The CyberWire Daily Podcast 6.5.18
Ep 613 | 6.5.18

DPRK hackers quieter in the run-up to the Kim-Trump summit. Russian EW. Cryptocurrencies and crime. Law firm social engineering. Dodgy World Cup Wi-Fi. Bad AI, a time-traveler's poly.

Transcript

Dave Bittner: [00:00:00:14] Just a quick reminder to head on over to patreon.com/thecyberwire, where you can find out how to support your favorite podcast. No, not Smashing Security; no, not Defensive Security; no, not Darknet Diaries; it's the CyberWire.

Dave Bittner: [00:00:18:21] The DPRK still seems to be leaving American networks more or less alone for now, however actively they're hacking elsewhere. Everything old is new again, at least with Russian EW. Cryptocurrency crime is a worry everywhere. A look at law firm hacks shows the counselors could use the help of some street-savvy hotel detectives! Beware of World Cup Wi-Fi. Apple's latest updates seem privacy-friendly. We've got some thoughts on AI, and the polygraphing of a time-traveler that sounds totally legit.

Dave Bittner: [00:00:53:22] Time to take a moment to tell you about our sponsor, Comodo. Here's the bad news: there is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless, that's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So, even at 99%, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99% and neither should you. They put those 3,000 daily problems into a lightweight, kernel-level container, where the malware's rendered useless.

Dave Bittner: [00:01:35:06] With Comodo's patented auto-containment technology, they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo you can say with confidence, "I got 99 problems, but malware ain't one." Go to enterprise.comodo.com to learn more and get a free demo of their platform. We thank Comodo for sponsoring our show.

Dave Bittner: [00:02:10:03] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 5th 2018.

Dave Bittner: [00:02:22:15] Covellite, the North Korean Internet-of-Things hacking group, seems to have grown quiet with respect to American targets during the run-up to the June 12th Kim-Trump summit. Covellite, tracked by industrial cybersecurity specialists at Dragos, is said to share considerable infrastructure and malicious code with the Lazarus Group, also known as Hidden Cobra.

Dave Bittner: [00:02:45:06] NATO members, and the US in particular, find themselves re-learning Cold War lessons about Russian electronic warfare capabilities. Russian electronic warfare operators have long enjoyed a reputation for deploying advanced, effective capabilities. The amount of attention the US has paid to those capabilities has tended to wax and wane with operational concerns. Those concerns are high now, especially with the recent demonstrated ability of Russian EW operators to affect US platforms operating in and around Syria. The big picture, and this has been a big picture for some decades, is that the Russian military works hard to integrate EW capabilities across their force, and that they do so in ways intended to secure an asymmetric advantage over Western, especially US, opposition.

Dave Bittner: [00:03:35:22] Russian authorities are said to share Western concerns over the increasing rate of criminal attacks on cryptocurrencies. An official spokesman of the Ministry of Internal Affairs says the problems they're seeing are related to the challenges of tracking the alternative currencies' ownership, the relative difficulty of blocking their transactions, and their attractiveness to fraudsters, all of which should sound familiar. There were no specific mentions of our two favorite alt-coins, WhopperCoin and Dogecoin.

Dave Bittner: [00:04:06:24] The New York Law Journal took a look at trends in social engineering and concluded that law firms are surprisingly easy marks. It's not as if Blofeld or Goldfinger or some other high-tech Bond villain is hacking in. "No, counselor," the Journal says, "you're being had by the kind of petty grifters who, if they weren't working online, would be selling you really genuine merchandise out of the trunk of their car on some corner in Tribeca or Soho."

Dave Bittner: [00:04:35:20] Anyone attending World Cup events this summer should be aware of the significant risk Wi-Fi hotspots present. Maybe better to leave your phones off, football fans.

Dave Bittner: [00:04:47:04] Apple's latest round of updates are regarded as markedly friendly to user privacy. MacOS Mojave and iOS 12 both include features designed to block secret trackers, and a feature being tested for iOS 12, USB Restricted Mode, is designed to impede Cellebrite's unlocking tools the FBI and others have used. The Safari browser also has new features designed to impede ad-trackers.

Dave Bittner: [00:05:14:06] Voters in eight US states head to the polls today to cast ballots in their primaries, and the security and integrity of those elections is of concern to officials and citizens alike. John Dickson is a Principal at security firm Denim Group, and he offers his thoughts on election security.

