The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.
It's New Year's Eve, the perfect day to reflect on the year's best episodes of the Collective Intelligence Podcast. It also happens to be the 50th episode, so thanks for subscribing, listening, and sharing the podcast so far. Enjoy the recap: Flashpoint's Allison Nixon on SIM swap fraud (1:04); Troy Hunt on changing behaviors around password reuse (11:27); Marty Roesch reflecting on 20 years of Snort and growing a commercial company around security's most popular open source project (21:05); Patrick Wardle reliving research he did on synthetic clicks in macOS (31:10); Alex Klimburg discussing how ideologies shape conflict in cyberspace (38:41); Bruce Schneier talking about the need for public-interest technology (48:02); and Flashpoint's Eric Lackey sharing his experience and insight on mitigating the insider threat (58:05).
Flashpoint's Ian Gray and Max Aliapoulios discuss trends happening inside illicit underground online markets where everything from credit cards and personal information to drugs and other physical goods is sold. Ian and Max help characterize these markets, the impact of law enforcement and self-imposed shutdowns on the overall landscape, the ecosystem supporting these markets, and the trends we can expect to see emerging in the coming months.
Chris Cochran, threat intelligence lead at a media services company, shares his personal and professional journey to a career in information security and intelligence. Cochran, who co-hosts the secdevops.ai podcast, shares his unique career path, one that spans the military, public service, a startup, and now a major enterprise. He's an innovator in developing a culture inside the enterprise that embraces security, doing so by introducing unstructured play into the environment with a large degree of success. In the podcast, he describes how play helps train teammates, increase visibility, and remediate security gaps.
Longtime Fortune 100 CISO and current managing partner at DelveRisk Anthony Johnson discusses what it takes to drive information security culturally inside the enterprise and smaller organizations. Anthony explains the trends that helped elevate security to a C-suite and board-level discussion, why employees must be an extension of the security operation, and the consequences of the current security skills shortage in the industry.
In this episode of the Collective Intelligence Podcast, recorded during the recent Black Hat conference in Las Vegas, Alexander Klimburg of The Hague Centre for Strategic Studies discusses how the East—Russia and China specifically—don’t view cyber conflict and cyberwar as a battle for critical infrastructure, as the West might. Instead, regime change is the nightmare scenario in these regions, Klimburg said, adding that Russia is attempting to extend to the internet the Communist tradition of the information sphere being the dominant sphere of decision making. By changing the multistakeholder governance model to a multilateral one, Russia believes it would have more stable control over cyber.
Jeffrey Smith, managing partner of Cyber Risk Underwriters, explains why the adoption of cyber insurance is turning a corner and becoming a constant fixture inside enterprises, smaller companies, and even managed security service providers. Smith discusses how cyber insurance product options are improving, with input from a number of prominent security researchers and managers. He also discusses what current cyber insurance products look like, which industries are gravitating toward adoption, and why he believes it will someday soon be on par with the standard insurance businesses currently buy as a baseline.
Security researcher Mathy Vanhoef discusses two new vulnerabilities he and colleague Eyal Ronen discovered in the Dragonfly cryptographic handshake in the WPA3 WiFi protocol. The vulnerabilities, nicknamed Dragonblood, are a continuation of the research and additional security flaws in the protocol the two disclosed in April. The bugs include side-channel timing attacks and downgrade attacks that allow an attacker to leak memory from a client connection to a wireless access point and recover passwords through offline dictionary attacks. The Dragonblood attacks bypass mitigations in WPA3 designed to blunt these types of offline attacks. The vulnerabilities are design and implementation flaws that are being addressed by the WiFi Alliance. Vanhoef discusses his and Ronen's interactions with the group. He also looks back at the KRACK attack he developed three years ago against WPA2.
LAS VEGAS—Akamai Director of Security Strategy Tony Lauro table-sets the annual Black Hat hacker conference with a wide-ranging discussion about some of the threats facing private- and public-sector organizations. Lauro discusses the changing motivations of threat actors, and describes the challenges facing defenders caught between attackers motivated by profit, social change, or espionage. He also digs into the shifting trend of targeted ransomware attacks, how attackers are leveraging bots to carry out credential-stuffing attacks at scale to perform account takeovers, and how the sharing of threat data across industries needs to move beyond industry-specific groups.
