CyberWire Daily - Daily & Week in Review: Election hacking, journalist hacking, and the rise of TbpS DDoS. More reflections on the Yahoo! breach. Ransomware and other forms of extortion.
Episode Date: September 30, 2016
In today's podcast, we hear about how IoT botnets bring scunion across the Internet, and why security cameras are attractive to bot rustlers. InfoArmor's explanation of the Yahoo! breach gains traction among observers. Europol warns that ransomware is on the rise. Zerodium raises its iOS 10 remote jailbreak bounty to a cool million and a half. US states continue to grapple with election hacking. Markus Rauschecker outlines some new cyber regulations proposed in New York. Dr. Eli David from Deep Instinct explains deep learning. And the Tofsee botnet is chumming for the lonely—click with caution.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Why security cameras are attractive to bot rustlers. InfoArmor's explanation of the Yahoo breach gains traction among observers.
Europol warns that ransomware is on the rise.
Zerodium raises its iOS 10 remote jailbreak bounty to a cool million and a half.
U.S. states continue to grapple with election hacking.
And the Tofsee botnet is chumming for the lonely.
Click with caution.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, September 30, 2016.
The IoT botnets used against OVH and KrebsOnSecurity should, a Los Angeles Times op-ed says, terrify you.
Terrify may be breathless, but the incidents represent a dramatic increase in criminal capability.
Many of the devices herded into the botnets were security cameras.
The threat posed by hacked security cameras isn't new.
These cameras are widely deployed, and although people still tend to misleadingly call them
closed-circuit TV, they're almost invariably networked.
It's worth returning to a primer we received on cameras
at the Jailbreak IoT Security Summit earlier this year.
Our guide was Wesley Weinberg, a senior security research engineer at Microsoft.
His premise was that security cameras were Internet of Things devices
before people generally recognized that there was such a thing as an internet of things.
The businesses that use them tend to link them to other systems, often physical security
networks like those that control doors, and sometimes to building control systems like
HVAC networks or even to point-of-sale systems.
People have gone after IP cameras for many reasons, Weinberg told us.
They may want access to a video stream,
they may wish to modify a video stream, they may seek persistent access to the security system,
or they may be interested in pivoting from camera to other networks. His advice to users of security
cameras included recognizing that while IP camera protocols aren't themselves necessarily flawed,
their implementation often is, and that, as he put it, feature equals attack
surface. Many of those attack surfaces are physical attack surfaces: an accessible CompactFlash
card port, Ethernet, video, audio, input/output, and so on. So if you must network your
security camera, once you've paid due attention to implementation, you'd do well to restrict
physical access to the camera itself and to restrict the ways the camera can communicate. As DDoS attacks of the last two
weeks have shown, the risks aren't restricted to the camera's users, and that's true of the IoT as
a whole. InfoArmor's study of the Yahoo breach maintains those responsible weren't state-sponsored,
but rather criminals who subsequently sold their take to a nation-state.
This explanation is gaining traction in the industry press.
Some observers continue to point out that in some parts of the world,
there's often very little daylight between criminals and security services.
Europol warns that crypto-ransomware remains a big threat.
The Princess Locker is one relatively new strain.
Its demands show a distinctive and unusual escalation. The initial ask is three Bitcoin, but if you don't
pony up by the deadline, the threats get uglier and the demand doubles to six Bitcoin.
Plixer's CEO Michael Patterson told the CyberWire that he agrees with assessments that ransomware
incidents will continue to rise in the coming months.
The money's relatively easy.
And big breaches like the Yahoo compromise have put a lot of credentials onto the black market,
which makes for easier phishing of victims.
He sketches a likely scenario.
Quote,
Imagine purchasing the stolen 200 million Yahoo email list for $1,860
and then targeting them with a phishing attack that looks as though
it came from Yahoo's account recovery team. Many of those 200 million recipients would be tempted
to open the malicious email. Once they click, the ransomware encrypts the victim's files and the
user is forced to make what could be a difficult decision, end quote. And as always, the best line
of defense against ransomware is secure,
regular backup. And there are other forms of extortion online than crypto ransomware.
