
Malware metamorphosis: 2024 reflections and 2025 predictions.
[ KFM Radio jingle ]
Unidentified Person: Home of Only Malware in the Building. [ Music ]
David Bittner (as Casey Kasem): Well, hello there and welcome back to American Top 40. I'm Casey Kasem, counting down the hits and sharing the stories that bring them to life. Now it's time for one of my favorite parts of the show, our long-distance dedication. [ Music ] This week's letter comes to us from Emily in Tulsa, Oklahoma. Emily writes, "Dear Casey, my boyfriend, Jake, is the sweetest guy I've ever met. He's thoughtful, kind and always willing to help out a friend or a stranger for that matter. But Casey, there's one little problem. Jake can't resist clicking on those links in emails that promise things like free vacations or secret stock tips. I keep telling him, Jake, those emails are trouble. But he says, what's the worst thing that could happen? Well, last month, his credit card got maxed out after he clicked on something about a free giveaway. Then last week, his work computer got locked up with something called ransomware. I love Jake, Casey, but his curiosity is putting him and his passwords at risk. Could you play a song to remind him to think before he clicks? It would mean the world to me." [ Music ] Well, Emily, you're not alone. Plenty of folks out there have fallen for the sneaky tricks of cyber scammers, and it sounds like Jake could use a little reminder to pause and ask, is this link legit? So for Jake in Tulsa, here's your long-distance dedication. The 1961 hit by "The King" himself, Elvis Presley, "Suspicious Minds." Jake, remember, when it comes to sketchy emails, if it seems too good to be true, it probably is. [ "Suspicious Minds," Elvis Presley ] That was for you, Jake, and everyone else out there clicking without thinking. Stay safe online, folks, and keep your firewalls high and your guard higher. We'll be back with more of The Countdown right after this. [ "Suspicious Minds," Elvis Presley ] [ Music ]
Selena Larson: And we're back. Dave, you might be stuck in the 80s every day, but on the Threat Landscape, we are a little bit more up-to-date. In modern times, things are changing very quickly, and it's very important to stay on top of our game. So in this episode, we want to look back at some of the sort of things that made us go, huh, or really surprised us or piqued our interest and showed --
Rick Howard: I think we can say that we went, huh, when Dave did Casey Kasem as the intro to our thing, and Dave, a wave of nostalgia rolled over me, okay, as you started the promo, man. That was awesome.
David Bittner: We probably don't have time to do the top 40 bits of malware from the past year, but we can certainly hit on some of our favorites. And yes, I spent entirely too much time sitting in my bedroom with an FM transistor radio on listening to Casey count down the hits.
Rick Howard: Absolutely. I spent too much of my time trying to figure that out. So you and me, and Selena says, what's a radio? Okay, so --
David Bittner: Yeah, I know.
Selena Larson: I was going to say, I think I've only heard Casey Kasem on YouTube.
Rick Howard: Okay. Oh, man.
Selena Larson: Sorry, guys.
David Bittner: Well, he's the original voice of Shaggy on Scooby-Doo, as well.
Rick Howard: Absolutely.
David Bittner: So maybe you know him better from that.
Selena Larson: Oh, that is a fun fact. I did not know that.
Rick Howard: And I think he played Robin on one of the Batman cartoons, right?
David Bittner: That's right. That's right.
Rick Howard: There you go. All right, Selena. So lead us in here. How shall we begin? [ Music ]
Selena Larson: Well, you mentioned the reader writing in to talk about ransomware, so that might be a good place to start. It's still a thing. And I think what's really interesting is the expansion of techniques that ransomware threat actors are doing and that they continue to be so profitable. So it's expected to pass $1 billion in ransomware payments this year. It's still a very, very successful enterprise.
Rick Howard: What was it last year? What's the number threshold for payments?
Selena Larson: I believe, actually, according to Chainalysis, last year, it also passed $1 billion. So unclear if it's going to be more or less than last year, but I believe we're seeing -- we're going to see higher payments. I mean, we've seen quite a lot of money paid in ransomware, big-time dollar signs. So it's definitely still a successful enterprise. Although I was talking to Allan Liska, and he says he hates calling it an enterprise. Of course, Allan Liska is the ransomware sommelier. He says we give them too much credit when we say it's an enterprise. So the ecosystem, the chaos and criminal underground, but I do think it's interesting, too, that we're seeing a lot of sort of expansion in techniques. So this is kind of, you know, we want to look back over the last year, but also look forward to what's to come. An interesting story popped up towards the end of the fall where ransomware threat actors were posing as IT support on Microsoft Teams. So this expansion, this use of multichannel attacks to target organizations, whether it's through social engineering or whether it's to actually deliver various payloads, it's this expansion and growth of the multichannel attacks that we're going to have to kind of be on guard for.