John Dickson: [00:05:31:01] By far the preponderance of resources and responsibility for elections lies at the state, and typically county level, sometimes at the municipal level. There's a popular misconception that the hardware voting machines equals the voting system. That's just one component of it. Yes, if you have physical access to a voting machine, as if you would have physical access to any device, you can certainly break them in many cases. But guess what election officials across US are good at? They're really good at detecting one or two people hovering around the back side of a voting machine in a voting area - that's what they do - they minister and watch to see people are voting correctly. The likelihood of somebody being able to prosecute a physical attack, without being noticed, is exceedingly small, I would argue. So, the bigger infrastructure, the stuff that worries many and is most certainly already in play, is the voter registration systems of the 50 states plus territories in DC, and then also the election night reporting infrastructure.

Dave Bittner: [00:06:38:20] Do you suppose we are emphasizing the right things then? Are we shining a light in the right areas? Are we focusing our energy where it's best spent?

John Dickson: [00:06:47:11] I would say we're becoming better at it. If you go back to, I think it was Defcon last year where researchers attacked and then were able to root six different voting machines, that was covered all over national press and I think that wildly distorts the problem. First of all, again, these are outdated and, I think, non-certified voting systems, if I'm correct there. More importantly, the attack scenario was completely not realistic. I mean, again, guys with hoodies hovering behind a voting machine is going to get noticed by an election judge.

John Dickson: [00:07:23:19] It's the other parts of the infrastructure that I think we're starting to realize have some of the similar problems that just general web and network infrastructure has. The biggest problem is you have, at the state level, election officials who have really focused on the integrity of the tabulation process, and of the integrity of the voting process in systems really driven off of their major event nearly 18 years ago in Florida with the hanging chad. Much of the improvements, on the hardware and system side, have been around, "How do I guarantee the integrity of the vote that's cast and the process in that vote all the way up to the Secretaries of State, and then onward to DC, if it's a federal election?"

John Dickson: [00:08:14:12] The problem we have here is that is a one use case, to use an IT term. But the other use case that we're confronted with now, is when you have an active human that is trying to do things and disrupt and distort and to inject themselves into this process, and that's a different use case - a different protection case. I think what people are starting to realize, is much of what was implemented on the hardware side, by the many vendors that are in the space, really were aimed at solving that problem, the integrity problem, and the confidence and ability to tabulate and tally votes and to process those. This is a different problem, and one that takes an entirely different mindset to start to solve.

John Dickson: [00:09:00:15] The hardware problem is substantial and challenging, but that is not the only problem. There's centralized aggregation points of collection, and the voter registration is where many people in industry now suspect that are the weaker leaks or the areas that, as an attacker, you're going to concentrate your efforts.

Dave Bittner: [00:09:24:05] That's John Dickson from Denim Group.

Dave Bittner: [00:09:28:20] The Director of the FBI has warned, in Congressional testimony, that Chinese espionage is a whole-of-nation problem. The US Congress is considering legislation designed to restrict Chinese intelligence collection. Some of its concerns are over the security implications that widespread use of devices by Huawei and ZTE are feared to raise. Other measures of consideration involve the sort of consciousness-raising Congress so often invokes in the Executive Branch. The measures under consideration would require regular reports on Chinese intelligence activities.

Dave Bittner: [00:10:03:13] The fact that such activities are significant is indicated by a recent arrest in Seattle. The US Justice Department has charged former US Army Warrant Officer and DIA civilian employee Ron Rockwell Hansen with 15 counts related to spying for China, including attempting to gather or deliver national defense information to aid a foreign government and acting as an unregistered foreign agent. Federal agents picked him up as he was about to board a flight to China. Mr. Hansen had worked, according to reports, in both signals and human intelligence, and had some background as both a Russian and Chinese linguist.

Dave Bittner: [00:10:44:13] Finally, speculation about artificial intelligence tends to follow roughly three paths. One path, the trans-human road to immortality that will survive even the heat-death of the universe, believes firmly in strong AI and envisions a future in which artificial consciousness becomes not only a reality, but in effect an emergent godhead in which all of us will participate, or at least those of us with enough stock in the right Silicon Valley companies.

Dave Bittner: [00:11:11:20] The other path sees AI as an incipient Skynet, ready to off-board human beings as superfluous nuisances. Along the way, we'll see mass unemployment, slavery in spice mines, so on, and it won't matter what your portfolio looks like.

