CyberWire Daily - Daily: Pentesting meets the gig economy. Stingrays, machine learning, and more.
Episode Date: September 14, 2016
In today's podcast we discuss the posting of more documents swiped from the US Democratic Party, which most consider the work of Russia's Fancy Bear. US officials continue to worry about election hacking. "Periscope skimming" is a new ATM hack. The US government mulls the reorganization of its cyber agencies. Raj Gopalakrishna, Chief Software Architect at Acalvio, provides his insights on machine learning. Ben Yelin from UMD CHHS explains some newly released revelations about Stingray surveillance devices. The new Snowden biopic hits movie theaters.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Guccifer 2.0, sock puppets and fancy bears, oh my.
Insights on machine learning,
new revelations about stingray surveillance devices,
and Snowden lands in U.S. theaters.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, September 14, 2016.
The bears are busy again, or at least Fancy Bear is.
More documents swiped from the U.S. Democratic Party were released yesterday
at the Future of Cybersecurity Europe conference in London.
The documents were released with the appropriate stagecraft of hacktivist anonymity.
The hacker or hackers addressed the conference, Russia Today reports,
through, quote, an unknown and remote transcriber, end quote.
The 500 megabytes or so seem to contain mostly information about party donors
and some information going back to vice presidential candidate
Kaine's tenure at the head of the DNC.
We should also note that the hackers continue to represent themselves as Guccifer 2.0,
which most people outside of Russia Today regard as a sock puppet for Fancy Bear.
In any case, Guccifer 2.0 is quite miffed that people think he's, or she's, really Russian intelligence.
It seems unfair to him, or her, that the Russian organs are getting credit for all that great stuff.
So, he or she is angry.
But, quote, then I realize the deeper they go this way, the safer I am, end quote.
That's what Guccifer 2.0 concluded with a smiley emoticon.
Fancy Bear also seems behind the doxing of the World Anti-Doping Authority, or WADA.
Medical records and drug test results for various Western athletes were released.
Russian authorities have been displeased by the disqualifications of Olympians for alleged doping and by the general cloud of suspicion that hung over its team in Rio this summer.
The documents released don't appear to show anything terribly scandalous,
but the hack was done in a clear spirit of tu quoque.
ABC News, in reporting on the incident, says the threat actor calls itself Fancy Bear,
but that's not exactly true.
CrowdStrike called them that,
and the name stuck. Fancy Bear probably calls itself the GRU, only in Russian, GRU, like that.
U.S. officials continue to worry about election hacking and appear, we heard at the Billington
Summit yesterday, to have settled on a policy of offering help to state and local authorities
without designating voting critical infrastructure or federalizing elections.
There's a new threat at the ATM.
Krebs on Security reports that the U.S. Secret Service is warning people against periscope
skimming, a new technique in which a specialized probe connects to an ATM's internal circuit
board and accesses card data from there.
Machine learning continues to grow in importance as a tool for detecting and mitigating cyber attacks.
We checked in with Raj Gopalakrishna, chief software architect at Acalvio,
a company that offers advanced threat defense, for his take on machine learning.
So machine learning is basically various algorithms that have been designed over the last 20 years, which help us solve very complex problems.
And today they're being largely used, for example, in recommendation engines when you buy something on Amazon.
It looks at people's behavior and purchase patterns, who has bought this item before, and gives you a recommendation.
That's an example of a machine learning algorithm.
And how does this extend to the cybersecurity realm?
So the thing is that in the cybersecurity world,
for the last couple of decades,
all the solutions, most of the solutions in the market,
they're basically made up of rules,
you know, where you can set some policies,
say don't allow this, block this,
whitelist, negative list, blacklist,
things like that, right?
So there's too much of work for humans.
And it was very error-prone and very slow.
And it only went back to what you know, as opposed to looking at what you don't know about.
So machine learning is now being widely started being adopted in the security domain, cybersecurity domain.
You don't need a human being telling it a rule.
It can actually derive and make its own rules as things move along.
With machine learning, can the machines actually come back to the user with new creative insights?
Absolutely. So it can take a lot of
different data and give back feedback and saying, this is something I've never seen, for example,
anomaly detection. So they look for behavior of a human being, for example, on a machine. This machine, typically this laptop or server tends to send
this type of, this amount of data on a typical day or a typical hour in the day. And now they
start baselining that. And now the machine learning algorithms can start learning that
automatically, but they watch the data, let's say for a month or a few weeks. And now they exactly know what is normal on Monday morning at 9 a.m. on this laptop or on this network or on
this website. So they know. So something looks different, they immediately can flag it and tell
you this is anomalous, this is unusual, I didn't expect this. So do you want me to do something
about it? So those are all examples of how people have started using it.
So can the bad guys use machine learning to streamline their operations as well?
Absolutely. And machine learning, of course, you know, requires a lot of theoretical knowledge.
So in my team, for example, we have people with PhDs who have done just that in machine learning
and data science for seven years. And so it's a lot of math involved and a lot of,
and then there is domain knowledge.