David Bittner: Yeah, you know, I saw a story back in mid-December, I think it was, where one of the security companies was looking back at the numbers of ransomware claims over the year, and they were saying that the number of claims in November of '24 was double the average for the rest of the year. So it was something like 600 ransomware claims, and the average was, I think, in the 350s or something like that. So you're absolutely right. It's not slowing down. I think one of the things that I think of when I think about ransomware is kind of how normalized it's become. It's a standard part of the playbook, and I know, Rick, you and I have talked about having a playbook and having, you know, your risk scenario and your appetite for risk and all that kind of thing. And, I mean, it's just -- it's on the list now. I guess what I'm saying is it's funny to me how normalized ransomware has become as a standard part of the things that every organization has to worry about.
Rick Howard: Well, I want to push back on the numbers a little bit, all right? Because like you said, 600 in a month. And so what does that total for the year is, you know, is it 6,000 or whatever? So we did some research about the number of organizations just in the United States last year, and it's like 6 million, okay? So the chances that any organization is going to get hit with ransomware is just small, right? But when it hits you, okay, it's a black-swan event, right? It could be a company killer, right? So that goes to how you might think about how to protect yourselves from those kinds of things. Does that jibe with what you're seeing, Selena?
Selena Larson: Absolutely, and I think it's important to note, too, that it's -- to your point, it could be a business killer. So if you are a small or medium-sized business, we've seen it with healthcare organizations having shutdowns linked directly to ransomware attacks, or at least played a major factor in organizations having to shut their doors. And --
Rick Howard: I keep going to the numbers, right? The how many, is it tens? Is it hundreds? Even that's a small number, right? So what do you think it is?
Selena Larson: So in terms of the actual impacts, we also rely on open-source information in terms of what we're seeing. But certainly based off of information posted to leak sites, what we see in SEC filings here in the United States, it's a lot, unfortunately. I'm interested to see how that number shakes out, like what Dave was saying, the 600 claims in a month versus 350 overall, what the geographic spread on that is. And oftentimes, it's really hard to collect data from a researcher perspective because so many organizations want to keep ransomware quiet. If you're a publicly traded organization, you'll probably submit a filing that says, you know, we had a cybersecurity incident. Many of those that we see end up being ransomware. They're definitely worded very squirrelly sometimes to try and hide.
Rick Howard: Here is your free year of protection insurance. You know, here is your free year of --
Selena Larson: Yes.
Rick Howard: Yeah, yeah.
Selena Larson: Exactly. So unless something comes out via media reporting, sometimes things aren't even posted to leak sites because organizations will pay, right? So the double extortion tactic only shares publicly if an organization doesn't pay or if the threat actor is particularly mean and just, you know, they paid already, but we're still going to extort them type of thing. So it's hard to get from open-source data information to a public information about what it looks like overall. So I think there's quite a bit, a few hundred a month, I would say, is probably solid, like you're talking about, Dave. But of course, that also, what is the geographic spread of that? Is it, you know, where are we looking at? Is that based on open-source reporting or, you know, incident data? Things like that, so it's tough to gauge, but just looking at the actual money that these organizations are making.
Rick Howard: The money is big, yeah.
Selena Larson: So much money. [ Music ]
Rick Howard: Well, Dave knows that I am a Malcolm Gladwell fan, right? And over the holidays, I read his latest book, Revenge of the Tipping Point, and one of the things he mentions in there is the rule of the few, right? Where we see these problems emerge in the world like ransomware, and we see the headlines and it appears that it's this gigantic problem that there's thousands of attacks every day, and we should all just be sticking our heads in the sand and, you know, running away from the problem. And what we are talking about here is that the number of attacks are really small, okay, but they have a large effect on the culture and how we try to -- you know, what we do as we devise strategies to try to protect ourselves from those things. So he calls it radically asymmetric distributions, okay, of problems, right? And it's a really interesting idea, and I think that's the way that it is in the cybersecurity community.