Dave Bittner: [00:11:27:18] Now, thanks to MIT, we have a glimpse of this dystopian second way. They've created a malevolent AI they call Norman, in an apparent homage to the psycho killer from Hitchcock's Psycho. Norman was trained on the danker memes from the creepier precincts of the Internet. The Media Lab calls him, unkindly we think, the world's first psychopath AI. It's their own fault, we say, because they're the ones who turned him loose to be trained on Reddit.

Dave Bittner: [00:11:57:19] But wait, you ask, what about that third way, that one that sees AI as more A than I - useful, but also troublesome in that typically ambivalent and backward-striking way most human-created technology has?

Dave Bittner: [00:12:12:01] Alright, fine, if that time traveler with a Birmingham accent who recently passed a polygraph administered by some paranormal researchers in the UK is right, this is more or less what we're in for.

Dave Bittner: [00:12:25:05] You missed the time traveler? Well, here's the skinny straight from the year AD 6491, which is at least four millennia more credible than the last guy who passed the poly - he was only from the year 2030.

Dave Bittner: [00:12:38:12] Anyhow, the time traveler, one Mr James Oliver, says that climate change had made the world warmer, so it's less comfortable, maybe, but not lethally so. On the bright-side, there's like this interplanetary UN where planetary leaders keep interplanetary peace. Also, the aliens we're going to meet over the next couple of millennia won't be a lot more interesting than the jokers we deal with every day. He's stuck here in the present because his time machine broke and he's hoping his buddies read all this stuff and come back for him.

Dave Bittner: [00:13:14:13] Now a moment to tell you about our sponsor, ObserveIT. It's 2018, traditional data loss prevention tools aren't cutting it anymore - they're too difficult to deploy, too time-consuming to maintain, and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach.

Dave Bittner: [00:13:32:23] With ObserveIT you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization, that's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. We thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:23:16] Joining me once again is David Dufour. He's the Senior Director of Engineering and Cyber Security at Webroot. David, welcome back. As we see upcoming regulations and a continued emphasis on cybersecurity, we're seeing some new roles when it comes to security. What's your take on this?

David Dufour: [00:14:41:10] Thanks for having me back. We are seeing a lot of new roles, both inside organizations and then where you're hiring people to support security. Additionally, the training that people need in universities and things like that to be able to come in and build products that actively help prevent threats or detect threats, things of that nature. So there's quite a lot going on right now.

Dave Bittner: [00:15:06:07] Can you give me some specific examples? What kind of things are folks spinning up these days?

David Dufour: [00:15:10:23] One of the biggest things, and I know we hear about this a lot so let's remember I'm on the engineering side not on the sales and marketing side - AI machine learning. I cannot underscore the need in the industry for folks who are trained and well-qualified in building solutions with that in it. We're trying to get past the hype of saying, "We've got AI," or, "we've got machine learning." What we need are those people that are really well-trained in how to implement those solutions, such that products use them most effectively. That is not something you just learn overnight. There's a lot of work involved in understanding how to build those models, build machines that consume data, and then understand how to pull and analyze that data to build effective machine learning tools.

Dave Bittner: [00:15:58:05] I think we're also seeing, besides the traditional computer science pathway, that there are lots of other roles within cybersecurity. Folks coming up through school or are looking for perhaps a new career, they can take advantage of those needs.

David Dufour: [00:16:14:00] That's absolutely right. We are looking across the board at different types of folks in the industry, from mathematicians, people who understand human behaviors - we're seeing a lot of them get involved with the machine learning folks, to be able to develop user based stuff. Totally not being my normal snarky self here, we need a lot more technical PR, technical marketing folks to come out, to be able to really educate the consumer and the industry, because a lot of us engineers aren't really good at communicating that. You need people with that technical background and understanding, but in all types of fields.

Dave Bittner: [00:16:54:08] Don't let the technical stuff scare you away from perhaps pursuing a career that's related to cyber?

David Dufour: [00:17:00:15] That's exactly right and right now there's really not a better place to be than getting involved in cybersecurity in some way. Another thing, David, once you're in the industry you realize you're actually helping people and that feels pretty good too.

Dave Bittner: [00:17:15:11] It's a great point. David Dufour, as always, thanks for joining us.

Dave Bittner: [00:17:25:05] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:17:53:08] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:18:03:07] Our show is produced by Pratt Street Media, with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.