Eric Lackey of Flashpoint discusses the risk to businesses and the public sector posed by privileged insiders. The insider threat—characterized by a rogue or disgruntled employee, or an accidental disclosure by an employee—requires a mix of technology and understanding of human nature to properly mitigate the risk to the bottom line. Lackey covers common risks posed by insiders, mistakes made by defenders trying to mitigate insider threats, and what it takes to successfully develop and implement an insider threat program.
Digita Security Chief Research Officer Patrick Wardle discusses a macOS Mojave vulnerability he recently disclosed whereby an attacker can abuse synthetic clicks allowed by the OS to spy on users, access private data, or install additional malicious code. Wardle disclosed the vulnerability during the Objective By The Sea conference in Monte Carlo earlier this month. He had previously disclosed the issue privately to Apple, which has yet to patch it but has introduced a temporary mitigation. The bug bypasses additional security protections Apple introduced in Mojave that specifically ban synthetic clicks unless the user physically clicks through and permits the action.
Flashpoint Director of Security Research Allison Nixon discusses SIM swap, a lucrative form of fraud that is turning profits for criminals and quickly gaining more attention from the security research community and law enforcement alike. In this podcast, Allison describes the machinations of a SIM swap scheme, starting with the criminals who cook up these capers and often recruit insiders at a telecommunications company to take part in these scams, to the places where the industry is coming up short in defending against it.
Peri Doerfler of the NYU Tandon School of Engineering discusses a recently published paper and research conducted by NYU and Google looking into the efficacy of login challenges in deterring account takeover attacks. The research examined a sample of 1.2 million users and 350,000 hijacking attacks and the success of things like knowledge-based challenges, on-device prompts, SMS two-factor authentication and more in holding off account takeover attacks.
David Maimon, an associate professor and director of the Evidence Based Cybersecurity Research Group at Georgia State University, describes work he and his colleagues did investigating the prevalence and availability of SSL and TLS certificates on the dark web. A paper published by the group explains the results and demonstrates a thriving market for SSL and TLS certificates, which in some of the leading underground markets are getting more interest than ransomware, for example.
Troy Hunt’s Have I Been Pwned website recently turned 5 years old, and for much of that time it has been the definitive place for computer users to determine their exposure from data breaches. Have I Been Pwned is also a model for usability in security, providing free and clearly spelled out answers as to whether account information has been compromised, where, and how. Hunt hopes that it and its sister service Pwned Passwords continue to be a catalyst for improved behaviors online. In this episode of the Collective Intelligence Podcast, Hunt discusses the brief but impactful history of his site, not only how it’s grown into one of the top 5,000 sites on the Internet, but also how many critical web-based services have integrated its data via an API to improve privacy and security.
Bruce Schneier, a cryptography pioneer, and fellow and lecturer at Harvard’s Kennedy Business School, has taken up the cause of public-interest technology and is trying to bring awareness to the current state of affairs, and to how not only security professionals but technologists in all fields can make a difference. In this episode of the Collective Intelligence Podcast, Schneier discusses how technologists can—and should feel an obligation to—make a difference. Schneier uses the analogy of public-interest law and would like to see technologists, beyond security and privacy professionals, carve out pro-bono time to assist marginalized communities or build software tools that are public-interest focused.
In this episode of the Collective Intelligence Podcast, Kris Mansson, chief executive officer of technology company Silobreaker, explains how organizations are struggling with unmanageable volumes of security data, and their desire for context around that data in order to make better decisions about threats to their networks, resources, or people. Even with threat intelligence platforms or security information and event management systems, organizations can still be overwhelmed by security alerts and data culled from dozens and dozens of sources. As Mansson said, “Now it’s a prioritization game.”
Dr. Avi Rubin, professor of computer science at Johns Hopkins University and technical director of the JHU Information Security Institute, explains the challenges associated with securing IoT devices, and the strides companies such as Harbor Labs, founded by Rubin, are making in analyzing IoT firmware for flaws. Rubin also addresses whether IoT is the unsolvable problem in security, how legislation may impact manufacturers and distributors of connected devices, and whether the Mirai botnet and malware is the IoT equivalent of the Morris worm. Rubin wraps up the discussion with some insights into another area of his expertise, election security. He discusses influence operations against our elections and whether paper ballots are the safer alternative to electronic voting.