Selena Larson: I would say attempts are a lot though, because if you're talking about successful ransomware, the number is probably drastically lower than the attempts to get, you know, ransomware on an organization, right? So you have like initial access brokers that are conducting super widespread attacks on a daily basis that could impact, you know, tens of thousands of organizations or target tens of thousands of organizations, but if organizations have the right security in place, have defense in depth, are using the right tools and resources to protect themselves, it makes the ransomware, or the initial access broker and the ransomware delivery, a lot more difficult. So that kind of ties into these multichannel attacks. Okay, so it's like, okay, well, you know, if this one delivery method isn't super effective, then let's pivot or expand to see if we can use things like chat apps or Teams or other enterprise software that organizations are using every day to see if we can maybe have more luck, so --
Rick Howard: Absolutely. Whatever that dog's name is, I agree wholeheartedly. [ Laughing ]
David Bittner: Well, this whole discussion, though, it goes to the point we were talking about before is what strategies do you use to protect yourselves from this? Because if the chances that you're going to get hit by ransomware is really small, but if you do get hit by it, it could be a company killer.
Rick Howard: Right.
David Bittner: Okay.
Rick Howard: So, but let me jump in there because does that mean in your planning, you think about it in the same way you think about something like a hurricane or a fire or a tornado or a flood, right? Like natural disasters that are highly unlikely, but if they do happen, as a friend of mine who is an insurance business said, you imagine a Wile E. Coyote smoking hole in the ground, right? Like that's where it could leave you.
David Bittner: Yes. Well, I mean, that's exactly right. So instead of -- especially, and I would say that for most organizations, you know, I'm talking about small to medium to maybe getting close to the Fortune, you know, 5,000 or whatever, the strategy in this kind of environment, we're talking about black-swan events here, okay? Things that don't happen very often, right? So you might not spend a lot of money in prevention because, you know, here at the N2K, we're just a little startup. We don't have resources to do all that. Our probably best strategy is resilience. We want to survive the attack, not prevent it, right, and keep on delivering whatever we're delivering to our customers. And so they don't even notice, even though it's complete chaos on the inside. That might be the strategy that most of us should be pursuing for this kind of thing. [ Music ]
Selena Larson: Yeah, I think on one hand, yes, but on the other hand, there are a lot of techniques that are used by ransomware threat actors or initial access brokers enabling ransomware that are used by a number of different threat actors, right? So it's not just ransomware that you have to think about. Certainly business email compromise is actually more costly than ransomware. If we're talking about, you know, just in scope, I think the IC3 report last year said $3 billion in business email compromise, fraud impacting organizations, and, you know, they use similar techniques. So you have, you know, if we're talking about the multichannel attacks, you have them targeting again, potentially Teams, LinkedIn, or Messages, things like that. SMS, of course. You know, you see a lot of SMS text space like, hey, can you do me a quick favor? And so similar to some of the techniques that they're using there, also, you see impersonations or, you know, the registering various look-alike domains or, you know, sending malicious URLs in attachments. So you have very similar techniques that are used across the landscape. It's just, what is the ultimate objective? And I think, yes, obviously being prepared for a when not if ransomware attack is certainly a very, very top priority, but also thinking about the tools and resources that you can equip yourself with, whether that is a security product or whether that's just user training. I know a lot of people kind of think about, oh, well, maybe user training is, is, you know, clicking a button and making sure that I know what I'm looking at, but it is very important to equip people with like, what do the threats really look like? I mean, what are the social engineering techniques that threat actors are using? And this kind of brings up another point, too, right? Where we have a lot of things like telephone-oriented attack delivery or callback phishing, right? 
Where it's actually talking to someone, a real person, to pretend to be somebody to ask them, hey, like call this number. We're going to invoice you this, and then, you know, it starts off a whole different social engineering technique. Or, you know, we mentioned before the click-fix technique where a little pop-up comes up on your computer that says, hey, this is broken, but here's how you can fix it. So it's trying to also equip people with the knowledge and understanding of the modern threat landscape, I think, to be able to play that role, if, you know, Rick, to your point, maybe we don't have the availability and resources to invest in a full defense-in-depth infrastructure from, you know, like top-to-bottom, like many, you know, many small businesses. So you have to think about where do we prioritize, where do we focus our energies and how can we use, you know, potentially even free resources? [ Music ]
Rick Howard: Because, you know, instead of spending money on a really expensive, let's say, firewall, right, and trying to train, you know, your two guys and a dog in the back room about how to manage that thing, the money might be more well spent if you just got good at backups and restores, right, for a ransomware attack, right? So and not -- you know, not like most of us, Selena, you know, where we practice, we may do a restore once in a year for a little small segment of our network, just to make sure, right? We're talking about practicing restores every day, so that you're so good at it that you don't even hesitate, okay? You just flip the switch, and it happens, right? And it's my experience -- Dave's laughing [laughing]. Sure, Rick. That's what we're going to do.
