Facebook comes to Washington. Research ethics? IoT threats. Switch bug exploited in the wild. Criminal misdirection. Russia and the West, again. And what do cybercriminals earn?
Dave Bittner: [00:00:03:22] Facebook begins facing the Congressional music today. What are the rules for online research, professors? Experts say they're worried about weaponized IoT hacks. Hoods exploiting Cisco switch vulnerability in unpatched systems. Named threat groups and bugs as insider misdirection. As relations between Russia and the West worsen, some in Moscow call an end to Peter the Great's experiment. Verizon's annual data breach investigation report came out today; we'll talk to one of the report's authors. And how much do cybercriminals make, and what do they spend it on?
Dave Bittner: [00:00:43:06] Time to share some words from our sponsor, Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by booth 3911 in the North Hall and meet up with their expert professional services staff, or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the Digital Shadows Security Leaders Party. Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning, or ask about their industry-leading research into threat actors who threaten our power grid. You can learn more about their presence at RSA by searching join cylance@rsaconference2018, and we thank Cylance for sponsoring the CyberWire. That's join cylance@rsaconference2018, and be sure to connect with the company that's making a difference in security, and we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:42:02] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 10th, 2018.
Dave Bittner: [00:01:54:06] As Facebook CEO Mark Zuckerberg appears on Capitol Hill to testify about a range of topics, mostly related to the privacy concerns surrounding his company's platform, another quasi-research organization, Cubeyou, is said to have scooped up users' data by inducing them to take various quizzes.
Dave Bittner: [00:02:13:08] Cubeyou is a market research firm, of course, and quizzes and surveys have long been used to collect information destined to be used for marketing. Some other research projects that have drawn adverse attention and comment, however, have been more academic in nature. We've got a question for university review boards. Has this sort of issue surfaced in the course of human subjects' research reviews, and how do research review boards handle them? It's easy to think of these boards as confined to biomedical research, but behavioral and social scientific studies are also often submitted for consideration, and how's that working out?
Dave Bittner: [00:02:53:14] Verizon published the 2018 version of their Data Breach Investigations Report today, one of the most anticipated and respected cybersecurity reports. Gabriel Bassett is a Senior Information Security Data Scientist at Verizon, and one of the authors of this year's DBIR. He joins us to share the results.
Gabriel Bassett: [00:03:12:11] We've always seen large attacks using social actions, things like phishing or pretexting, but this year we saw concerted attempts to get tax information, the US W-2 information. And I think that's a substantial trend it's really interesting, because I like to think about the attackers as always looking for the best value proposition. They're shopping around, and when we see a new attack, I kind of see it as the attackers having found a better deal. And so when we see something like attacks on tax information, W-2 thefts, come up, it's like the attackers have found this new, better deal. And it makes sense, right? Because now, when they send a phishing email, they're not just stealing one person's data, they're stealing a whole bunch of people's, and then they can use that to go and commit tax fraud on an entire slew of people at the same time.
Gabriel Bassett: [00:04:04:14] Another trend that we saw rise substantially was ransomware. Ransomware breaches doubled again, year over year, and, and that makes sense. There's more and more people getting in this game, and I think the reason that attackers are jumping onto this is, again, it's a good value proposition for the attacker. It's low risk, you know, it's not like physically stealing a laptop where you have to physically be near your target. You can target people all over and then, once you target, it's really easy to monetize, right.
Gabriel Bassett: [00:04:32:23] With the incorporation of cryptocurrencies, it's very easy to get paid no matter where you are in the world. It used to be that the cryptography was the hard part of the equation, but now attackers can simply purchase or lease out that portion of the attack chain, and that gives them the opportunity to make this a very easy and quick attack. The hardest part now is really the customer service, right. They have to be able to educate people who are probably otherwise unaware of how to use Bitcoin or decrypt systems on just how to use their tools.
Dave Bittner: [00:05:09:24] And one of the things the report points out is that the human factor is still critical. You had some interesting statistics when it came to phishing.
Gabriel Bassett: [00:05:17:00] Yeah, I think some of our statistics around social attacks and phishing were really interesting, and especially from our non-incident sort of data because, in addition to the half a million security incidents we have - and when we say incidents, we mean a compromise of confidentiality, integrity or availability, not like an alert on your SIM. So we have half a million incidents, but we also analyzed half a billion records of non-incident data, and that would be things like malware or phishing tests or such.