Flashpoint continues to keep an eye on the unfolding attempt by the Dark Overlord to
extort money from a California investment company the Dark Overlord doxed. If the Dark Overlord
isn't paid, he'll continue to dribble out increasingly sensitive
files. In industry news, Zerodium has upped its bounty for an iOS 10 remote jailbreak to $1.5
million. This is not a conventional bug bounty. Zerodium is a zero-day broker, and they're quite
clear that they want exploitable stuff, not idle proofs of concept. The tally of states experiencing hacking attempts in the U.S. is now up to 20.
For the most part, the attempts as reported amount to reconnaissance
or sometimes theft of not particularly sensitive,
and sometimes publicly available anyway, voter data.
There's growing awareness that one need not corrupt an election's data nationwide
to affect its outcome.
Carbon Black thinks attending selectively to Pennsylvania precincts could do the trick.
Of course, the prime persons of interest in election hacking remain the two bears, Cozy and especially Fancy.
And finally, for all the worries about the Internet of Things and its potential for botnet rustling,
many ordinary botnets are also
still out there. So it's not all IoT all the time. The Tofsee botnet, for example, is newly active
and aggressive, reports Talos. Tofsee is spamming out phish bait consisting of what's euphemistically
called adult dating opportunities, mostly involving claims that Russian and Ukrainian
beauties are looking for you, Mr. Lonely Heart.
Don't be fooled.
Lyudmila hasn't discovered you as a soulmate, and Lyudmila might not even be Lyudmila.
For all you know, Lyudmila is actually Vladimir, all 181.437 kilos of him,
and working not from his parents' basement, but perched in a lawn chair in front of a wading pool and a MiG.
Think before you click. Remember the MiG.
Did we mention 181.437 kilos?
That's 400 pounds, or as we like to say around here, one hacker weight.
Joining me once again is Markus Rauschecker. He's the cybersecurity program manager at the
University of Maryland Center for Health and Homeland Security. Markus saw a report come by via Reuters that New York has issued some cyber regulations for banks
and insurers. What can you tell us about this? Yeah, this is big news. New York actually
proposed regulations for cybersecurity. And so they're not in force yet, these regulations, but they are proposed by New York State.
These regulations would affect businesses in the banking sector, the insurance sector, the financial sector.
This proposal has been getting a lot of attention because a lot of the best practices that we talk about in cybersecurity would actually become part of the regulation here. And companies that would be under these regulations would now be forced to implement
some of these best practices. That includes, among other things, that companies would have to
nominate a CISO, a chief information security officer. They would also have to have written
cybersecurity policies in place. They would have to do regular risk assessments. They'd have to have other written policies and
procedures applicable to cybersecurity practices. They'd have to start using encryption and do
internal and external cyber audits. And on top of everything else, they not only would have to be concerned about their own cybersecurity,
but they would have to have knowledge about the cybersecurity status
of any third parties that they deal with.
Lots packed into these regulations,
and we'll see if they actually go through.
So there's a 45-day comment period before anything happens.
Is there any feeling how the banks and the other organizations that are under these regulations are responding to this proposal?
Right. So whenever there's talk of regulations, businesses generally speak out against the regulations.
As you can imagine, regulations traditionally, or as the traditional argument goes, would increase costs for businesses, would increase the burden on businesses.
So I'm sure we're going to hear a lot of the same kind of response to these proposed regulations.
My guess is that larger companies, companies with a lot of resources, are probably already doing most of the things that are in
these regulations, so there probably wouldn't be much of an additional cost or burden on these
companies to implement, or continue to do, the things that are contained in the regulation.
But, you know, these regulations could become problematic for some mid- or smaller-sized
companies who don't necessarily have the
resources to do everything that they would now be required to do. Certain companies are going to be
exempt from these regulations. If we're talking about smaller-sized companies, companies with
fewer than a thousand customers, for example, or companies that make less than five million in
gross annual revenue,
those companies, those smaller-sized companies, they would be exempt from these regulations.
And New York obviously is in a leadership position when it comes to the banking and insurance industry. So is this the sort of thing where other states would follow suit after New York's lead?
Or would that even be necessary?
Would enough things be covered just by New York having these regulations? I think by New York coming forward and
proposing these regulations, they are really taking a leadership role here. And I think a
lot of other states are going to be very interested to see how things develop in New York. And I think
it might be a sign of things to come. There's been talk about regulation for a long time now.
Here we have an instance now where they're actually being implemented. So everyone's going to pay close
attention. And I think it might be a sign of things to come in other states as well.
All right, Markus Rauschecker, thanks for joining us.
