ISIS coordinates online inspiration campaign with terror attacks. APT10 spearphishing. IE zero day. Twitter won't sell Kaspersky ads. UK sentence in Crackas with Attitude case.

Dave Bittner: [00:00:00:00] A quick thanks to everyone who stopped by the Akamai booth last week at the RSA Conference to say hello. It was great meeting you face to face. And also a reminder that you can support us on Patreon. It's patreon.com/thecyberwire. Or you can leave us a review on iTunes. It really is a great way to help people find our show.

Dave Bittner: [00:00:20:01] ISIS returns to its grim inspiration. China's APT10 collects against Japan. An Internet Explorer zero-day is reported undergoing exploitation in the wild. Twitter won't sell Kaspersky any more ads, but doesn't have any specific explanation for why not. There's some bad but expected news about router security. We cover ZTE's regulatory troubles. And the Cracka with Attitude will do time.

Dave Bittner: [00:00:51:19] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyzes the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:59:03] Major funding for the CyberWire Podcast is provided by Cylance from the CyberWire Studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Monday, April 23rd, 2018.

Dave Bittner: [00:02:10:19] ISIS has resumed its online presence. The terrorist group has claimed credit for a mass murder in Kabul, where a bombing at a voter registration site killed at least 57, with well over 100 injured. The Sunni group ISIS in this case made an explicitly sectarian claim. Its Amaq news agency said that the bombing had targeted Shi'ites, whom Amaq characterized as apostates. ISIS represents a rival to the Taliban for Islamist pride-of-place in Afghanistan and bombings and claims of credit can be expected to remain a principal form in which ISIS will seek to both inspire and recruit.

Dave Bittner: [00:02:51:13] The group also threatened Iraqi polling stations in upcoming elections. ISIS has been largely expelled from the Iraqi territory it once controlled, but the group threatened, late Sunday, to attack polling places during next month's parliamentary elections. Anyone who voles, says the terrorist group, will by that act have made themselves apostates. The prominence of Shi'ite Muslims in the Iraqi government is, of course, another occasion of ISIS enmity toward that government.

Dave Bittner: [00:03:21:13] FireEye says that a Chinese threat group, probably APT10, has been collecting against Japanese networks in order to obtain intelligence about Japan's policy with respect to North Korea. The incursions into various networks were generally accomplished, according to FireEye, by spearphishing. The phishbait was a lecture on defense delivered by the former head of UNESCO, Koichiro Matsuura. The nature of the bait is regarded as suggestive of a motive, China's interest in understanding Japan's point-of-view and likely actions concerning nuclear tensions on the Korean peninsula. APT10 is generally thought to be specially charged with developing intelligence on regional security issues.

Dave Bittner: [00:04:05:13] Chinese security firm Qihoo 360 reports finding a Microsoft Internet Explorer zero-day being exploited in the wild. They're calling it Double Kill and it's transmitted by infected Office documents. Users are advised to avoid opening documents forwarded from unknown or otherwise suspect sources until a patch is in place. Qihoo 360 seems to be strictly following sound disclosure practices, so technical details are sparse, but Redmond appears to have them.

Dave Bittner: [00:04:38:04] Twitter has banned Kaspersky from purchasing advertising on the social media platform. Their rationale is essentially, Kaspersky's perceived ties to Russian security services. As Twitter explained, pointing in the general direction of the US Department of Homeland Security's ejection of Kaspersky products from Government systems, their, quote, "Decision is based on our determination that Kaspersky Lab operates using a business model that inherently conflicts with acceptable Twitter Ads business practices," end quote.

Dave Bittner: [00:05:08:16] Ad or no ads, Kaspersky isn't taking the ban lying down. Eugene Kaspersky has sent an open letter to Twitter CEO Jack Dorsey in which he tweaked the social media platform for what he took to be the incomprehensibility of the ban. Referring to Twitter's statement that Kaspersky's business model inherently conflicts with Twitter's notion of acceptable business practice, Kaspersky wrote, "Huh? I read this formulation again and again but still couldn't for the life of me understand how it might relate to us. One thing I can say for sure is this, we haven't violated any written or unwritten rules, and our business model is quite simply the same template business model that's used throughout the whole cybersecurity industry. We provide users with products and services, and they pay us for them," end quote.

Dave Bittner: [00:05:57:10] He goes on, in the nicest way possible, to accuse Twitter of hypocrisy with respect to its declared commitment to freedom of expression. In a subsequent tweet, not of course a paid Twitter ad, just a tweet, he clarified that, quote, "No matter how the situation develops, we won't be doing any more advertising on Twitter this year. The whole of the planned Twitter advertising budget for 2018 will instead be donated to the Electronic Frontier Foundation. They do a lot to fight censorship online," end quote. Kaspersky Lab spent roughly $93,000 on Twitter ads last year.

Dave Bittner: [00:06:34:16] Twitter hasn't had much to say in response or clarification, no posts on their blog, for example address the ban. A spokesperson repeated the "inherent conflict with acceptable Twitter Ads business practices" line to CyberScoop, and then pointed CyberScoop toward the September 2017 Department of Homeland Security directive telling Federal agencies to remove Kaspersky software from their systems. That directive expressed concern that Kaspersky was too close to the Russian government, and that besides, Russian law compels Russian companies to provide assistance to security agencies. Gizmodo received a similar reply.