Flashpoint Director of Americas Research and Analysis Ian Gray discusses the proliferation—or lack thereof—of cryptocurrency usage and interest among cybercriminals operating in Latin America. While some criminal elements do cash out or mine cryptocurrency in the region, a lack of legal oversight and technical sophistication makes legitimate payment processors viable options. Gray and co-presenter Carles Lopez-Penalver of Chainalysis presented on the topic this week at RSA Conference 2019 in San Francisco.
Verodin CTO Colby DeRodeff talks to Mike Mimoso about his company's new Threat Actor Assurance Program and partnership with Flashpoint. DeRodeff explains the need for threat intelligence to support an examination and evaluation of an enterprise's security controls against advanced and commodity malware and exploits.
Flashpoint Director of Research Chris "Tophs" Elisan discusses the development and business structure behind the GandCrab ransomware. Elisan, along with co-presenters from Microsoft and F5 Networks, discussed GandCrab and other malware and exploits turning a profit for criminal gangs during a talk this week at RSA Conference 2019 in San Francisco. Hear Elisan describe the evolution of GandCrab, services and partnership aspects to the operation, and the profits generated from these attacks.
The Electronic Frontier Foundation has been an advocate for encrypting not only web-based connections between clients and webservers, but for encrypting all internet traffic. Dr. Jeremy Gillula, tech projects director for the EFF, joins Mike Mimoso for a discussion about the technologies and directions required to ensure that encryption of internet traffic is the default moving forward. In this podcast, you'll hear about how industry collaboration led to the development and growth of Let's Encrypt, a CA distributing free SSL certificates, as well as how mainstream awareness of surveillance post-Snowden is driving adoption of encryption technology. Finally, Jeremy and Mike discuss how email, server, and DNS encryption are the next hills to climb in this effort to secure all internet traffic.
Snort creator Marty Roesch is leaving Cisco Feb. 1 for a new adventure, parting ways for the time being with one of the true success stories in the information security industry. Snort, the ubiquitous open source intrusion detection and prevention system, is a mainstay in many homegrown and commercial security products. It was commercialized in 2001 when Roesch founded Sourcefire, which was acquired in 2013 by Cisco. In this conversation with Flashpoint Editorial Director Mike Mimoso, Roesch talks about the early days of Snort when it was a nights-and-weekends passion project for him. Roesch explains how his faith in the product and the community supporting it guided him past early skeptics who doubted it could be commercialized. Sourcefire was ultimately acquired for $2.7 billion in 2013, and Snort's open-source roots remain a crucial part of the software's legacy as it has been integrated into many mission-critical products at Cisco.
Flashpoint Director of Research Vitali Kremez explains the links discovered between malware used to attack the Chilean interbank network Redbanc and North Korea's Lazarus Group. The state-sponsored attack took place in December and was recently disclosed. The attackers used social engineering to lure a Redbanc employee into installing the malware, which allowed the APT group to examine the user's access and burrow deeper into the network.
Flashpoint Director of Security Research Allison Nixon discusses the recent takedown of 15 domains associated with DDoS-for-hire booter and stresser services. The takedown opened an important new legal avenue for law enforcement to take action against these harmful services, which in the past hid behind the notion that they were not responsible for the actions of those who bought them.
Michael Tiffany and Ryan Castellucci of White Ops discuss the recent takedown by law enforcement of the 3ve ad-fraud operation. 3ve was a sophisticated and expansive operation responsible for tens of millions of dollars in losses due to fraudulent ads. Michael and Ryan talk about specific tactics used by the fraudsters, the collaboration required to take down the operation, and what lessons the online ad industry can take from this.
Flashpoint Director of Research Vitali Kremez discusses the activities, capabilities, and victim targeting associated with the Magecart cybercrime group. Flashpoint and Risk IQ partnered on a research paper called "Inside Magecart" that exposes the inner workings of the seven groups that make up this criminal collective. In this podcast, Vitali talks about the group's use of digital skimmers to steal payment card data, how the data is monetized on the Deep & Dark Web, and why it's important that security researchers collaborate on such initiatives.
Software security expert Gary McGraw discusses the recently released Building Security In Maturity Model report. BSIMM 9 includes contributors from 120 enterprises worldwide, and is used as a measurement tool to evaluate software security practices and identify trends in the practice. Gary also comments on the current state of supply chain security, and how companies should be working with vendors on the transparency of software security provided by third parties.
