CyberWire Daily - Daily & Week in Review: Crypto wars update, story stocks, AI, encryption, and the usual crime.

Episode Date: May 27, 2016

In today's podcast, we discuss the SWIFT transfer issues now under investigation in a dozen more banks. SWIFT announces a five-point security strategy. Attacks on the private sector are seen as having... national security implications. Other cyber threats to business--DDoS and ransomware--place availability of data and networks at risk. We take a look at investor interest in cyber stocks, and we talk with experts on artificial intelligence and encryption. And, as far as nation-state attacks are concerned, again, signs point to Pyongyang. (As they so often do.) Malek Ben Salem from Accenture Labs explains AI and machine learning, and we hear from Brent Waters of the University of Texas at Austin, who's recently been honored with an early career award from the Association of Computing Machinery for his contributions to encryption.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:00:59 dozen more banks, while SWIFT announces a five-point security strategy. Attacks on the private sector
Starting point is 00:02:05 are seen as having national security implications. Other cyber threats to business, DDoS and ransomware, place availability of data and networks at risk. As leading companies report results, we take a quick look at the state of the cybersecurity sector, without, of course, offering investment advice. We talk with experts on artificial intelligence and encryption. And as far as nation-state attacks are concerned, again, signs point to Pyongyang. I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, May 27, 2016. The SWIFT funds transfer network remains in the news.
Starting point is 00:02:43 It appears that the anticipated wave of attempts on other banks had spread beyond Bangladesh and Vietnam. Anonymous sources have told Bloomberg that up to 12 banks have opened investigations into attempts at fraudulent transfers. There so far seems to be no evidence of actual losses. The affected banks are said to be in unnamed Southeast Asian countries and also in the Philippines and New Zealand. FireEye, which is investigating the theft from the Bangladesh Bank, is reported to have been retained by some of the newly affected institutions. Symantec reports finding connections between malware found in Bangladesh and the Philippines with the Lazarus cybercrime group.
Starting point is 00:03:24 SWIFT maintains that none of its own systems have been compromised. Some observers see SWIFT-related attacks as an indication that criminals are turning their attention from banking customers to the banks themselves. But whether this represents a secular trend or merely the current opportunistic state of criminal play remains to be seen. The national security implications of attacks on corporations were under discussion this week at Georgetown's Cybersecurity Law Institute. Companies are often the targets of nation-states. Iranian operators were indicted in the U.S. over
Starting point is 00:03:56 attacks on financial institutions, and U.S. prosecutors have also charged officers of China's People's Liberation Army with hacking manufacturers to obtain intellectual property. Some reports have linked the SWIFT attacks to a nation-state, most commonly North Korea, in view of the similarity of some of the malware found in Bangladesh to that used in other incidents attributed to the DPRK. StealthBits senior vice president Adam Laub commented on possible nation-state involvement by suggesting that defense against this sort of attack is, quote, to fortify, and by this he means going beyond perimeter defenses to protect, quote,
Starting point is 00:04:35 data, privileged credentials, and the end users, end quote. Lastline's Craig Kensick also commented, quote, This is another demonstration of the need for international cooperation against cybercriminals and attacks like this. The financial community knows no boundaries, and funds can be transferred or stolen within seconds. Without cooperation, identifying the perpetrators can be next to impossible.
Starting point is 00:04:58 End quote. He recommends looking into data loss prevention and anomaly detection. The SWIFT network continues to work on the security of its interactions with its partners. It has announced a five-point strategy for enhanced security. It includes improving information sharing among the global community, specifically among the approximately 11,000 users of the SWIFT network worldwide, enhancing SWIFT-related tools for customers. These tools will be tailored to
Starting point is 00:05:25 users' particular needs and circumstances. Enhancing guidelines and providing audit frameworks with particular attention to making compliance transparent to and enforced by counterparties, regulators, and SWIFT itself. Supporting increased payment pattern controls, including faster stop payment intervention. And enhancing support by third-party providers. This would include, quote, security software and hardware, consulting and training, implementation services, providers of fraud detection solutions, interface vendors, service bureaus, auditors, and others.