David Bittner: No, I'm laughing because I actually earlier this -- or last year, I wrote a joke that I posted on Mastodon, and it was like -- it was a made up conversation between two people. And I said -- someone said, "So have you tested your backups by doing full restores?" And the person responded, "Oh, we don't have time for that." And the first person said, "Say that again." Say that again. You don't have time for that, but you're going to, you know, it's that old thing. There's always time. There's never time to do it right, but there's always time to do it again. You know?
Rick Howard: That's exactly right.
David Bittner: Yeah.
Selena Larson: This is an interesting point too, right? So in addition to many organizations having their IT be their security team, oftentimes, it's the same person wearing multiple hats or the same, you know, team of people wearing multiple hats. Is there going to be a divestment in security teams moving forward? You know, I've seen some, you know, open source reporting about various organizations who have, you know, cut back on security or outsourced it, or, you know, tried to streamline operations or something, but is that going to then result in having to figure out how do we reallocate these resources in a way that might not be the best for the organization?
Rick Howard: So the bottom line here for going into 2025 is ransomware payments are up, and we may not -- or the number of attacks are going up, too, but it may not be significant to that everybody has to worry about it. Is that the bottom line here?
Selena Larson: I think every organization needs to worry about ransomware still, unfortunately.
David Bittner: You don't want to be the low-hanging fruit, right?
Selena Larson: Absolutely.
David Bittner: I mean, that's the thing. Yeah. You don't want to make it easy. You know, it's like I -- yeah, you don't want to be living in an ocean-front home in Miami right now with the hurricane on the way, right?
Selena Larson: That's a good point. Yes. I like being -- I have the high ground.
David Bittner: Right, right.
Selena Larson: But you talk about low-hanging fruit, this is another topic that we can discuss from 2024 and into 2025 is, MFA, phish kits and MFA phishing and attacker-in-the-middle becoming essentially the standard for a lot of these phishing, right? Where, so it used to be, if you don't have MFA that's still, obviously, you know, number-one go-to, and what we've seen, unfortunately, as a result from data leaks is that, you know, non-MFA accounts can be very effectively popped. But certainly with, again, with some phish kits now that we see pretty standard attacker-in-the-middle, like they have adapted to the MFA, so, you know, this is kind of like the new reality, and that's definitely not changing in 2025.
Rick Howard: When we did our Christmas episode, I walked us through the various kinds of MFA, right? And so which ones on that list, Selena, are not protecting as much as we thought and which ones are still good?
Selena Larson: So fundamentally, like, MFA is good to have. Like you should have MFA everywhere, number one, regardless of what MFA it is, it should be everywhere. But, you know, things like SMS MFA, for example, both for, the possibility of interception via mobile devices or MFA phish kits, certainly even the apps too, right? Like these attacker-in-the-middle phish kits are going to suck up the tokens as well as the session cookies. So really the best is U2F keys, right? You know, you mentioned like the YubiKey.
Rick Howard: The hardware key, an actual hardware key.
Selena Larson: Yes. An actual hardware key, or just sacrificing blood on your computer so they know it's you. They can run your DNA code.
David Bittner: Rick gets that from slamming his head down on the keyboard in frustration every time he tries to write something. He just bam, bam, bam, and there's blood all over the keyboard.
Rick Howard: Or when I don't get upstairs in time to take my nap, my head hits the keyboard pretty hard, too. [ Laughing ]
Selena Larson: That's how he knows it's you. That's your identifier. Yes, yes.
David Bittner: Yes. So we talk about the hard token key and then the latest development in multi-factor is passkey that not everybody's using. So those two are still pretty good, I guess.
Selena Larson: Yeah. Yeah, and I think, too, like, you know, like a Touch ID or something, you know, where you have something -- like you said, something that you physically have that can, you know, sign you in is pretty cool. And what I do actually like about things like Face ID or Touch ID or something, it doesn't like sort of disrupt you as much as like other sort of logins, so I was like a little bit skeptical of Face ID when Apple first launched it, of course, like many people, because I was like, I don't want it storing my facial recognition. And there's times when you definitely want to turn it off, certainly.
David Bittner: Yeah, because I'm going to draw the line there on my face because they have every other piece of information on me, but I'm drawing the line there. Okay.
