CyberWire Daily - Aadhaar updates. Fancy Bear doxes the Olympics. WhatsApp snooping vulnerability discussed. Spectre and Meltdown patching. US House reauthorizes Section 702. Bitcoin isn't Bitcoin Cash.

Episode Date: January 11, 2018

In today's podcast we hear that the Government of India is working on Aadhaar security, suspending many officials' access. Fancy Bear doxes the IOC. WhatsApp snooping proof-of-concept revealed. Spectre and Meltdown patching continues. The US House voted to reauthorize Section 702 surveillance (the Senate is considering its own version). On the FBI's unwanted list: jerks and evil geniuses (and they're scowling in the direction of Cupertino). Rick Howard from Palo Alto Networks on AI and ML in cyber security. Guest is Shelley Westman from EY, with the results from their Global Information Security Survey. Conflating Bitcoin with Bitcoin Cash could have been an e-commerce issue.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 The government of India works on Aadhaar security, suspending many officials' access. Fancy Bear doxes the IOC. A WhatsApp snooping proof of concept is revealed. Spectre and Meltdown patching continues. The U.S. House votes to reauthorize Section 702
Starting point is 00:02:11 surveillance. The Senate is considering its own version. On the FBI's unwanted list, jerks and evil geniuses, and they're scowling in the direction of Cupertino. And conflating Bitcoin with Bitcoin Cash could have been an e-commerce issue. I'm Dave Bittner with your CyberWire summary for Thursday, January 11, 2018. India continues to deal with breach concerns surrounding the country's Aadhaar database. Many in the press are calling the comprehensive national identity system too big to succeed, as it offers the ill-disposed a target so big, a billion-plus individuals enrolled, that it's impossible to resist. It also presents
Starting point is 00:02:58 administrators with an attack surface arguably too difficult to defend. The apparent breach is thought to have arisen from abuse or misuse of privileged accounts. The government is sorting the system out. One early step in doing so has been suspension of some 8,000 officials' access to Aadhaar. We've seen many reports of South Korean companies being phished with well-timed and well-crafted Winter Olympics bait, but there are other capers being cut during the run-up to the Olympiad.
Starting point is 00:03:29 The Rio Games were afflicted with a lot of retaliatory doxing when Russian competitors were kicked out for doping. The South Korean Winter Games are apparently going to be no different. Fancy Bear is out of hibernation and has been grubbing up International Olympic Committee emails and releasing them in what's evidently an effort to discredit the International Athletic Anti-Doping Program. And why?
Starting point is 00:03:53 Well, last month the IOC banned the Russian team from competing because it decided there was just too much performance enhancement going on. Clean Russian athletes are welcome to show up and compete as individuals under the five-ringed Olympic flag, but the white, blue, and red Russian tricolor will neither be worn, displayed, nor paraded. Any Russian athletes who take gold will be celebrated on the stand with the Olympic anthem, Bugler's Dream, and not Russia, Our Holy Nation, the melody of which listeners of a certain age will remember as indissoluble union of free republics. This is seriously a shame, and it would be nice to have
Starting point is 00:04:32 Russians compete as Russia. Expect more Fancy Bear sightings over the coming month, however, since Fancy doesn't tend to forgive and forget, letting bygones be bygones. Researchers at Ruhr University Bochum report that WhatsApp group chats are vulnerable to infiltration and snooping by uninvited parties. NVIDIA has released patches for its GPU that are inspired by Spectre, but it also says that Spectre really isn't a problem for its system. IBM is carefully preparing Meltdown and Spectre patches with all deliberate speed. They should be out early in February.
Starting point is 00:05:11 Microsoft warns that now and henceforth, antivirus software must be compatible with its Spectre and Meltdown patches. If not, systems with incompatible security products won't be getting updates from Redmond. EY recently released the latest version of their annual global information security survey. Shelley Westman is a principal at EY in cybersecurity, and she joins us to run the numbers. Most organizations feel they're at increased risk today versus 12 months ago, and that's for several reasons. First of all, cyber attacks are getting
Starting point is 00:05:45 more sophisticated, as we know, those of us in the industry. But on top of that, organizations are being more connected than ever when we look at things like IoT and digital. In fact, what's very interesting is that the World Economic Forum rated a large-scale cybersecurity breach as one of the five most serious risks in the world. So with that as a little bit of backdrop, what we found is that the mounting threat requires a more robust response. And this year's GISS reveals that many organizations are continuing to increase their spending on cybersecurity. 59% of them, those surveyed, say that their budgets have increased versus 12 months ago. 87% say they need up to 50% more budget than they have.
