CyberWire Daily - Daily: Sources say FBI is confident foreign intelligence services penetrated former Secretary of State's private email server. WikiLeaks says it's not a Russian tool. Notes on industry; notes on cybercrime.
Episode Date: November 3, 2016
In today's podcast we hear about how fallout from the FBI investigation of former Congressman Weiner continues to drop onto the Clinton campaign. WikiLeaks' Assange says he'll continue to dox, but denies he's doing so with Russian help. IoT-driven DDoS fears continue. A new exploit kit is replacing earlier stars in the criminal firmament. Jonathan Katz from the University of Maryland describes an experiment Google ran, pitting several AIs against each other in an encryption challenge. Edward Fox from MetTel explains the role telecommunications companies play in cyber security. NIST issues a cybersecurity workforce framework, NSA promotes its Day of Cyber, and the SINET 16 are introduced in Washington.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Fallout from the FBI investigation of former Congressman Weiner
continues to drop onto the Clinton campaign.
WikiLeaks' Assange says he'll continue to dox,
but denies he's doing so with Russian help. IoT-driven DDoS fears continue. A new exploit
kit is replacing earlier stars in the criminal firmament. NIST issues a cybersecurity workforce
framework. NSA promotes its Day of Cyber. And the SINET 16 are introduced in Washington.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, November 3rd, 2016.
More continues to emerge on the FBI's renewed investigation of emails that allegedly found their way from former Secretary of State Clinton's private server to a laptop belonging
to former New York Representative Anthony Weiner. It's thought that they are on the laptop because
of Weiner's connection to his now-estranged wife, Huma Abedin, a close aide of Ms. Clinton.
The number of emails is very large, in the hundreds of thousands, and machines used by
key Clinton advisers that were thought to have been destroyed are now reported to be under active exploitation by the FBI.
Sources are telling various news outlets that FBI investigators have high confidence that five unnamed foreign intelligence services succeeded in compromising the former secretary's now decommissioned and presumably not replaced private server.
We leave speculation about which five nations are suspected as an
exercise for the listener. WikiLeaks continues to make good on its promise to release discreditable
documents related to the election, with a particular animus directed at the Clinton
campaign. More are expected before next Tuesday's election. Most of the recently released emails
have been associated with campaign manager Podesta, and the general climate of opinion holds that they were taken by Russian intelligence services.
But WikiLeaks' leader Julian Assange denies that he's getting those documents from Russia.
Where he's getting them, he isn't saying, but the releases do seem generally aligned with Russian interests.
Concerns, of course, about Russian influence on U.S. elections continue. Among
those concerns are the prospect of distributed denial-of-service campaigns against election-related
targets. DDoS fears have risen since the Mirai Internet of Things botnet attacks last month.
Bitdefender reports finding an exploitable vulnerability in widely used web cameras
that would render them susceptible to botnet herding.
Looking back at the DDoS attacks sustained by Dyn two weeks ago, the Online Trust Association
says that the attacks could have easily been prevented with better secured IoT devices.
That's no doubt true enough, but in fact such devices are widely deployed and haven't been
securely provisioned, and mopping up so very large a number of insecure devices is a far from trivial challenge.
Many observers have discerned signs of ISPs becoming more willing to take an active role in combating IoT-based DDoS,
but others raise doubts.
Net neutrality policies and regulations are thought by many to be likely to inhibit ISPs from doing so.
Analysts think such companies would assume non-negligible regulatory risk.
Hacktivism and state-sponsored cyber activity may have bulked large in the news recently,
but it would be a mistake to think that more conventional cybercrime has gone into any temporary eclipse.
The Angler, Neutrino, and Nuclear Exploit Kits have
been put down, but the Sundown Exploit Kit is increasingly occupying their niche in the criminal
ecosystem. Hospitals in the UK continue their recovery from a criminal attack they sustained
over the past week, and news has broken of a major data breach among New Zealand nursing services.
As technology evolves, one area that's grown in sophistication is telecommunications,
with most new subscribers choosing voice over IP over traditional landlines.
There are generally cost savings and productivity gains to be had, but also concerns about reliability and attack surface.
We checked in with Edward Fox from telecommunications provider
MetTel to get his perspective on secure telecommunications.
Out in the wild, there's many carriers. And just for the simple fact that many enterprises and end users, just like we're
talking on Skype today, we're mixing data and voice. We're having a great connection. But if
something was to happen in between, and if that particular attack is in the
path of where our voice is going, it can be affected. We try to keep the voice and data
networks as segregated as possible, although I have to say 85% of our customers that we serve
today have converged last miles. But usually the last mile
is not, when you're talking about DDoS, usually the last mile is not where the biggest issues are.
So we do that as well as we keep trusted versus untrusted networks. And that allows us to keep
the untrusted side beefier and able to take on traffic that it's not ready for and protect the trusted side of
the network. We spent a little extra money doing it, but on the voice side, it's an architecture
that has saved us multiple times.
Can you dig into that a little bit more?
What are we talking about when we're talking about a trusted and untrusted network configuration?
Yeah, so just as an example, in our voice network, we have proxies or session
border controllers that face different networks. And we have those completely segregated on
completely different networks. And we have those that register endpoints and talk to our customers
and talk to their PBXs and Polycom phones in their desk. And then we have those which talk to the rest of the world.
