CyberWire Daily - Facebook comes to Washington. Research ethics? IoT threats. Switch bug exploited in the wild. Criminal misdirection. Russia and the West, again. And what do cybercriminals earn?

Episode Date: April 10, 2018

In today's podcast, we hear that Facebook begins facing the Congressional music today. What are the rules for online research, professors? Experts say they're worried about weaponized IoT hacks. Hoods are exploiting a Cisco switch vulnerability in unpatched systems. Named threat groups and bugs as insider misdirection. As relations between Russia and the West worsen, some in Moscow call an end to Peter the Great's experiment. And how much do cybercriminals make, and what do they spend it on? Daniel Prince from Lancaster University on clandestine data transmission and steganography. Guest is Gabriel Bassett from Verizon, reviewing his work on the Verizon DBIR report.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Facebook begins facing the congressional music today. What are the rules for online research, professors? Experts say they're worried about weaponized IoT hacks, hoods exploiting Cisco switch vulnerabilities and unpatched systems,
Starting point is 00:02:10 named threat groups and bugs as insider misdirection, as relations between Russia and the West worsen, some in Moscow call an end to Peter the Great's experiment, Verizon's annual data breach investigation report came out today, we'll talk to one of the report's authors. And how much do cybercriminals make? And what do they spend it on? From the CyberWire studios at DataTribe,
Starting point is 00:02:35 I'm Dave Bittner with your CyberWire summary for Tuesday, April 10, 2018. As Facebook CEO Mark Zuckerberg appears on Capitol Hill to testify about a range of topics, mostly related to the privacy concerns surrounding his company's platform, another quasi-research organization, QBU, is said to have scooped up users' data by inducing them to take various quizzes. QBU is a market research firm, of course, and quizzes and surveys have long been used to collect information destined to be used for marketing. Some other research projects that have drawn adverse attention and comment, however, have been more academic in nature.
Starting point is 00:03:16 We've got a question for university research review boards. Has this sort of issue surfaced in the course of human subjects' research reviews? And how do research review boards handle them? It's easy to think of these boards as confined to biomedical research, but behavioral and social scientific studies are also often submitted for consideration. And how's that working out? Verizon published the 2018 version of their data breach investigation report today, one of the most anticipated and respected cybersecurity reports.
Starting point is 00:03:49 Gabriel Bassett is a senior information security data scientist at Verizon and one of the authors of this year's DBIR. He joins us to share the results. We've always seen large attacks using social actions, things like phishing or pretexting. But this year, we saw concerted attempts to get tax information, the US W-2 information. And I think that's a substantial trend. It's really interesting because I like to think about the attackers as always looking for the best value proposition. They're shopping around. And when we see a new attack, I kind of see it as
Starting point is 00:04:26 the attackers having found a better deal. And so when we see something like theft of tax information, W-2 theft come up, it's like the attackers have found this new better deal. And it makes sense, right? Because now when they send a phishing email, they're not just stealing one person's data, they're stealing a whole bunch of people's. And then they can use that to go and commit tax fraud on an entire slew of people at the same time. Another trend that we saw rise substantially was ransomware. Ransomware breaches doubled again year over year. And that makes sense. There's more and more people getting in this game. I think the reason that attackers are jumping onto this is, again, it's a good value proposition for the attacker. It's low risk. It's not like
Starting point is 00:05:10 physically stealing a laptop where you have to physically be near your target. You can target people all over. And then once you've targeted them, it's really easy to monetize. The incorporation of cryptocurrencies, it's very easy to get paid no matter where you are in the world. It used to be that the cryptography was the hard part of the equation. But now attackers can simply purchase or lease out that portion of the attack chain. And that gives them the opportunity to make this a very easy and quick attack. The hardest part now is really the customer service, right? They have to be able to educate people
Starting point is 00:05:47 who are probably otherwise unaware of how to use Bitcoin or decrypt systems on just how to use their tools. And one of the things the report points out is that the human factor is still critical. You had some interesting statistics when it came to phishing. Yeah, I think some of our statistics around social attacks and phishing were really interesting, especially from our
Starting point is 00:06:10 non-incident data. Because in addition to the half a million security incidents we have, and when we say incidents, we mean a compromise of confidentiality, integrity, or availability, not like an alert on your SIEM. So we have half a million incidents, but we also analyze half a billion records of non-incident data. And that would be things like malware or phishing tests or such. 78% of people don't click a single phishing email all year, or at least phishing testing. And so a good portion of your company is doing a great job. On the other hand, in any given test, the median is for 4% of the people that are tested to click. And one of the things we found analyzing data is that the
Starting point is 00:06:52 more times someone clicks, the more times they're likely to click in the future. And so if you have someone that clicks five times, they're more likely to click six times. If they click 10 times, they're more likely to click 11 or 12. And that means that you can go and find who the people in your organization are that are likely to click phishing emails. And that's great news, right? Because now you know where to look for a threat. And it's not because these people are in some way worse at security. There's a lot of people in our companies that have to open attachments from people that
Starting point is 00:07:22 they don't know as part of their job. So if you're in the legal department and someone sends you a PDF and says it's important to your job, you have to open that. If you're in the marketing, the PR department, and someone sends you a PDF, whether or not you know the sender, you need to open that attachment. It's not that they are necessarily making bad choices, but they're trying to do their job in the context of security. And so find those people and say, look, do they really need a full computer? For me, as a data scientist, I've got all this data science software. But they're probably using the standard office applications and web browsing tools.