Starting point is 00:06:39 But here's the important number. Only 12% expect to get an increase of more than 25%. What we found from the survey is quite troubling is that many organizations are waiting until the worst happens to get an increase in budget. 76% said a breach that causes damage will allow them to get increased resources. But 64% also said an attack that doesn't appear to cause harm would be unlikely to increase the budget. This is higher than last year and concerning because damage will be done in attack whether or not it's apparent at first glance. So these attacks could be a way to test the setup of a company or to take attention away and divert it from another attack that's going on.
Starting point is 00:07:32 You know, one of the things that caught my eye was there was a statistic that 32% of boards, only 32% of boards have sufficient cybersecurity knowledge for effective oversight of cyber risks. Now, that's interesting to me because something I've heard in the past certainly year or so is that cybersecurity is getting more attention from boards, but the numbers here don't bear that out. First of all, only 50% of the organizations that we surveyed report out to the board. Boards still can be intimidated to ask a question on cybersecurity. Some boards have a CSO that's coming in and reporting to them, "Hey, we stopped 10,000 attacks today." Is that good? Is that bad? Right? Was there 10,001? Was there 15,000 attacks that needed to be stopped and 5,000 of
Starting point is 00:08:21 them got through? So some boards are still not finding enough courage, if you will, or gumption to ask the hard questions of the CISO and ask them to put that into English. And that could be a problem. In fact, 89% of the respondents in the survey have said that the security function in their organization doesn't fully meet the organizational needs. And then you couple that in with what we're seeing around the board, and that can definitely lead to ramifications. And one of our top pieces of advice is you've got to make sure you've planned out crisis management. And so when you think about it, if there's an emergency that's going on,
Starting point is 00:08:59 if there's firefighters running to a fire, if there's nurses that know and doctors that know what to do, they know how to do this because they've actually prepared for a breach. Companies that don't prepare for a breach or that just have a written plan written down but not practiced do not do well when a breach actually occurs because they waste too much time figuring out what to do. So one of our top recommendations is really make sure you're rehearsing what to do. What do you do if all of your networks go down? Do you have written cards that tell you where to find someone's phone number? All of us rely on the network to look somebody up.
Starting point is 00:09:40 If that's not there, how do we get in touch with them? Who's going to talk to the media? Who's going to alert the board? How quick can the board be pulled together? If there's ransomware involved, who's going to decide whether you're going to pay the ransomware? All of these scenarios have to be thought out in advance because when you're facing a breach, there's simply not enough time to do that. That's Shelley Westman from EY. You can dig into all the numbers and find out more about their Global Information Security Survey on the EY website. The U.S. House of Representatives today passed its version of Section 702 surveillance reauthorization. The Senate will soon take up its own. Should that be passed, as most observers expect, a conference would determine a final version.
Starting point is 00:10:33 The US FBI continues its relatively lonely counteroffensive in the crypto wars. This time, Apple is the target, as a senior bureau official says Apple is a bunch of jerks and evil geniuses for encrypting iPhones in hard-to-break ways. Apple seems to be less jerky when in China. It's moving Chinese iCloud account data to servers in the Middle Kingdom. Coincidentally or not, FBI takedowns of cyber gangs dropped significantly in 2017 by about 90%. No reason for this is given, and the Bureau has declined comment on what the import of the drop may be,
Starting point is 00:11:11 but it has said that on balance it's pleased with the progress it's made in building cyber law enforcement capability. Finally, a tip for those of you who are buying and selling cryptocurrencies. Bitcoin and Bitcoin Cash are not only not the same currency, but they have very different valuations. Overstock and Coinbase have fixed a website glitch that could have enabled people to buy things for pennies on the dollar. Their site had briefly confused the two. It was, as we say, a glitch, an oversight, since e-commerce and coin sites do know the difference, but it could have been costly.
Starting point is 00:11:41 At the time of the oops, Bitcoin's volatile and swiftly fluctuating value was pegged at around $14,000, while Bitcoin Cash was at the same time worth only about $2,400. So, traders and techno-libertarians, buy, sell, and speculate, but caveat emptor, and caveat vendor, for that matter. Hold on to your digital wallets.