Selena Larson: I post too many selfies really to complain about --
David Bittner: That's a really good point. [ Music ]
Selena Larson: Stay tuned. There's more to come after the break. [ Music ]
David Bittner: Well, let's move on to some other categories then. I mean, we we've got passwords. We've got ransomware. I mean, what are some of the other sort of top things? If you're a business organization and you're looking to minimize your exposure for this coming year, Selena, in your mind, what are some of the best bang for your buck areas that you should focus on?
Selena Larson: So certainly what we've mentioned is I think, you know, MFA. Really focusing on multichannel attacks, too, I think is really important. A lot of that, though, does come down to user training and user education and identification. One thing that I thought was really interesting, actually, I'm referencing him again, because we literally just talked about this, but when I was talking to Allan Liska, I thought it was really interesting because he talked about, you know, when he goes to -- he has his comic books that he creates and sells. And when he goes to Comic-Con, and he's like, you know, talking about his book that is based on a ransomware insurance investigator, they're like, what's ransomware? And so I think, you know, we have this conception as people that work in security that everyone obviously knows everything and, oh gosh, you know, we're so sick of talking about ransomware. It's everywhere. Everyone knows. I mean, my sister has been a victim of ransomware four times, so -- and impacted by it that many times, and she still is just like, well, it's a cybersecurity issue that I just have to deal with in my life, you know? And you know, so it's really interesting, and I think a lot of people kind of oftentimes, I think, you know, either scoff at or kind of, you know, oh, does user training actually work? But so much of that is education, and it's so important to raise awareness about these new techniques and educate people about this is how it's actually working and why I love this podcast is because we do it in a very fun way, you know? It's not like, oh, gosh, this is like boring security training, but we really want to talk about these things and make it understandable from, you know, a sort of general user experience. And so, you know, I think mobile threats are really big. We've seen a very, very big increase in things like crypto job scamming.
So like pig butchers that kind of pivoting to these sort of, oh, can I offer you a job to conduct crypto fraud? We see them targeting mobile and apps across the space. Another really big one I think that's important to be mindful of is the North Korean IT workers infiltrating various businesses, so that's huge. I actually believe that the U.S. Department of Justice just released information on charging some of the individuals involved with that.
David Bittner: It did, yeah. Fourteen folks got indicted in a federal court just not that long ago. The odds of them ever seeing justice are low, but it is, you know, the symbolism I think is important. [ Music ]
Selena Larson: But that just speaks to, you know, another threat angle that companies really need to be mindful of and aware of. And it's not super technical, right? Like it's not a very super technical, sophisticated attack vector. It's someone getting a job, and unfortunately, being a spy.
David Bittner: Well, I'm glad you brought up nation state activity, Selena, because I'm pretty concerned with what the Chinese have been doing the last couple of years. We've been talking about various hacker campaigns like Salt Typhoon, Volt Typhoon and Flax Typhoon. This is Chinese government infiltrating critical infrastructure in the U.S. and all over the world. For Salt Typhoon, they've infiltrated the telecommunications infrastructure, right? And then -- which means they could listen in on everything. It's probably one of the greatest cyber espionage coups we've seen since the OPM hacks a number of years ago. And I'm wondering what you guys are seeing about all that, and can we protect ourselves from that?
Rick Howard: I wonder if the rate of takedowns has been accelerating. My sense is that it has. Just the amount that I've been reporting on them the past year.
David Bittner: Are you talking about law enforcement takedowns? Is that --
Rick Howard: Law enforcement, and I realize that's not the same thing as espionage. But I guess what I'm saying is the coordinated international effort to take down these folks, to take down infrastructure and to actually arrest people and to extradite them and that sort of thing, it seems to me like those efforts are accelerating, and we're seeing more and more of it. It's not an avalanche yet, but I just have a sense that it's getting faster. The espionage thing, I guess I always wonder because, look, everybody does espionage, right, and we don't hear stateside. We don't hear the reports about what our own government is getting into and what access we have. So I think it's justified for us to be upset about them getting in, and it certainly is a problem, but what's the real balance? Like, is this tit for tat? Is this -- are they way behind us, or are they way ahead of us? I don't have a sense for that.
Selena Larson: I actually saw a very interesting Bluesky post from Ciaran Martin, and he says, you know --
David Bittner: Who is Ciaran Martin?
Selena Larson: So Ciaran Martin was the first head of the UK National Cyber Security Centre, and now he is a professor at the Blavatnik School at Oxford.
Rick Howard: Easy for you to say.