My guest today is Dr. Eli David. He's the Chief Technology Officer at Deep Instinct,
a company that claims to be the first to apply the concept of deep learning to cybersecurity.
Dr. David is one of the leading researchers in the field of computational intelligence.
We wanted to learn more about deep learning and how it applies to cybersecurity.
It is the closest we have got in computer science
to creating something that mimics our brains
or more accurately takes direct inspiration from our brain.
Deep learning has obtained amazing results
in all the fields it has been applied to.
In computer vision we have seen 20 to 30 percentage point improvements in all the benchmarks,
similar improvements in speech recognition, a big improvement in text understanding.
And in all these fields deep learning is completely agnostic to the domain,
processing just raw data without any feature engineering or pre-processing.
Cyber security is a very tough problem since it is very easy to create new malware and
it's very difficult to detect them.
So the underlying idea of ours was that if deep learning has been so successful in the other
fields, especially when tackling challenging problems, then it should be successful here too.
So help me understand, you know, when does artificial intelligence cross over and become deep learning?
Actually, deep learning is a subfield of machine learning, which is in itself a subfield
of artificial intelligence. Since the early 2000s, machine learning has been the most successful field within AI.
The idea in machine learning is, instead of we humans trying to find smart heuristics
and code it, we just gather data and give it to the machine so that the machine will
learn by itself by observing many examples.
This is traditional machine learning.
But the problem with traditional machine learning is that in every problem that you apply,
you first need to perform feature extraction, feature engineering.
For example, if the problem is face recognition,
you need to bring image processing experts to analyze the problem domain and tell you that the most important features are
distance between pupils, distance between nose and mouth, proportions of the face, etc.
And this is how in traditional machine learning the raw data, in our example the raw image,
is converted into a list of a few tens or at most a few hundred values. When you look at someone
and you recognize their face, you're not
calculating the distance between their pupils and multiplying it by
proportions of their face, hopefully. You're just receiving the raw data, the
raw pixels, and your visual cortex, by having learned what faces look like,
immediately provides a prediction. The deep learning is the first family of
methods within machine learning
that completely skips that feature extraction phase.
So in deep learning, we have many layers of artificial neurons.
In our brain, we have real neurons.
In deep learning or deep neural networks, artificial neurons.
They're connected to each other via synapses.
And we have hundreds of millions of synapses
in tens of layers of neural networks
in typical artificial neural net.
So back to our analogy,
if you're applying deep learning to face recognition,
the input would be just raw pixels,
no pre-processing whatsoever.
In text understanding,
it would typically be the raw characters,
not even words, characters.
And in our case, in cybersecurity, we train our brain, Deep Instinct's brain,
by training it on data sets of many hundreds of millions of samples of malicious and legitimate files,
and the input is just the raw bytes.
So in Deep Instinct, we'll look at the computer file exactly as if it is an image, but with bytes instead of pixels.
So we're completely agnostic to the file format.
We do static prediction.
We even don't care about the operating system.
So this is how deep learning is much more versatile than traditional machine learning, which is in itself the most successful field within AI.
So is there a penalty to pay in terms of computational overhead?
Deep learning is very cumbersome to train.
You do require special-purpose hardware.
The reason is that deep learning is a family of several kinds of algorithms, complex to understand, difficult to implement, but the most
challenging part is that even if you do have a full implementation, you still
have to reimplement everything on GPUs, graphical processing units, which are in
our case up to a hundred times faster than CPUs for the training purposes. So deep learning is very cumbersome and slow for training,
very fast in prediction mode.
It takes a few milliseconds on the slowest CPU or mobile device
that you can imagine for the prediction to work.
This sounds a bit counterintuitive,
but in fact it's very similar to how our brain works.
It takes us many years to learn a new language,
but when we learn it, it takes a few milliseconds to remember how a certain word is called.
And I would say that within our lifetimes, some say 10 years, some say 30, 40 years,
we will most probably see near human-level artificial cognition, because what we see is that
the more neurons we're capable of adding to our deep learning module, the better results we obtain,
similar to the evolution of Homo sapiens: more brain, more neurons, better cognition. So we do think that we are approaching the level that in the next few
tens of years, computers will be virtually indistinguishable from humans as far as their
cognitive capabilities are concerned. That's Dr. Eli David. He's the Chief Technology Officer at
Deep Instinct. And that's the CyberWire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.