Starting point is 00:07:58 And so they do fine with just a sandbox operating system, a sandbox Windows system, or an iPad or a Chromebook? Would they be happy with that? And then you get the benefit of security and they get the happiness about this nice streamlined system. When you look at this year's report, is there any good news? Is there any areas where we're gaining on the problem? It's like two different questions there, right? Is there any good news? And are we gaining on the problem? Is it improving? Because there's certainly good news. A very small number of the breaches in our corpus are ever related to vulnerabilities. Rather than take that to mean that somehow vulnerabilities
Starting point is 00:08:37 are unimportant, I like to think of that that we're doing a good job of fixing vulnerabilities. And there's always going to be these shotgun type attacks when a new CMS content management system vulnerability comes out and there's the majority of people patch and some don't. For those of us that care about security, I think we're probably doing a good job. And we need to keep up doing what we're doing when it comes to vulnerabilities. Another area of improvement is in malware. The median amount of malware on an organization's worst day in the data that we got was seven pieces of malware on the worst day of the entire year. They got seven pieces of malware. And so organizations don't necessarily need to
Starting point is 00:09:16 sit and think, oh my gosh, malware is going to just be hitting me and hitting me and hitting me. It's like, even on the worst day, for most companies, the median company, it's not a whole lot. Most companies only have six or fewer days per year where they even receive any malware. Only less than 2% of companies receive malware even half the days of the year. A lot of these problems, we have a tendency in security to look at the worst case, look at the terabit attack, look at the thousands of hours a day. But that doesn't represent the median company. For the median company, the problem is, I think, within that realm where we can handle it. That's Gabriel Bassett from Verizon. The 2018 Data Breach Investigations Report is available on the Verizon Enterprise website.
Starting point is 00:10:04 There's growing alarm over ongoing exploitation of insecure Internet of Things devices. They've been deployed for years. Experts are concerned that neither policies nor the devices themselves are ready for threats that appear poised to weaponize IoT vulnerabilities and cause kinetic effects. Others warn that industrial control systems present distinctive problems. They may have vulnerabilities that render them susceptible to destruction and to malfunctions that could compromise safety as well as operations. The vulnerabilities in Cisco switches used by apparent hacktivists to deface Russian and Iranian sites is now being widely exploited against unpatched systems by Russian hackers,
Starting point is 00:10:47 mostly criminals. A High-Tech Bridge study suggests that the notoriety of named threat actors and well-marketed vulnerabilities is being used as misdirection by malicious insiders interested in covering their tracks. As in, hey boss, it was like that when I walked in. You think it was like that Spectre thing? We lost data? Wow, must have been that Fancy Bear you've been reading about.