So if they're willing to invest the time,
certainly they can.
Have there been any examples of that happening
that we've seen out in the wild?
There's been a little bit of that,
you know, but for example,
they try to learn what the attackers
are looking for in reputation services
and they're trying to confuse it.
But not a whole lot. I'd say not a whole lot. And it's still early days in the security space.
I think just only four or five parts of the security space started using machine learning.
It's because it's such a difficult domain, but very powerful.
That's Raj Gopalakrishna from Acalvio.
In the U.S., Congress is again taking up surveillance legislation.
The intelligence community, including the NSA director, this week testified in favor of strong encryption.
The U.S. government is also mulling some reorganizations to its cyber agencies,
among them the possible separation of NSA and Cyber Command.
Senator McCain says he'll block that particular reorg.
And the possible separation of NSA itself from the Department of Defense. Defense Secretary Carter is said to be considering if NSA might not be better off as an independent agency like the CIA.
Finally, Edward Snowden says he thinks he deserves a pardon, that his leaks did a lot of good.
President Obama appears to dissent from this view strongly,
but then he might not have seen Oliver
Stone's eponymous Snowden flick.
Wired has, however, and they've
got a review. Read the whole thing if you're
not averse to spoilers, and in this
case, why would you be?
The reviewer suggests the film has a clear point of view. It, quote, takes about 90 minutes to bleach out the last shades of gray in its black and white biopic, end quote. So, not as complex a narrative as, say, Captain America: Civil War, or so the kids tell us. On the other hand, the kids would like City Escape from Sonic the Hedgehog to become the national anthem. Oh, these kids today.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, you and I have been keeping our eye on these so-called Stingray devices, these cell phone tower simulators. There's been a couple of developments lately when it comes to Stingrays. Bring us up to date.
Sure. So last month, a group of civil rights leaders here in Baltimore complained to the Federal Communications Commission over the Baltimore police's use of this technology known as Stingray.
And we've talked about this before, but these are cell site simulators.
So law enforcement sets up devices that are able to trick phones into revealing location identifying information.
The use has been particularly widespread in Baltimore City, and I think because of the potential that it's being used disproportionately in some minority neighborhoods, and because it's actually led to a significant number of arrests, there has been that concern. FCC hasn't commented necessarily, but this is an interesting development in civil rights groups
trying to use the regulatory process to perhaps curb the use of this law enforcement tool.
And then the other recent development I think is perhaps even more interesting.
Earlier this week, there was a manual released from one of the manufacturers that produces these so-called Stingray devices, and that's the Harris Corporation.
And this is an operator's manual?
This is an operator's manual, that's correct. And it was revealed, you know, parts of the program
had been revealed under previous Freedom of Information Act requests, but there had been a
lot of redacted information. But this week,
the manual was leaked to a website known as The Intercept. That's the website you may be familiar
with that's run by Glenn Greenwald, who was, or at least run in large part by Glenn Greenwald,
who was at the center of the Snowden disclosures. And it revealed some pretty staggering information
about how these Stingray devices work.
They're particularly powerful.
I mean, one of the things that was revealed is that the device can impersonate up to four cell towers at once.
And it can monitor up to four provider networks simultaneously and can also monitor 2G, 3G, 4G communications.
And I'm sure, you know, as the technology changes and we get to 5G,
this technology will adapt as well. Based on the manuals provided and some of the analysis I've seen, it looks like it's relatively easy for law enforcement to use on a wide scale without any particularized technological knowledge. And that presents significant civil liberties concerns.
We saw a Maryland court
earlier this year say that people should have a reasonable expectation in privacy
that their location is not going to be revealed to the cell site simulators, meaning that law
enforcement is going to need a warrant potentially to do these types of searches. The highest court in Maryland hasn't yet come down
on it, but I think it's going to be crucial that there's some finality to this decision now that
we know the scope of information that can be retrieved from these devices and how easy they
are for law enforcement to employ.
I guess what always puzzled me about this is that, you know, presumably any cell phone and any cell service provider needs a license to set up their towers. And so you would think even law enforcement wouldn't be allowed to set up a rogue transmitter receiving device that the sole purpose of it is interfering with the flow of information on a regular cell tower.
Right. So there is this sort of interesting principle, and I think this cuts across various areas of cyber law. The government is sort of its own entity. And some of the tactics that are
legal in the private sector are, and that require licenses in the private sector, the government is
often immune from those if they're using them for uniquely government functions,
such as law enforcement or domestic security or international surveillance.
So I think that's something the FCC is going to have to grapple with.
Is this a unique circumstance where the government needs a unique capability,
and something like revealing that they're getting these types of licenses
might hinder their law enforcement services?
Or do they not get a pass and do they have to go through the same rigorous process that
all the other cellular providers have to go through?
So I think this is an open question for the FCC.
All right, Ben Yelin, we will continue to keep an eye on it.
Thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.