Hacktivists claim to perform a public service. Once and Recorded Future ransomware. Attribution controversies. Disturbing toys.

Dave Bittner: [00:00:01:17] Hacktivists turn to defacement. They say they're performing a public service. Recorded Future takes a close look at ransomware's likely course in 2017. ISIS exposes itself online. Attribution controversies, the good, the bad, and the ugly. And would you hug Skynet, if it looked like Teddy Ruxpin?

Dave Bittner: [00:00:26:22] Time for a message from our sponsor, Netsparker. Are your security teams dealing with hundreds of vulnerability scan results? Netsparker not only automates scanning but it verifies the exploits it finds too. Reduce alert fatigue and improve security with Netsparker. Not only will your protection improve but your costs will drop and that's a good deal in any one's book. Netsparker's automated approach to web application scanning lets your security team concentrate on the things best left to the human beings. Find out more about Netsparker Desktop and Netsparker Cloud. Whether you're pen testing or securing your enterprise online, you'll find what you need at netsparker.com. And check this out. You can try it out for free with no strings attached. Go to netsparker.com/cyberwire for a 30 day, fully functional version of Netsparker Desktop. And by fully functional we mean, yes, really, really, actually, truly fully functional. Scan the websites with no obligation. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:38:01] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 4th, 2017.

Dave Bittner: [00:01:48:01] In separate incidents HackRead is reporting that hacktivists hit both Philippine military sites and the Google Brazil domain. In both cases their declared intention was to warn people about the need for better security. In the Philippines, someone with the handle “Shin0bi H4x0r” told the Army it was pwned by me and warned, "Fix your security or I will be back."

Dave Bittner: [00:02:10:12] In the Brazilian case, one Kuroi’SH gave both a shout out to his friend Shin0bi and a sneer in the direction of rival Nofawkx as he kept a defaced page up on Google Brazil for about half an hour. Kuroi'SH told HackRead that Google Brazil was defaced to show the world everything can be hacked and we should not underestimate our security risks.

Dave Bittner: [00:02:32:24] So, okay, although one thinks the point might be better made without inconveniencing users and subjecting them to a picture of two anime teens in all their large-eyed glory.

Dave Bittner: [00:02:43:01] One might, for example, consult some recent reports on threat trends. Recorded Future published an interesting one a few hours ago dealing with ransomware and what we should expect from it in 2017. Their conclusions stand in contrast to predictions McAfee Labs made in November to the effect that ransomware had peaked and might be expected to decline in 2017, which on the face of it isn't an irrational prediction, given falling criminal profits and more widespread understanding of how to prevent and recover from ransomware attacks.

Dave Bittner: [00:03:13:23] But Recorded Future's report suggests that ransomware will continue to grow in the current year. They offer several predictions that are worth reviewing.

Dave Bittner: [00:03:22:02] First, ransomware will become just another tool in the hacker utility belt. It will be useful for distracting defenders from more serious attacks, as we've seen DDoS used. So large criminal organizations will use it for both profit and misdirection. A Carbonite study of ransomware reaches a similar conclusion about this sort of attack's utility as a smokescreen and distraction.

Dave Bittner: [00:03:44:00] Second, we’ll see more attacks designed to publicly shame the victims. The public shame is designed to force quick payment of ransom.

Dave Bittner: [00:03:52:08] Third, we can expect ransomware to become stealthier, more examples of ransomware using no executable as a means of evading detection.

Dave Bittner: [00:04:00:21] Fourth, Ransomware spam campaigns will target the security of webmail providers. Webmail is complex and offers an attractive attack surface. Ransomware can be expected to follow the same path here as other spam attacks.

Dave Bittner: [00:04:14:11] Fifth, a contrarian prediction. There will not be any ransomware IoT campaigns. It's too easy, the researchers think, to wipe or replace IoT devices and so there's less incentive to pay.

Dave Bittner: [00:04:27:13] Related to the last is the sixth prediction, similarly, there will not be a Mirai-style botnet installing ransomware.

Dave Bittner: [00:04:35:08] Finally, if there is a decline in ransomware it will be because of law enforcement action. So support your local police and if you're in the US, get to know your regional FBI office.

Dave Bittner: [00:04:46:09] The Daily Beast has an account of how Islamist exploitation of social media and other online platforms for information operations has proven a proverbial double-edged sword. It's been undeniably successful for recruiting and inspiration but it's also been risky for the Caliphate's information operators. Many leaders have been targeted when their phone chatter exposed their location and ISIS dependence on the Internet for its own version of command and control has enabled the civilized world to collect a great deal of actionable intelligence about the terrorist group. Unfortunately effective inspiration needs only a few receptive minds, or what FBI Director Comey characterized as "a few screwed up individuals," to inflict the suffering and sorrow recently visited on Berlin, Baghdad, and Istanbul.

Dave Bittner: [00:05:34:04] The first week of 2017 continues to see skeptical takes on various attributions. The conclusions being called into question range from the debunked, like the hacking of the Vermont power grid, through the newly controversial, like the Russian malware-enabled counterfire against Ukrainian guns, to the generally accepted, like Russian intrusion into US political party networks.

Dave Bittner: [00:05:56:11] KrebsOnSecurity has a particularly good round-up of the grid-hack-that-wasn't, with a reflective account of how the story gained currency.

Dave Bittner: [00:06:04:16] Taia Global's Jeffrey Carr calls bunkum on CrowdStrike's "Danger Close" report on Android X-Agent targeting of artillery positions. He promises more details at the upcoming Suits and Spooks conference. In the meantime SecurityWeek says that CrowdStrike stands by its report. It's an interesting and complex case. We hope to learn more about it in the near future.