Starting point is 00:06:55 Joining me is Malek Ben-Salem. She's the R&D manager for security at Accenture Technology
Starting point is 00:07:58 Labs, one of our academic and research partners. Malek, we hear a lot about artificial intelligence and machine learning. Can you explain to us what do those terms mean and how do they differ from each other? So in a nutshell, basically machine learning is one branch of AI or artificial intelligence. Machine learning is data-driven, is the ability to have a machine be able to learn new knowledge by giving it or exposing it to new data, new instances of data that it can learn from, just like a human being. Artificial intelligence is much larger. It includes, obviously, machine learning, but it also covers things like expert systems that can reason and make
Starting point is 00:08:49 deductions. It covers things like information retrieval, the ability to retrieve information related to specific concepts, such as search, for example. It covers natural language processing. It covers robotics, you know, automated vision and perception, as well as the automation of movement and ingestion of surrounding information. So artificial intelligence as a field covers much more than just machine learning, which is really focused on the ability to learn through data. So is machine learning a subset of artificial intelligence? That is correct, yes. So explain to us what are some of the applications for machine learning when it comes to security? Sure. So machine learning has been applied to a number of security topics or problems. For example, analytics at the network level, looking at network traffic, identifying or automatically detecting what are anomalies within the traffic and perhaps linking those anomalies to security attacks. It has been used to profile user behavior, how people interact with computer systems, and using that knowledge or those profiles of how people behave as ways to authenticate
Starting point is 00:10:17 users. Another way of applying it is the ability to automatically classify data as sensitive or non-sensitive based on instances of sensitive and non-sensitive data. So building an algorithm that can automatically predict how sensitive a piece of data is based on previous instances of data that it has seen before. All right, interesting stuff. Malek Ben-Salem, thanks so much for joining us.
Starting point is 00:11:33 This week saw another executive taken down in the wake of a cyber incident as a fraudulent transfer with no relation to SWIFT prompted the board of Austrian aerospace firm FACC to remove the company's CEO. The incident here is being called a case of presidential impersonation, a kind of business email compromise in which a spoofed email purporting to be from a corporate officer prompts company personnel to transfer funds or give up sensitive data. Other business concerns this week involve the two long-standing threats to network and data availability, DDoS and ransomware. Domain name service provider NS1 was hit by a denial-of-service attack that slowed DNS delivery in the Americas, Europe, and Asia. With respect to ransomware, Locky is back.
Starting point is 00:12:20 A JavaScript exploitation campaign is distributing it to the unwary. ThreatTrack Security shared some advice for businesses on how to deal with the threat of ransomware. First, back up your data, either to external hard drives or to a solid cloud-based option. Second, get on a schedule. ThreatTrack recommends backing up daily. Third, educate yourself and your people about phishing. Fourth, practice safe computing by keeping your systems patched and up to date. And fifth, keep work and personal data separate.
Starting point is 00:12:57 We might add to the notes on DDoS and ransomware two points made this week at Georgetown's Cybersecurity Law Institute. Both of these threats make use of botnets. Researchers who made a solid contribution to botnet control would be doing the world a service, and every enterprise should have a well-conceived, well-drilled incident response plan in place. To the point made about the importance of patching, it's worth noting that an Office bug Microsoft patched last year continues to yield opportunities for cyber espionage. CVE-2015-2545 is being exploited by Danti, which is active against the Indian government, Platinum, APT-16, Kachang, and other campaigns. Unpatched systems afford an uncontested attack surface. In industry news, Palo Alto's results disappointed investors last
Starting point is 00:13:42 night, as did Splunk's, which in fairness to Splunk, didn't represent a loss, merely a less-than-spectacular gain. But analysts, as a group, seem disposed again to view cyber as a story stock sector. See, for example, Sophos, whose shares saw a small gain even after reporting a loss. And FireEye's story appears to be looking good to investment advisors, too. And finally, since we've been talking about threats from nation-states, it's only right to close by observing that the official website of South Korea's Air Force was shut down for about two weeks. Access has now been restored.
Starting point is 00:14:18 There's no attribution, but the world, in the style of the Magic 8-Ball, seems to say, in unison, signs point to Pyongyang. One of the foundations of cybersecurity is, of course, encryption. Brent Waters is a professor of computer science at the University of Texas at Austin, who's recently been honored with an Early Career Award from the Association of Computing Machinery for his contributions to encryption, specifically his work in what's known as functional encryption. I asked Brent to explain what led him and his research partners to their breakthroughs in functional encryption.
