07] One of our top pieces of advice is you've got to make sure you've planned out crisis management. When you think about it, if there's an emergency going on, if there's firefighters running to a fire, if there's doctors and nurses that know what to do, they know how to do this, because they've actually prepared for a breach. Companies that don't prepare for a breach, or that just have a plan written down, but not practiced, do not do well when a breach actually occurs, because they waste too much time figuring out what to do.

Shelley Westman: [00:08:45:03] One of our top recommendations is really make sure you're rehearsing what to do. What do you do if all of your networks go down? Do you have written cards that tell you where to find someone's phone number? All of us rely on the network to look somebody up. If that's not there, how do we get in touch with them? Who's going to talk to the media? Who's going to alert the board? How quick can the board be pulled together? If there's ransomware involved, who's going to decide whether you're going to pay the ransomware? All of these scenarios have to be thought out in advance, because when you're facing a breach, there's simply not enough time to do that.

Dave Bittner: [00:09:22:00] That's Shelley Westman from EY. You can dig into all the numbers and find out more about their global information security survey on the EY website.

Dave Bittner: [00:09:31:22] The US House of Representatives today passed its version of Section 702 surveillance reauthorization. The Senate will soon take up its own; should that be passed, as most observers expect, a conference would determine a final version.

Dave Bittner: [00:09:47:18] The US FBI continues its relatively lonely counteroffensive in the crypto wars. This time Apple is the target, as a senior Bureau official says Apple is a bunch of "jerks" and "evil geniuses" for encrypting iPhones in hard-to-break ways. Apple seems to be less jerky when in China. It's moving Chinese iCloud account data to servers in the Middle Kingdom.

Dave Bittner: [00:10:11:02] Coincidentally or not, FBI takedowns of cybergangs dropped significantly in 2017, by about 90%. No reason for this is given, and the Bureau has declined comment on what the import of the drop may be. But it has said that on balance it's pleased with the progress it's made in building cyber law enforcement capability.

Dave Bittner: [00:10:32:09] Finally, a tip for those of you who are buying and selling with cryptocurrencies: Bitcoin and Bitcoin Cash are not only not the same currency, but they have very different valuations. Overstock and Coinbase have fixed a website glitch that could have enabled people to buy things for pennies on the dollar: their site had briefly confused the two. It was, as we say a glitch, an oversight, since e-commerce and coin sites do know the difference, but it could have been costly. At the time of the oops, Bitcoin's volatile and swiftly fluctuating value was pegged at around $14,000, while Bitcoin Cash was at the same time worth only about $2,400. So, traders and techno-libertarians, buy, sell, and speculate, but caveat emptor, and caveat vendor, for that matter. Hold onto your digital wallets.

Dave Bittner: [00:11:28:09] Now a moment to tell you about our sponsor, ThreatConnect. On Tuesday, January 23rd, at 10am Pacific, and 1pm Eastern time, they're teaming up with DomainTools for a webinar on Mapping Connected Infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. In order to stay ahead of malicious actors, it's crucial that security teams add context and enrichment to their threat data. The combination of the ThreatConnect threat intelligence platform and DomainTools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively. Join Director of Product Integrations at DomainTools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, to learn how to same techniques can help network defenders and incident responders efficiently protect their own organizations.

Dave Bittner: [00:12:21:11] In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain actor and IP investigations. Sign up today at threatconnect.com/webinar. Once again, that's, threatconnect.com/webinar. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:12:46:18] Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. We want to touch on machine learning and artificial intelligence, and all of the fears we have of Skynet becoming self-aware and so forth. But, before we do, let's just start with some definitions. What's your take on the difference between ML and AI?

Rick Howard: [00:13:11:24] Well, you got that right, you know, it appears that AI and Machine Learning are the two latest favorite squares for your cybersecurity marketing bingo cards. [LAUGHS] But, with all the hype, you know what the one question that nobody is adequately addressing? You know what it is? You mentioned it in the intro. Is when is Skynet going to activate and kill all the humans? That's what I'm worried about.

Rick Howard: [00:13:35:22] For the unenlightened non sci-fi few, let me explain what that is. Skynet features prominently in the Arnold Schwarzenegger Terminator movie franchise. And that all started back in the early 1980s. In the beginning, Skynet was a computer system designed to automatically control the military's response actions during a crisis. But, at some point, it becomes self-aware and decides that not only that humans are not necessary and we might be harmful, and we need to be wiped out. So that's the basis of the entire franchise.