Dave Bittner: [00:06:27:06] And many observers continue to express disappointment over the level of detailed evidence contained in the FBI-NCCIC Joint Analysis Report on Fancy Bear's election hacking. Many of those same observers also note the difficulty of making such a case without disclosing more about sources and methods than the Intelligence Community would find it prudent to reveal.

Dave Bittner: [00:06:49:06] One overarching lesson to be drawn, perhaps, from these various attribution controversies is that it's rare that any threat actor is in sole possession of the attack code they use. The Neutrino exploit kit, for example, may well have figured in Fancy Bear's bag of tools. But it's in a whole lot of other bags of tools as well.

Dave Bittner: [00:07:09:01] And finally, there's a fresh horror out there in the Internet-of-Things. Sean Gallagher writes in Ars Technica about a proof-of-concept for a grim connected toy he developed. As he put it, quote, "I had an idea to connect a speech-driven AI and the Internet-of-Things to an animatronic bear, all the better to stare into the lifeless, occasionally blinking eyes of the Singularity itself with," end quote. So he took a 1999 edition of the Teddy Ruxpin animatronic bear, equipped it with a Raspberry Pi and slaved the unholy monster to Amazon Alexa, with predictably disturbing results.

Dave Bittner: [00:07:46:08] As one commenter on the Ars site put it, quote, "A huggable Skynet on every kid's pillow. Aw, that's so sweet," end quote. But that's not the freshest hell, friends. It was left to Gallagher's competitor, Brian Kane of the Rhode Island School of Design, to penetrate the real heart of darkness. Kane connected Alexa to Billy the talking Big-Mouth Bass, a man-cave artefact whose morbid tackiness rises almost to grandeur. The horror, the horror.

Dave Bittner: [00:08:21:19] Time to take a moment to thank our sponsor, Cylance. Are you looking for something beyond legacy security approaches? Of course you are. So you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:15:04] Joining me once again is Malek Ben Salem. She's the R and D Manager with security at Accenture Labs. Malek, you wanted to talk today about deep learning for cyber security.

Malek Ben Salem: [00:09:25:08] Yeah, so there has been a lot of talk about deep learning and issues for cyber security lately and whether it's a suitable approach for the cyber security domain. Well, as you know, deep learning is an area of artificial intelligence which deals with vast quantities of data. It's not new. Some people say deep learning is just a buzz word or a re-branding of neural networks and that's to an extent true. But while neural networks are not-- have been out there for a long time, they have been used in a very limited way. They've been used with only one layer, one internal layer of neurons. What we're able to do today with the new developments and technology, with the abundance of data and multiple GPUs available, we're able to revisit that and implement neural networks with several input layers and that's what constitutes deep learning.

Malek Ben Salem: [00:10:32:23] And the approach, meaning deep learning, has been successfully applied in various domains, such as computer vision and voice recognition. So it has some potential in cyber security.

Dave Bittner: [00:10:49:10] My understanding of deep learning is that, you know, the systems themselves, rather than, than, you know, telling the systems what to do, the-- you rely on the system to kind of, you know, figure out what to do on its own. And so that can lead to novel approaches to problems?

Malek Ben Salem: [00:11:06:21] Exactly. So, one of the promises of deep learning is that it replaces the manual selection of features with efficient algorithms for unsupervised learning so that you don't have to tell the algorithm what are the right features to model but it should be able to learn on its own what are the right features. It can extract them autonomously and also the other difference that deep learning brings is a way of hierarchical feature extraction which is not the case for the existing machine learning algorithms.

Dave Bittner: [00:11:47:03] And dig into that for me a little bit. What do you mean by hierarchical feature extraction?

Malek Ben Salem: [00:11:50:24] So, for example, let's think about computer vision. The way people recognize the contents, or understand what's in a picture, is complex, right? We first recognize an overall shape, the shape of the main object within the picture, and then we may then recognize certain details from in that picture, to be able to tell exactly what that picture con-- entails. That's what deep learning does is it, it mimics that same way of recognition. So it may recognize the main object and then it may recognize the edges of that object. Then it may recognize later on certain specific features within the object. So it's very similar to the way the human mind works as well.

Dave Bittner: [00:12:44:09] So how do we apply deep learning to cyber security?

Malek Ben Salem: [00:12:47:15] So it has been actually applied already in, in certain problems for cyber security. It has been implemented by Symantec, for example. Another smaller start-up cyber security company, by the name of Deep Instinct, is also implementing deep learning to recognize malicious files. It's being currently tested for network intrusion detection and detection of DDoS attacks. But results, at this point, you know, are promising but are similar to existing machine learning algorithms. The point is, with deep learning, is that it requires a lot of data. So wherever we have a lot of data, that's where it shines. And another promising application for it could be for-- with spam filtering and spear phishing. So I expect that it will be applied successfully to solve that problem as well.

Dave Bittner: [00:13:50:16] Malek Ben Salem, thanks for joining us.

Dave Bittner: [00:13:55:01] And that's the CyberWire. For links to all of today's stories, along with the interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, and special thanks to our sustaining sponsor, Cylance. Learn more about how Cylance prevents cyber attacks at cylance.com. If you enjoy our show and find it a valuable part of your day, we hope you'll leave us a review on iTunes. It's one of the best ways you can help us spread the word.

Dave Bittner: [00:14:21:00] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.