Flashpoint senior malware analyst Ronnie Tokazowski and Editorial Director Mike Mimoso discuss Ronnie being honored with the JD Falk Award for his work in getting the BEC List off the ground. The BEC List is a 530-member working group dedicated to stopping business email compromise attacks; to date, information from this group shared with law enforcement has led to more than 100 arrests and stopped millions in fraudulent wire transfers.
In this episode of the Collective Intelligence Podcast, Harvard fellow and IBM Resilient CTO Bruce Schneier talks about his new book "Click Here to Kill Everybody." The book covers the risks around connecting everything to the internet and why regulation and learning from previous technological revolutions may be the only solution to a worsening problem.
In this episode of the Collective Intelligence podcast, Ken Modeste, the director of cybersecurity and connected technologies at UL, explains how his organization is doing its part to explain these risks and establish cybersecurity standards for connected devices in order to ensure public safety.
In this episode of the Collective Intelligence Podcast, Matt Wixey of PwC talks about some research he’s done on what he calls ROSE, or Remote Online Social Engineering. The twist on ROSE is that it’s a long-term social engineering attack, almost a variant of catfishing, with the ultimate goal for an advanced attacker to compromise a targeted network.
Billy Rios of WhiteScope LLC talks about medical device security, focusing on vulnerabilities in Medtronic implantable cardiac devices. At Black Hat, Rios and Jonathan Butts delivered a talk on vulnerabilities in pacemakers and insulin pumps. They also described how dealing with the manufacturer has been a challenge in remediating these vulnerabilities.
MacOS security researcher Patrick Wardle talks about some recent research he did into macOS firewalls and discloses some of the architectural issues and resulting limitations present in both the native firewall and commercial products.
In this episode of the Collective Intelligence podcast recorded at Black Hat, Chad Seaman, senior engineer on the security intelligence response team at Akamai, explains the importance of collaboration and sharing of threat intelligence, even among companies that compete for the same customers.
In this episode of the Collective Intelligence podcast, New York Times senior director of information security Runa Sandvik explains the importance of championing relationships with the Times’ newsroom and how important it is for her team to enable reporters and editors to do their job securely, protecting not only their sources, but in some cases, their physical safety as well.
Flashpoint Editorial Director Mike Mimoso talks to Flashpoint Senior Malware Analyst Ronnie Tokazowski about the first-year anniversary of the AlphaBay takedown. AlphaBay was the largest illicit market operating on the Deep & Dark Web (DDW) and it was shuttered on July 20, 2017 by Dutch law enforcement. Ronnie and Mike discuss the days leading up to the takedown and the impact since on the underground economy.
Flashpoint Editorial Director Mike Mimoso talks to Director of Intelligence Asia-Pacific Jon Condra about the 2018 mid-year update to the Flashpoint Business Risk Intelligence Decision report. The report is a snapshot of the first six months of the year, covering trends and risk to business related to cybersecurity, the cybercrime criminal underground, geopolitics and disruptive threat actors. It helps security and risk professionals strategize and prioritize for the remainder of 2018.
Flashpoint Editorial Director Mike Mimoso talks to Craig Williams, Director of Talos Outreach for Cisco Talos, about the VPNFilter attacks. This state-sponsored attack infected more than 500,000 routers and network-attached storage devices in 54 countries, largely setting the stage for future targeted attacks primarily in Ukraine. The FBI, along with Cisco Talos' disclosure, put a significant dent in the VPNFilter operation by seizing a command-and-control domain associated with the attack. But infected devices are not out of the woods, and need to be updated or, at a minimum, rebooted.
Flashpoint Editorial Director Mike Mimoso talks to director of research Vitali Kremez about the recent leak of the TreasureHunter point-of-sale malware and builder source code, as well as the MaxiDed bulletproof hosting provider takedown. Both events figure to have some impact on cybercrime activity. The TreasureHunter leak is somewhat unique because source code for the malware payload and configuration is rarely leaked alongside its builder. This could simplify matters somewhat for criminals on the underground who wish to build variants of TreasureHunter. Flashpoint worked in collaboration with Cisco Talos on this disclosure, and Talos provided updated Snort rules and ClamAV signatures to the public. The MaxiDed takedown puts a huge dent in the underground cybercrime infrastructure hosting world. Known for hosting the infrastructure of numerous nefarious groups, including Carbanak and others, MaxiDed is an example of the need for continued international cooperation among law enforcement and private sector researchers.