Starting point is 00:15:12 It began, actually, you can sort of trace when it first started to when I was a grad student at Princeton University. I heard of something called identity-based encryption, which was innovated by Dan Boneh and Matt Franklin had the first solution to it. What it was, was you could encrypt to someone only knowing their identity. Let's say your identity is like your email address. And I had – actually, at the time, I had this idea that, well, what if instead of, like, an identity being an email address, what if it could be a fingerprint or some type of biometric that you could encrypt to? The tricky thing with biometrics is sometimes, you know, if you measure them a couple different times, you might get a slightly different identity, like the scan of the face or your fingerprint might look a little different. So I wanted to come up with a form
Starting point is 00:15:55 of identity-based encryption that would be tolerant to this. So we called it fuzzy identity-based encryption. I took this idea to who would become my co-advisor, Amit Sahai, and we published it. This notion of fuzzy encryption led Waters and his team to another form of encryption called attribute-based encryption. We usually think of decryption as an all-or-nothing type of operation. Either you have the private key and you can get the message, or you don't have it and you don't learn anything. So what attribute-based encryption did was it was the first thing to sort of challenge this pre-existing way of thinking of encryption in that I could label my data with a set of attributes, let's say like a surveillance camera,
Starting point is 00:16:35 and we could label it with the attributes of, let's say, the GPS location and the time of day, and then later on someone might get a policy saying, well, you can look at all data that meets this criteria. His work with attribute-based encryption made Waters wonder, what if you could keep your data encrypted, keep it secure, but still perform meaningful calculations or functions on the data? That question led him and his collaborators to functional encryption. So functional encryption is a new way of thinking of encryption.
Starting point is 00:17:06 So in functional encryption, let's say someone will encrypt some data. Let's say if you go to an authority, you can get a private key, which will not so much decrypt the data and let you see it in the clear. Instead, you could learn a function of the data. Okay, so maybe I could go to the authority and say, I know I'm not allowed to see all the student records, but I think I should have the ability to learn what the median GPA is for students that, let's say, are in a certain major or graduated by a certain date. So then if I apply my private key to it, it doesn't let me see the data in the clear. Instead, it lets me see whatever my
Starting point is 00:17:45 function is on the data. Brent Waters is quick to point out that functional encryption is still in the early stages of development, and there's still work to be done. The current candidates for functional encryption actually have two limitations. There's multilinear maps, there's both performance considerations, and they're not built on what we call standard assumptions in cryptography. We always need to prove something secure. We always prove it relative to some assumption, like my crypto system is secure as long as it's hard to factor large numbers. And what we'd like is we'd like the assumptions to be sort of minimal or ones that have been tested out for as long as possible. Like, for example, the factoring assumption
Starting point is 00:18:29 has been used or at least thought of in cryptosystems since 1978, whereas these multilinear maps are very new and perhaps a little more dangerous. One goal of my research is to bring it from these multilinear map assumptions to things we're more familiar and comfortable with. And this is a really exciting research challenge because I think this is what is needed to establish these new systems as being really secure. Waters warned that while it's understandable that some people confuse functional encryption with homomorphic encryption, there are important distinctions between the two. So let's say that, suppose for example, I wanted you to filter my email for me. Let's say I have a bunch of encrypted email coming in and you're, let's say, like a proxy or server in between me
Starting point is 00:19:14 and my mobile phone. I have a certain function which detects spam and if it's spam, I just want you to throw away and not even bother sending it to my phone. And then also I have a certain other criteria for marking an email as urgent. Let's say it comes from a set of urgent people or has certain keywords. And so pretty much I want you to, for normal email, just send it onto my phone. For urgent email, send it to my phone and also give me a text saying, hey, there's an urgent email, you might want to look at it. And for spam, just drop it. Now, suppose I wanted you to do that on my encrypted email, but without knowing anything other than these labels. I don't want you to see these labels.
Starting point is 00:19:51 So functional encryption is something where I could do this. I could give you a function which kind of decrypts the email, looks at it, but only lets you know the answer. So that's what functional encryption could do. However, homomorphic encryption, you can compute on encrypted data, but the person doing the computation never learns an answer. So if you get encrypted data and you have homomorphic encryption, you can do a bunch of computations on it, but the person, the third party doing the computation never learns anything, which can be a problem if I want you to know whether it's spam
Starting point is 00:20:23 or not spam, but nothing else. Our congratulations to Brent Waters and his research partners and the University of Texas at Austin on the award and for the important work they're doing. And that's The CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