Gabriel Bassett: [00:05:45:12] Seventy-eight percent of people don't click a single phishing email all year, or at least phishing testing, right. And so, a good portion of your company is doing a great job. On the other hand, on any given test, the median is for 4% of the people that are tested to click, and one of the things we found analyzing data, is that the more times someone clicks, the more times they're likely to click in the future. And so if you have someone that clicks five times, they're more likely to click six times. If they click ten times, they're more likely to click 11 or 12, and that means that you can go and find who the people in your organization are that are likely to click phishing emails. And that's great news right, because now you know where to look for the threat, and it's not because these people are in some way worse at security.
Gabriel Bassett: [00:06:31:07] There's a lot of people in our companies that have to open attachments from people that they don't know as part of their job. So, if you're in the legal department and someone sends you a PDF and says it's important to your job, you'd have to open that. If you're in the marketing, the PR department, and someone sends you a PDF, whether or not you know the sender, you need to open that attachment. You know, it's not that they are necessarily making bad choices, but they're trying to do their job in the context of security.
Gabriel Bassett: [00:06:56:22] And so find those people and say, "Look, you know, do they really need a full computer?" For me, as a data scientist, I've got all this data science software, but you know they're probably using kind of the standard Office applications, you know, and web browsing tools. And so they'd be fine with just a sandbox operating system, a sandbox Windows system, or an iPad or a Chromebook. Would they be happy with that? And then you get the benefit of security and they get the happiness about this nice, streamlined system.
Dave Bittner: [00:07:26:16] When you look at this year's report, is there any good news? Is there any areas where we're gaining on the problem?
Gabriel Bassett: [00:07:32:19] It's like two different questions there, right. There's, there's, is there any good news? And is there, are we gaining on the problem, like is it improving? Because it's certainly good news. Like, the very small number of the breaches in our corpus are ever related to vulnerabilities. Rather than take that to mean that somehow vulnerabilities are unimportant, I like to think that we're doing a good job of fixing vulnerabilities. And there's always going to be these kind of shotgun type attacks, you know when a new CMS - Content Management System - a vulnerability comes out, and the majority of people patch and some don't. For those of us that care about security, I think we're probably doing a good job, and we're, we need to keep up doing what we're doing when it comes to vulnerabilities.
Gabriel Bassett: [00:08:13:08] Another area of improvement is in malware. The median amount of malware on an organization's worst day in the data that we got was seven pieces of malware. On the worst day of the entire year, they got seven pieces of malware. And so, organizations don't necessarily need to sit and think, "Oh my gosh, you know, malware's gonna just be hitting me and hitting me and hitting me," it's like even on the worst day, for most companies, the median company, it's not a whole lot. Most companies only have six or fewer days per year where they even receive any malware. Only less than 2% of companies receive malware even half the days of the year.
Gabriel Bassett: [00:08:49:08] A lot of these problems, we have a tendency in security to look at the worst case, look at the terabit attack, look at the thousands of our day, but that doesn't represent the median company. For the median company, for the median company, the problem is, I think, within that realm where we can handle it.
Dave Bittner: [00:09:07:00] That's Gabriel Bassett from Verizon. The 2018 Data Breach Investigations Report is available on the Verizon Enterprise website.
Dave Bittner: [00:09:17:23] There's growing alarm over ongoing exploitation of insecure Internet-of -things devices. They've been deployed for years. Experts are concerned that neither policies nor the devices themselves are ready for threats that appear poised to weaponize IoT vulnerabilities and cause kinetic effects. Others warn that industrial control systems present distinctive problems. They may have vulnerabilities that render them susceptible to destruction and to malfunctions that could compromise safety as well as operations.
Dave Bittner: [00:09:49:10] The vulnerabilities in Cisco switches used by apparent hacktivists to deface Russian and Iranian sites is now being widely exploited against unpatched systems by Russian hackers, mostly criminals.
Dave Bittner: [00:10:03:06] A High-Tech Bridge study suggests that the notoriety of named threat actors and well-marketed vulnerabilities is being used as misdirection by malicious insiders interested in covering their tracks. As in, "Hey boss, it was like that when I walked in. Do you think it was, like, that Spectre thing?" "What, we lost data? Wow, must've been that Fancy Bear you've been reading about, eh, boss?"
Dave Bittner: [00:10:27:05] Russian President Putin's advisor, Vladislav Surkov - Putin's "Rasputin" - sees 2018 as marking the end of Russia's attempts to turn westward, terminating aspirations that go back to Tsar Peter the Great. US Intelligence Community insiders differ over whether the US actually has the political will to punish Russia for misbehavior in cyberspace and elsewhere. Whether economic sanctions announced last week are hurting Moscow or not, they're being felt in London, where the City is nervous about disruption to Russian investment. Many millions have found their way into London's financial exchanges and, for that matter, real estate markets. If the oligarchs flee back to Russia, what becomes of those markets?