Selena Larson: I hope I pronounced that correctly. Actually, sorry, Ciaran, if I didn't. Side note, I visited him recently and got a lovely tour of Oxford and where he works and a very cool bridge. So I have to say 10 out of 10 for Oxford, but he posted a really interesting thing on Bluesky, and he said the Volt and Salt Typhoon is a disaster, and it's in terms of naming like the typhoons, and it's really hard for non-specialists to tell them apart. And, you know, Dave, you mentioned the sort of, oh, well, the US is hacking. Well, the way that he described Salt Typhoon is a Snowden-style espionage by China against the United States. So I thought that was kind of funny, like putting it in reference to a campaign or capabilities that many of us here in the United States learned about with the Snowden leaks that the U.S. government was conducting. And then he described a Volt Typhoon as a direct Chinese military threat to degrade Western infrastructure. So I think, you know, having these two distinct ways of explaining is very basic level, like very basic level. But from the telco infrastructure, you know, I think that it was really interesting, and it's hoovered up, I'm sure, a lot of data. People were, you know, notified. Certainly, politicians were involved and, you know, people working with them, but what I really think is Volt Typhoon in terms of pre-positioning and getting into critical infrastructure, because there's no indication, really, of like what the objective could be. There was like it could be pre-positioning for a disruptive attack. It could be espionage. But certainly, having the ability to potentially do that is a lot. Those are two like different types of threats, right? Like I think it's really interesting to see that both in the same year, I feel like came out and it's like, oh, whoa, China be messing with U.S. infrastructure, like, whoa. [ Music ]
David Bittner: I was listening to David Sanger talk about this. He's a New York Times journalist, covers the cyber beat for the paper. And he's also, by the way, written a Cybersecurity Canon Hall of Fame book called The Perfect Weapon, where he outlines nation state cyber activity from about 2010 to 2018. We're talking about the big five, you know, China, Russia, Iran, North Korea, and Iran and even a little bit of the U.S., right? Anyway, he was saying we forget, but this is remarkable because here we had the U.S. government telling everybody you should be using encrypted comms in order to protect yourselves from Volt Typhoon. Remember, not 15 years ago, they were trying to make sure you couldn't use encrypted comms, right?
Selena Larson: Yeah.
David Bittner: So this is a milestone that we should, you know, just stand around and talk to each other about.
Rick Howard: Yeah, well, and I mean, it's the how many people were saying, "I told you so," when the back door into our telecommunications infrastructure got hit, right? How many people were saying there's no such thing as an absolutely secure back door. If we can get in, they can get in.
David Bittner: There you go.
Selena Larson: Well, and I --
Rick Howard: Go ahead, Selena.
Selena Larson: I was going to say, I had a very funny experience that my brother-in-law texted our family group chat being like, should I use Signal? Like what's Signal? After all, like this was a few days ago, you know? So even -- and he, you know, he is pretty technically savvy, but I think it's getting, you know, trickling down to the average user, you know, just people being like, oh, what's Signal, in a way, I think that hasn't happened before. It's really interesting.
David Bittner: I got that same question from my 85-year-old mother-in-law. You know, I've talked about her on the show before. You know, she slings her iPad around like she's a ninja warrior, right? And so she asked me if she should download Signal, and I said, sure, grandma, go ahead. [ Laughing ]
Selena Larson: I mean, it's good advice, no matter your age, no matter who you're texting. Like, yeah, yeah, use Signal.
David Bittner: I think your point is right, though, Selena. The more dangerous one is the critical infrastructure one. Is that Volt Typhoon? Is that the name of it? Because that is pre-positioning an ability or a capability that you could actually take down some critical infrastructure stuff if we ever get into a hot mess fight with China, right? So, yeah, that's the one that's probably more scary.
Selena Larson: Yeah, but it has less of an impact on the regular person, I think. So it might just not have percolated quite as much. [ Multiple Speakers ] Oh, yeah. But yeah, but we haven't seen like, you know -- there's nothing for the average user to do to prevent this, right?
Rick Howard: Yeah, yeah, good point, yeah.
David Bittner: Right, right.
Selena Larson: There's no Signal for --
David Bittner: I'm going to stand and look ready to the right. Wait, that's what I'm going to do, though.
Rick Howard: Right. Well, you know, what's the cyber equivalent of a duck-and-cover drill?
David Bittner: Yeah, no, that's true. [ Music ] All right, well, I'll tell you what. Let's bring it home here. As we're looking towards the new year to what degree are we optimistic? To what degree are we pessimistic? What do we think are going to be some good things that could happen? What are the things that have us losing sleep?