Dave Bittner: [00:07:11:18] Eugene Kaspersky has a tweet on that too, out yesterday, quote, "Fun fact: Twitter justified the ad ban against KL with DHS decree, which is based on questionable media reports, which are based on anonymous sources, speculations and false allegations. Censorship in action?" end quote.

Dave Bittner: [00:07:33:02] With concern running high about Russian ability to exploit vulnerabilities in unpatched Cisco routers, results of a survey by BroadbandGenie are discouraging but unsurprising. Most people, survey says, don't update firmware, don't change their router's default credentials, and are unfamiliar with ways of securing their devices.

Dave Bittner: [00:07:55:01] ZTE remains unhappy, to say the least, about a US Commerce Department ban on selling ZTE parts or software. The company said at the end of last week that the move threatened its very survival

Dave Bittner: [00:08:08:10] And finally, the British mastermind, so to speak, of the Crackas with Attitude, has received two years in a British juvenile facility for his role in hacking various US officials. Teenaged boy Kane Gamble will be 20 when he gets out. His slightly older Carolina colleagues, Justin Liverman and Otto Boggs, are presently on sabbatical in Club Fed.

Dave Bittner: [00:08:37:16] I'd like to give a shout out to our sponsor BluVector. Visit them at bluvector.io.

Dave Bittner: [00:08:44:10] Have you noticed the use of fileless malware is on the rise? The reason for this is simple. Most organizations aren't prepared to detect it. Last year BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox Contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware, or just want to learn more, visit bluvector.io. That's b-l-u-v-e-c-t-o-r.io. And we thank BluVector for sponsoring our show.

Dave Bittner: [00:09:40:15] And joining me once again is Malek Ben Salem. She's the R and D Manager for Security at Accenture Labs. She's also a new America's Cyber Security Fellow. Malek, welcome back. Obviously artificial intelligence, we speak a lot about here on the CyberWire and-- but it's not all good news. You wanted to point out there's the potential for malicious use of AI.

Malek Ben Salem: [00:09:59:21] Exactly, yeah, we talk a lot about artificial intelligence and in particular about its use for security, right? Whether it's for the early detection of cyber attacks. We've been using that in intrusion detection systems for a while. We are currently more and more using it to assist stock analysts and insurgent response, obviously in security analytics, others more use of machine learning also to authenticate users based on their behavior using behavioral biometrics. There's a wide range of applications for artificial intelligence for security. But we don't talk a lot about how malicious actors could misuse AI technology and the potential ways we can mitigate those threats.

Malek Ben Salem: [00:10:48:18] There are a number of challenges that AI can pose for security and the first one is that it lowers the cost of conducting many existing attacks. The fact that the attack can become scalable by the use of AI systems automatically means that it can expand the setup actors that can carry out that attack. It can increase the rate at which the attack can be carried out. And it can increase the number of potential targets.

Malek Ben Salem: [00:11:19:09] Let me give an example. You know, think about the automation of social engineering attacks, victims' online information can be used to automatically generate custom malicious websites or links that are sent to them that they are likely to click on. It can be sent from addressees that impersonate their own contacts, using even the writing style that mimics the writing style of those contacts. So that increases basically the likelihood that person will become a victim of that attack and it increased the veracity of the social engineering attack.

Dave Bittner: [00:11:59:08] When we've talked about AI and the potential for bad actors to use it, it's often come up that the expense would keep them from adopting it. Are we heading towards a time when that's no longer the case?

Malek Ben Salem: [00:12:10:11] I think so. I think there are more and more libraries that are available, machine learning libraries that are readily available to leverage by attackers. As they are readily available for, you know, AI researchers. As we as cyber defenders increase our capabilities, obviously malicious actors are also increasing their own capabilities. The second challenge that AI technology poses to security is the fact that it creates new threats and vulnerabilities. Obviously AI technology is software, so it has its own software vulnerabilities. But also it has another type of vulnerability related to data. There are attacks that can be performed against AI, in particular machine learning based technologies, things such as poisoning attacks where the malicious actor can introduce training data that causes the machine learning system to make mistakes.

Malek Ben Salem: [00:13:12:00] That's one type of attack. There are other attacks by giving an input, or adversarial input that is designed to be misclassified by the machine learning system. So I mentioned earlier the behavioral biometric approach for authentication. Let's say we're using keystrokes to profile users' behavior and use that as a way to authenticate that user. The malicious actor can mimic the typing behavior of that user in order to impersonate that person.

Malek Ben Salem: [00:13:45:00] So that would be another way of exploiting a machine learning based system. So basically these are new classes of vulnerabilities. It's not the buffer overflow, it's not the SQL injection attack that we're used to against regular software, regular scripts. This is an entirely new class of attacks that is data driven and that companies have to account for when they're evaluating AI technology for their own defenses.

Dave Bittner: [00:14:16:03] Alright, the game of cat and mouse continues. Malek Ben Salem, thanks for joining us.

Malek Ben Salem: [00:14:20:22] Thanks, Dave, always a pleasure.

Dave Bittner: [00:14:25:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:14:47:12] The CyberWire Podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:14:57:10] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.