Dave Bittner: [00:14:04:18] We've got modern people like Elon Musk are sounding the siren that perhaps this is a serious concern.

Rick Howard: [00:14:11:08] Exactly right. That's why everybody's talking about it. Stephen Hawking, Elon Musk and Bill Gates have all said we need to be careful about this kind of potential future and they say it's in eyesight. Probably before 2050 we might see real artificial intelligence systems. So, we need to explain what that really is. We can understand why they are alarmed by applying a very simple test. It's a thought experiment, if you will. It was devised by Alan Turing, it's called The Imitation Game. Did you see the movie?

Dave Bittner: [00:14:45:24] No, but I'm certainly familiar with Mr Turing.

Rick Howard: [00:14:48:01] The movie is excellent. If you want a great explanation of what artificial intelligence is. Benedict Cumberbatch plays Mr Turing and I thought he nailed it. Go watch it. I recommend it highly.

Rick Howard: [00:14:59:15] So here is the game. A judge asked a question of two subjects behind a screen. One subject is a human, and the other is a machine. If the judge can't tell which subject is the human and which one is the machine, then the machine, for all practical purposes, can think. So, in the modern day, we see examples of machines starting to pass the Turing test in very specific knowledge domains, such as commercial flight auto-pilots, video game opponents, which is really cool I think, and online computer support. There are other domains where they're almost there, like self-driving cars, such as Tesla, and personal systems, like Amazon's Alexa. So, with these emerging AI's, humans can tell that they're not quite there yet, but we can all see that it will not be very long until they get there.

Rick Howard: [00:15:47:06] So, then what's the difference between Artificial Intelligence and Machine Learning? So, Machine Learning is a softer development technique used to teach a computer to do a task without explicitly telling the computer how to do it. I know that sounds weird, but that's what it is. So, when I learned how to program back in the day, I had to think of every possible outcome for my program, and then tell the program what to do for each case. It's one of the reasons I really sucked at being a programmer. I just was not good at it.

Dave Bittner: [00:16:16:09] Yeah, ten print, Rick, is awesome. 20 go to ten, right? [LAUGHS]

Rick Howard: [00:16:20:05] Exactly. That's what I remember. Got an A on that assignment. [LAUGHS]

Rick Howard: [00:16:25:03] So, today, developers are using big data techniques to search through large piles of data looking for patterns that a human would never notice. So, in other words, we teach the program how to discover all the outcomes, and the big data is the key. Now, this technique would not work without very large collections of data. It just turns out that right now, it's possible for us to get access to these large piles. As an example, at Palo Alto Networks, we use Machine Learning to discover malicious files. Files that bad guys send to victims in order to compromise and ravage their systems. So, Palo Alto Networks has been in the business for over ten years and we have a giant collection of file patterns that have passed through our customer's firewalls. I'm talking about petabytes of patterns. So, we divide them into two buckets; known benign patterns, and known malicious patterns and our engineers then set their machine learning algorithms on the two piles of data.

Rick Howard: [00:17:18:15] So, with an over 90% accuracy rate, and without a human knowing what the program is looking for, our Machine Learning algorithms can guess whether a brand new file that we have never seen before, is benign or malicious just by analyzing the characteristics of the file. So, that passes the Turing test with flying colors.

Rick Howard: [00:17:38:07] If we're going to get to a point where Skynet is possible, the singularity, it's called, from science fiction favorites out there, it will have to contain hundreds, if not thousands, of Machine Learning algorithms, running in conjunction with each other. Now, we are a long way from that being possible today, but we can see that the singularity is no longer just a sci-fi joke. It is something that may be possible within our lifetimes. Now, I'm not saying that Skynet will actually wake up and kill us, but as a society, we are rapidly approaching a time when the singularity will happen.

Rick Howard: [00:18:12:07] In the meantime, get your marketing bingo cards ready. The AI and Machine Learning squares will be around for the foreseeable future.

Dave Bittner: [00:18:20:08] Yeah, I think so. We've come a long way since I used to talk to Eliza on my Apple 2. Alright, Rick Howard, as always, thanks for joining us.

Dave Bittner: [00:18:31:10] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.

Dave Bittner: [00:18:44:02] Thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8Security.com to learn more.

Dave Bittner: [00:18:52:09] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:19:03:06] Our show is produced by Pratt Street Media, with editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.