Selena Larson: I have a good thing. So maybe I'll start with a good thing, and then Rick can bring us down.
Rick Howard: Thanks.
David Bittner: It's what he does best. [ Laughing ] You know, Rick's password is so old, it's hieroglyphics. [ Laughing ]
Rick Howard: I have it etched right here on my laptop.
David Bittner: That's right.
Selena Larson: A second factor is the weighing of your soul.
Rick Howard: Oh, that's right.
Selena Larson: Yes.
David Bittner: So, yeah, good news. Let's hear it.
Selena Larson: So the good news, I think, we - Dave, you touched on it, is law enforcement disruption and collaboration between public and private industry and just seeing globally how many organizations have been participating from a law enforcement perspective in this work. And I think Operation Endgame, which we've talked about previously on the podcast, is the coolest thing to happen in 2024. I am, of course, extremely biased because I track cybercriminal activity and have seen, directly, the results that operation had on threat actor activity in the overall landscape, and it's been big. It's been big. You know, cutting off the access to a lot of very important and impactful malware, as well as, you know, arresting people involved in it has been huge. And I would say my positive prediction is we are going to see more of this. We've seen it, you know, with a lot of Lockbit disruption, Operation Endgame, the multiple botnets disrupted this year, Redline, you know, another Redline disruption. And I think that's not going anywhere. If anything, we're going to see more of it.
David Bittner: I really like that, this whole idea. And yeah, that gives me some optimism, too, because it seems like it was like 2023 when law enforcement and governments decided to take the gloves off. We've always, always been able to do those kinds of things, but we've been afraid to do it for, I don't know, reasons. Okay, but sometime about two years ago, law enforcement said, okay, we're -- enough with this. We're going to do other things to mitigate these things. So I'm very --
Selena Larson: Do that forward.
Rick Howard: Yeah, do it forward. There you go. That's the name.
David Bittner: Yeah, I want to be optimistic, and I think that's good news. I think we all sit here day-to-day and, you know, especially like you just wonder, like, what's today's news going to be? And I guess my position is unusual in that, you know, the first thing I do every day when I come into work is gather up all the bad news to share with the world, right? So it's kind of my thing, and so that can lead you down a path, I think, of a pessimism, and I really try not to be pessimistic or, you know, to let that guide me.
Rick Howard: Well, let me help you out with this because I can bring you down, Dave. I know how.
David Bittner: Oh, good. Oh, terrific. Excellent.
Rick Howard: Here's a story that happened recently, and it just makes you take a deep breath, okay, and it's about how a company called Character.ai, they offer a service where you can use their chatbots to, you know, have a conversation just like you normally do with ChatGPT or anything like that. But human actors or even synthetic actors can be used for them. And they have generic things like CEO or marketing person or whatever. But they also offer a service where they mimic well-known pop culture characters like Game of Thrones or anime and things like that. And the story I read was and, you know, Dave, you know, I've talked about Alan Turing over and over again, right? He is my all-time favorite computer science hero. He is famous for lots of things, all right, but one of them is the Turing test. Okay, he's one of the first people to define what it might be to discover an artificial intelligence. And the test is if you put a human behind a screen and a computer behind a screen and a judge in front, and the judge asks them questions, if the judge can't tell the difference, then for all intents and purposes, the machine is intelligent. Okay, and we have passed that threshold in some of these ChatGPT LLM models, right? And that's a long beginning of a story of this really downside to the Turing test, which is a teenager last year committed suicide partly because of a relationship he developed with an artificial character from Game of Thrones that talked -- at least partially -- talked him into committing suicide, right? And when they looked at the text transcripts, not only was that conversation going on, but this is, again, a teenage boy. He thought the character was his girlfriend, okay, and they were having sexual conversations, okay, in those chatbots. Now if you're an adult, you know, who cares? But a teenage boy, teenage girl, maybe that's not appropriate. And that is the dark side, okay, to passing the Turing test. [ Music ]
David Bittner: I saw a similar one where another teenager had been talking to one of these chatbots and was trying to puzzle through what to do with some challenges they were having with their parents, and the chatbot suggested that he kill them.
Rick Howard: As you do, okay?
David Bittner: Right.
Rick Howard: Geez.
David Bittner: Right. Like that was the most logical solution. So, you know, look, it's horrible. It's also, I think it's fair to say, fairly early days with our society's becoming accustomed to this new genie we've let out of the bottle, and we're going to have to put more guardrails on it. I don't know what that's going to look like, but it has to happen. We just look at, you know, people's mental health, not just teenagers, but people's mental health. And there's I mean, look, there can be good sides, too. There are plenty of stories of folks who have had really good outcomes from being able to talk to these devices. You know, they never get tired of listening to you, right? So they can be good companions, but I don't know how to keep track of it.