Starting point is 00:11:11 Hey boss. Russian President Putin's advisor, Vladislav Surkov, Putin's Rasputin, sees 2018 as marking the end of Russia's attempts to turn westward, terminating aspirations that go back to Tsar Peter the Great. U.S. intelligence community insiders differ over whether the U.S. actually has the political will to punish Russia for misbehavior in cyberspace and elsewhere. Whether economic sanctions announced last week are hurting Moscow or not, they're being felt in London, where the city is nervous about disruption
Starting point is 00:11:45 to Russian investment. Many millions have found their way into London's financial exchanges, and for that matter real estate markets. If the oligarchs flee back to Russia, what becomes of those markets? And finally, what do cybercriminals actually do with the money they collect? It seems, according to a report by Bromium, that they spend their ill-gotten but untaxed gains on the kinds of things regular working stiffs and suits do—paying bills, buying gifts, purchasing disposable diapers, reinvesting in the business, and diversifying into stocks, bonds, and real estate. Bromium estimates that criminal big shots pull in up to $2 million a year,
Starting point is 00:12:26 good CEO wages. Middle management can make up to $900 million. Entry-level hackers make around $42,000, which, come to think of it, is better than a lot of journalists with some years under their belt. But kids don't turn to crime. In the long run, it doesn't really pay.
Starting point is 00:12:43 Bromium says they'll have more on this at RSA, but hey, how do they know? Who are you talking to, Bromium? Hmm. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:13:30 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:35 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:18 And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk today about clandestine data transmission and things like network steganography, how people are sort of hiding data in plain sight. What do we need to know about this? Well, this is an area that's really close to my heart, having sort of grown up in my research career, looking at network protocols and sort of how you construct networks. And it started to occur to me that as the protocols that we're using, the systems we're using in networking are getting more and more complex, the opportunities for people to utilize that complexity to hide information is increasing. And so what I'm starting to look at
Starting point is 00:16:06 now is how can we actually use things like the complexity inside the IPv6 protocol or the complexity that is enabled through software-defined networking as a mechanism to exfiltrate or send data in a clandestine way between two parties with a view that if we can get ahead and start to think about these we can create classifications and then mitigation approaches so that if the bad guys further down the line start to develop similar tools we've already got approaches that we think that we can use to disrupt that activity. And so we're not starting from scratch. It's really interesting the ways in which we can hide data quite robustly within the technology. Here at Lancaster, there's been a previous piece of work that looks at this that we
Starting point is 00:16:59 did and we published and that can be found on the web. But the other thing that I'm really interested in is the different rates at which we want to transmit information and the different uses. When you think about something like a command and control infrastructure for a botnet, that's not necessarily going to be very high bitrate. You just need to send small amounts of information to activate certain activities of the bots within the command and control infrastructure. But then if you want to wrap that up to maybe IP stealing and exfiltration from a network, you might need incredibly high data rates
Starting point is 00:17:31 over a very short amount of time to be able to get that data out. So it's not a kind of a one-dimensional problem. Some techniques that are very easy to hide are very low bit rates, so you wouldn't use that for large volumes of data exfiltration, potentially, whereas you might need to develop high data rate techniques. So that's the broad area that I'm very interested in. And where are we in terms of the ability to sniff out this sort of thing these days? So obviously we've got a lot of tools and techniques out there that are intrusion detection systems that will pick up a lot of this type of, the few of these types of techniques.
Starting point is 00:18:12 And certainly a lot of the older type of techniques such as hiding data within ICMP messages, for example, are easily detected and well known. But the advent of cryptographic techniques makes it harder to actually analyze the data. Where I'm interested is actually, can we develop tools and techniques which allow us to transmit information within effectively what is legitimate traffic? So even if we have the best tools and techniques out there to be able to spot this, the fact that it's legitimate traffic means it just makes it that much more harder. So one example of this could be sending messages to a range of IP addresses and underneath the control of a bad guy. And the reception of those messages to those particular IP addresses
Starting point is 00:19:07 would indicate a data exchange. But the messages that they are sending are just fetching legitimate web pages. And it's the ability to be able to chain that together and multiplex that, which can be really useful. And what we're seeing is now, you know, a lot of machine learning AI techniques to being developed to drive anomaly detection within network traffic. matching that is required in those complex cases of how do you align multiple IP addresses in a network communication which could send messages out of order and all these types of things to enable that data exfiltration. So it's really interesting to see the potential use of
Starting point is 00:19:57 these next generation techniques such as AI and machine learning on both sides of the attacker equation. Daniel Prince, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:20:39 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing
Starting point is 00:21:28 CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:21:44 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