Dave Bittner: [00:11:12:23] And finally, what do cybercriminals actually do with the money they collect? It seems, according to a report by Bromium, that they spend their ill-gotten but untaxed gains on the kinds of things regular working stiffs and suits do: paying bills, buying gifts, purchasing disposable diapers, reinvesting in the business, and diversifying into stocks, bonds and real estate. Bromium estimates that criminal bigshots pull in up to $2 million a year - good CEO wages. Middle management can make up to $900 million. Entry level hackers make around $42,000 which, come to think of it, is better than a lot of journalists with some years under their belt. But kids, don't turn to crime. In the long run, it really doesn't pay. Bromium says they'll have more on this at RSA, but hey, how do they know? Who are you talking to, Bromium? Mm.
Dave Bittner: [00:12:09:13] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security: thecyberwire.com/vmware. And we thank VMware for sponsoring the CyberWire.
Dave Bittner: [00:13:09:14] And I'm pleased to be joined once again by Daniel Prince. He's a Senior Lecturer in Cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about clandestine data transmission, and things like network steganography, how people are sort of hiding data in plain sight. What do we need to know about this?
Daniel Prince: [00:13:27:20] Well, this is an area that's really close to my heart, having sort of grown up in my research career looking at network, network protocols and, and sort of how you construct networks. And it started to occur to me that, as the, the protocols that we're using and the systems we're using in networking are getting more and more complex, the opportunities for people to utilize that complexity to hide information is increasing.
Daniel Prince: [00:13:56:00] And so what I'm starting to look at now is how can we actually use things like the complexity inside the IPv6 protocol, or the complexity that, that, that is enabled through software-defined networking, as a mechanism to exfiltrate or send data in a clandestine way between two parties. With a view that if we can get ahead and start to think about things, we can create classifications and then mitigation approaches, so that if the bad guys further down the line start to develop similar tools, we've already got approaches that we think that we can use to, to disrupt that activity and so we're not starting from scratch.
Daniel Prince: [00:14:38:23] It, it's really interesting the ways in which we can hide data quite robustly within the technology. Here at Lancaster there's been a previous piece of work that's looked at this, sort of that we, we did and we published, and that can be found on the web. But the other thing that I'm really interested in is, the different rates at which we want to transmit information and the different uses. When you think about something like a command and control infrastructure for a botnet, that's not necessarily going to be very high bit rate; you just need to send small amounts of information to activate certain activities of, of the bots within the command and control infrastructure. But then you, if you want to wrap that up to maybe IP stealing and exfiltration from, from a network, you might need incredibly high data rates over a, a, a very short amount of time to be able to get that data out.
Daniel Prince: [00:15:26:05] So, it's not a kind of a one-dimensional problem. You know it's some techniques that are, are very easy to hide, very low bit rates. So you wouldn't use that for date, large volumes of data exfiltration potentially. Whereas you might need to develop high data rate techniques. So that's, that's the broad area that I'm, I'm very interested in.
Dave Bittner: [00:15:46:07] And, and where are we in terms of the ability to sniff out this sort of thing these days?
Daniel Prince: [00:15:51:13] So, obviously we've got a lot of tools and techniques out there, that own intrusion detection systems, that will pick up a lot of this type of, I mean a few of these types of techniques and, certainly, a lot of the older type of techniques such as hiding data within ICMP messages, for example are easily detected and, and well, well-known. But the advent of cryptographical techniques makes it harder to actually analyze the data. Where I'm interested is actually can we develop tools and techniques which allow us to transmit information within effectively what is legitimate traffic?
Daniel Prince: [00:16:31:18] So, even if we have the best tools and techniques out there to be able to spot this, the fact that it's legitimate traffic means it just makes it that much more harder. So one example of this could be sending messages to a range of IP addresses and underneath the control of a bad guy, and the reception of those messages to those particular IP addresses would indicate a data exchange. But the messages that they are sending are just fetching legitimate web pages. And it's the ability to be able to chain that together and multiplex that which can be really useful.
Daniel Prince: [00:17:11:07] And what we're seeing is now, you know, a lot of machine learning/AI techniques are being developed to drive anomaly detection within network traffic. But equally, you know, it's entirely possible to use machine learning and AI to drive the other end, to do the pattern-matching that is required in those complex cases of how do you align multiple IP addresses in a network communication which could send messages out of order, and all these types of things, to enable that data exfiltration. So, it's really interesting to see the potential use of these next generation techniques such as AI and machine learning on both sides of, of the, the attack equation.
Dave Bittner: [00:17:55:18] Daniel Prince, thanks for joining us.
Dave Bittner: [00:18:02:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:24:05] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.