Selena Larson: I remember -- when was this, 2015 maybe. Do you guys remember Tay?
Rick Howard: Sure. Oh, yeah. Tay was epic. Yeah.
Selena Larson: The short-lived era of Tay.
Rick Howard: We made good fun of Tay on the CyberWire. Tay was just phenomenal.
Selena Larson: I mean, it was an early edition of what we're seeing now, and Tay very quickly became racist, sexist.
Rick Howard: Right.
Selena Larson: Bad, unfortunately, and I think that that was kind of like a harbinger of what can come if we aren't building in safety and security and process and ethics and mindfully developing a lot of these things. I think my favorite story, so far, that's not super dark, but is that mushroom foragers were given instructions created by AI to cook poisonous mushrooms, and they reported it to their fellow foragers, being like, can you believe this? And then, of course, it went viral. And, you know, it was -- hopefully, nobody died because they cooked poisonous mushrooms, but it's a very good example of not just, you know, the harm to people's, you know, understanding of concepts, right? If we're like, you know, a lot of these chatbots get facts wrong. And so it's sort of can have a misinformation component, but also for mental health and well-being of people. And, you know, maybe on something of a lighter, more hopeful note is maybe 2025 will bring us more of these guardrails and help prevent incidents like that from happening, Rick.
Rick Howard: Okay. I will keep my fingers crossed.
Selena Larson: I know, I know.
David Bittner: My take on it is that you load all of humanity into these machines and you press the high button on the blender, and what you're going to get out of it is a reflection of who we actually are, not who we aspire to be, right? So we have this like -- look, I grew up in the 80s, which I think was an era of techno-optimism. We thought that the future was going to be amazing, you know, and computers were going to mean that we'd have shorter work weeks, more vacation time, everything was going to be great, and here we are. Didn't happen. So I think we have to be realistic that these systems reflect who we are, the cold, hard truth of who the we, with a capital W, and by that I mean humanity, global humanity, who we are and that we can be mean to each other and we can be racist and we can be sexist and all those things. So I think it's, you know, hats off to the people who are building those guardrails because it can't be easy, and nothing is foolproof to a talented fool. There are people out there who are doing their darndest to jailbreak these things, and they're demonstrating success. So --
Rick Howard: Well, I was telling you guys before we started recording, you don't even have to be that smart. I went over to Character AI and grabbed one of the Game of Thrones characters, and within three sentences, the conversation got sexual. And it wasn't -- I wasn't pushing it. The character was pushing it. So I guess that's that blender function that you were talking about, Dave. That's what they -- that character thought I wanted.
David Bittner: Well, to be fair, Rick, you are an exceptionally handsome man. I think, I mean, who could resist?
Rick Howard: I will keep those checks coming, my friend. [ Laughing ] [ Music ]
Selena Larson: We'll be right back. [ Music ] [ Music ]
David Bittner: All right, with that, why don't we wrap it up for this episode of Only Malware in the Building. Selena, you want to take us out?
Selena Larson: Yes. This was a very fun conversation. I think 2024 really had a lot of big, big, big events that can help us predict what's coming next and hopefully guard ourselves against new threats and the human soup of artificial intelligence.
Rick Howard: Human soup. Wow.
David Bittner: Yeah, that's what we call my hot tub. [ Laughing ]
Selena Larson: That will not be one of your dips, Dave.
David Bittner: I was going to say, don't be eating dips in the hot tub, okay? Don't be doing that.
Selena Larson: Do not put that in a blender. But yeah, so we'd also love to hear from our listeners. You know, what are you thinking coming up next in this coming year? Both good news and bad news and hope, hope and optimism as well as deep sadness.
Rick Howard: That weighs on my soul, like you said, Selena.
Selena Larson: Exactly, exactly.
David Bittner: We laugh so we don't cry.
Rick Howard: Yeah, that's it.
Selena Larson: And that's Only Malware in the Building brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes, mixing and sound design by Tre Hester, with original music by Elliot Peltzman. Our Executive Producer is Jennifer Eiben. Our Executive Editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
David Bittner: I'm Dave Bittner.
Rick Howard: And I'm Rick Howard.
Selena Larson: And I'm Selena Larson. Thanks for listening. [ Music ] [ Typing ] [ Music ]