Starting point is 00:14:25 Joining me once again is Rick Howard. He's the Chief Security Officer at Palo Alto Networks. He also heads up Unit 42, which is their Threat Intel team. Rick, welcome back. We want to touch on machine learning and artificial intelligence and all of the fears we have of Skynet becoming self-aware
Starting point is 00:14:44 and so forth. But before we do, let's just start with some definitions. What's your take on the difference between ML and AI? Well, you got that right. It appears that AI and machine learning are the two latest favorite squares for your cybersecurity marketing bingo cards. Yes, yes. All right, but with all the hype,
Starting point is 00:15:06 you know what the one question is that nobody is adequately addressing, okay? You know what it is. You mentioned it in the intro there. All right, go on. When is Skynet going to activate and kill all the humans? That's what I'm worried about. All right, so for the unenlightened, non-sci-fi few,
Starting point is 00:15:21 let me explain what that is. Skynet features prominently in the Arnold Schwarzenegger Terminator movie franchise, and that all started back in the early 1980s. Okay. In the beginning, Skynet was a computer system designed to automatically control the military's response actions during a crisis. Okay. But at some point it becomes self-aware and decides that not only that humans are not necessary, we might be harmful and we need to be wiped out. All right.
Starting point is 00:15:45 So that's the basis of the entire franchise. Yeah. And we've got modern, you know, people like Elon Musk are sounding the siren that perhaps this is a serious concern. Exactly right. And so that's what and that's why everybody's talking about it. It's Stephen Hawking, Elon Musk and Bill Gates have all said we need to be careful about this kind of potential future.
Starting point is 00:16:04 Right. Right. And they say it might, you know, we're within, it's in eyesight, right? It's probably before 2050, okay, that we might see real artificial intelligence systems. So we need to explain what that really is, okay? So we can understand why they are alarmed by applying a very simple test, okay? It's a thought experiment, if you will, it was devised by Alan Turing. It's called The Imitation Game. Did you see the movie?
Starting point is 00:16:29 No, but I'm certainly familiar with Mr. Turing. Yeah, well, the movie is excellent. If you want a great explanation to what artificial intelligence is, Benedict Cumberbatch plays Mr. Turing and I thought he nailed it. So go watch it. I recommend it highly.
Starting point is 00:16:42 So here's the game. A judge asks a question of two subjects behind the screen. Okay. One subject is a human and the other is a machine. And if the judge can't tell which subject is the human and which one is the machine, then the machine for all practical purposes can think, right? So in the modern day, we see examples of machines starting to pass the Turing test in very specific knowledge domains, such as commercial flight autopilots, video game opponent, which is really cool, I think, and online computer support. There are other domains where they're almost there,
Starting point is 00:17:15 like self-driving cars like Tesla and personal assistants like Amazon's Alexa. So with these emerging AIs, humans can still tell that they're not quite there yet, but we can all see that it will not be very long until they get there. All right. So then what's the difference between artificial intelligence and machine learning? So machine learning is a software development technique used to teach a computer to do a task without explicitly telling the computer how to do it. I know that sounds weird, but that's what it is. So when I learned how to program back in the day, I had to think of every possible outcome for my program and then tell the program what to do for each case. It was one of the reasons I really sucked at being a programmer. I was just not good at it. Yeah. 10 print, Rick is awesome. 20, go to 10. Exactly. That's my best program ever. Got an A on that assignment.
Starting point is 00:18:06 Yeah. All right. So today developers are using big data techniques to search through large piles of data, looking for patterns that a human would never notice. Okay. So in other words, we teach the program how to discover all the outcomes and the big data is the key. Now this technique would not work without very large collections of data. And it just turns out that right now it's possible for us to get access to these large piles. Sure. So as an example, okay, at Palo Alto Networks, we use machine learning to discover malicious files, files that bad guys send to victims in order to compromise and ravage their systems. Yep. So Palo Alto Networks has been in business for over 10 years.
Starting point is 00:18:45 We have a giant collection of file patterns that have passed through our customers' firewalls. We're talking about petabytes of patterns. So we divide them into two buckets, known benign patterns and known malicious patterns. And our engineers then set their machine learning algorithms on the two piles of data. So with an over 98% accuracy rate,
Starting point is 00:19:04 and without a human knowing what the program is looking for, our machine learning algorithms can guess whether a brand new file that we have never seen before is benign or malicious just by analyzing the characteristics of the file. So that passes the Turing test with flying colors, right? So if we're going to get to a point where Skynet is possible, the singularity, it's called from science fiction favorites out there, it will have to contain hundreds, if not thousands of machine learning algorithms running in conjunction with each other. Now, we are a long way from that being possible today, but we can see that the singularity is no longer just a sci-fi trope. OK, it is something that may be possible within our lifetimes. And I'm not saying that Skynet will actually wake up and kill us.
Starting point is 00:19:50 But as a society, we are rapidly approaching the time when the singularity will happen. So in the meantime, get your marketing bingo cards ready. The AI and machine learning squares will be around for the foreseeable future. Yeah, I think so. We've come a long way since I used to talk to Eliza on my Apple II. So, yeah. All right. Rick Howard, as always, thanks for joining us.
Starting point is 00:20:47 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:21:29 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