And we treat those very differently in how we broadcast IP addresses
and where we actually put them in the network.
So let's say I'm someone starting up my own organization,
and I know I'm going to need telephones, I'm going to need internet.
What would your advice be for someone in that situation
in terms of the kinds of things they should be looking for?
I would advise to look for a partner that may not necessarily be the underlying, you know, last mile provider like your Cablevision or Comcast or someone of that nature.
The benefit of that pricing and that bandwidth can give you the overlay and the service around cloud firewalling and cloud or hosted voice.
You know, someone who's taken the time and the initiative to do things like sandbox and offer that as a service, DDoS protection, you know, up in the cloud, as well as to take your voice network and make sure that there's a trusted
part of it and there's an untrusted part of it, and only expose you to the outside untrusted part
when you're making outbound calls, which can be routed all over the world today. So that would be
my advice.
That's Edward Fox. He's Vice President of Network Services at MetTel.
In industry news, Microsoft says it will have a patch ready on Tuesday for the Windows zero-day Google recently disclosed.
Sophos has acquired Irish security analytics shop Barricade.
A much larger acquisition has also been announced.
Broadcom is buying Brocade for $5.5 billion.
Speculators expect to see a wave of mergers and acquisitions in the broader IT sector.
NICE, the National Initiative for Cybersecurity Education, is meeting this week in Kansas City.
NIST has been using the occasion to launch not only its CyberSeek jobs map, which we
mentioned in yesterday's daily news briefing, but also a draft cybersecurity workforce framework.
This may be expected to draw considerable attention and attract considerable comment.
Your suggestions and reactions can be communicated to NIST by emailing them.
Comments are open until January 6, 2017.
Also at the NICE meetings, one heard about NSA and its LifeJourney partner,
who are offering a Day of Cyber for students.
Registrations have already passed the 5 million mark.
Finally, a couple of our stringers are down in Washington today for the annual SINET Showcase.
We'll have a full report in upcoming issues of our daily news brief.
The SINET Showcase always features the SINET 16,
16 innovative startups selected
from a field of hundreds. We'll close today by congratulating all of them. This year's winners
are, in reverse alphabetical order, Vera, ThreatQuotient, SafeBreach, RiskSense, ProtectWise,
PreAlert, PostQuantum, Phantom Cyber, Passages, Menlo Security, Intercept, Digital Shadows, DataVisor, CyberX,
Contrast Security, and BlackRidge Technology.
Congratulations to them all.
Their predecessors have established a terrific track record.
And again, that list was in reverse alphabetical order.
You're welcome, Vera.
Joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also head of the Maryland Cybersecurity Center.
Jonathan saw an article come by on Ars Technica about some Google researchers
who had set a couple of artificial intelligences to sort of team up together
and try to come up with some cryptographic stuff.
Explain to us what was going on here.
This was pretty interesting work, actually. What the researchers did was they set up three
neural networks corresponding to three different entities, Alice, Bob, and Eve. And what they did
was they just programmed these neural networks to try to search for algorithms that would allow
Alice to encrypt a message and send it to Bob, who would then be able to decrypt it and recover it,
while simultaneously hiding the message from Eve.
And then they basically just let these algorithms run
until they converged on something where Alice and Bob were doing well
in terms of being able to recover the messages being sent,
while Eve was not doing well, namely not being able to recover what was being sent.
So essentially they just let the algorithms run, these neural networks run, and discover algorithms on their own, as it were.
And were these novel algorithms that they came up with?
Well, they were definitely novel.
I mean, one of the things that's funny is that actually the researchers were not really able to characterize what algorithm Alice and Bob were using to communicate.
So it was, you know,
they could maybe discern some characteristics of it, but they didn't really have a good representation of what the algorithm was doing. All they knew was that it was some algorithm that
was allowing Alice and Bob to communicate, while correspondingly, Eve was not able to decrypt what
was coming out.
Was that a surprise that Eve's ability to decrypt the messages wasn't as good as Alice and Bob's ability to hide it?
Well, so first of all, I don't want to sound too overenthusiastic here,
because what the research ended up showing was that Eve was not able to decrypt,
but that doesn't mean that somebody more clever who was looking in from the outside and using techniques
other than those discovered by this neural network might not have been able to decrypt. And in fact, actually, the encryption
algorithm that they were using, I think the researchers said themselves in the paper,
it would have been possible for somebody, for a researcher, for a cryptographer looking at it
from the outside to actually cryptanalyze it. So the only security guarantee that they're giving
for the encryption algorithm is that this neural network couldn't figure out how to break it. That doesn't mean that nobody can figure out how to
break it. So from that point of view, you know, just because of the way they set the experiment
up, it wasn't surprising that it converged on a situation where Eve couldn't decrypt very well.
I think really it's just a fascinating idea, and I'm sure it'll be pushed a lot further in future
work.
Have these people never seen a Terminator movie?
You know, it's funny. I was just at a conference last week, and one of the big things people were talking about was machine learning and how powerful it's getting and the coming breakthroughs
in AI. And so it looks like that's the direction we're heading with everything. Fortunately,
right now, cryptography is hard enough that AI hasn't cracked it, but this might just be the
start.
All right, Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.