Flashpoint Editorial Director Mike Mimoso talks to Akamai CSO Andy Ellis about the company's zero-trust implementation, which treats every application, user and device as an external entity. This has been a multiyear process for Akamai, one of the world's largest content distribution networks. Andy and Mike talk about how Akamai moved its security controls away from traditional perimeter-based protection and how Akamai can see a day soon when its users will no longer need passwords to access corporate resources.
Live from RSA Conference 2018, Flashpoint Editorial Director Mike Mimoso talks to intelligence analyst Liv Rowley about her presentation on the Spanish-language cybercrime underground. Liv provides her characterization of this segment of the cybercrime dark web with a particular focus on the Cebolla Chan forum. Liv has studied this forum for quite some time, and brings insight into the type of activity and sophistication on Cebolla Chan, what happened during an 18-month period of inactivity that ended last month, and what defenders need to consider when in the crosshairs of those active on the forum.
Question: What do you get when you connect a bunch of friends who have worked in or written about security for a long time over a few drinks and fried chicken? Answer: A 62-minute dissection of the RSA Conference, security buzzwords, marketing missteps and lots more that's top-of-mind in the industry. This semi-annual podcast was recorded this week in San Francisco during the RSA Conference and features Flashpoint's Mike Mimoso and Jennifer Leggio, Decipher journalists Dennis Fisher and Fahmida Rashid and Tendermint head of security Jessy Irwin. Up for discussion is a wide array of topics starting with blockchain and its applicability—if any—for information security, as well as privacy, the impending GDPR deadline, hardware bug disclosures, RSA Conference and how to do security marketing correctly without introducing more harm or risk.
Flashpoint Editorial Director Mike Mimoso talks to Eva Galperin of the Electronic Frontier Foundation (EFF) about the high stakes of online privacy, defending human rights, and protecting vulnerable populations against surveillance and censorship.
Flashpoint Editorial Director Mike Mimoso talks to security expert, cryptography pioneer and author Bruce Schneier about the security and privacy implications of rampant data collections by organizations. Mike and Bruce also discuss whether market pressure can impose a change on these practices, or if legislation is the inevitable outcome. Bruce also discusses how privacy has changed in recent years and how younger generations have "different defaults" when it comes to sharing personal information.
Flashpoint Editorial Director Mike Mimoso talks to Flashpoint analyst Paul Burbage about the recent compromise of more than 1,000 Magento ecommerce platform admin panels. Threat actors used brute-force attacks to access sites guarded with default or known credentials. Once they had access, they were loading data-stealing malware and cryptocurrency mining software onto Magento-powered sites. Paul talks about the research and what site admins should be doing to counter this threat.
Flashpoint Editorial Director Mike Mimoso talks to director of research Vitali Kremez about the arrest of the leader of the Carbanak cybercrime gang. Carbanak was responsible for more than $1 billion USD in losses, and the arrest is a victory for international law enforcement and cross-jurisdictional cooperation between authorities. Mike and Vitali talk about the effects of such a high-profile arrest not only on Carbanak but also on the rest of the cybercrime underground, as well as the tactics, techniques and procedures employed by Carbanak in their operations.
Flashpoint Editorial Director Mike Mimoso talks to Chad Seaman and Lisa Beegle of the security intelligence response team at Akamai about the recent and record-setting memcached DDoS attacks. The attacks leveraged memcached servers that were exposed to the internet and topped out at well more than a terabit per second of traffic used to take down targets. The volume of traffic used in these attacks is the highest seen in publicly reported attacks, and Chad and Lisa were among the first to investigate and report on them.
Flashpoint Editorial Director Mike Mimoso talks with Flashpoint senior malware analyst Ronnie Tokazowski about the staggering fraud attributed to business email compromise and what can be done about it. BEC has cost businesses billions of dollars in losses in the last half-decade, according to the FBI, and Ronnie goes into some detail about why these scams work through effective social engineering, phishing and stolen credentials. They also discuss the lifecycle and different stages of BEC, and the layers of collaboration and cooperation needed between authorities worldwide to get in front of this type of fraud.
Flashpoint Editorial Director Mike Mimoso talks to Mac malware expert and researcher Patrick Wardle about his involvement in investigating two pieces of malware targeting the Mac platform since the start of the year. Wardle, chief research officer at Digita Security, recently published his research into CrossRAT, a cross-platform Java-based implant used in a global espionage campaign, as well as MaMi, a MacOS DNS hijacker. MaMi replaces the root certificate on a Mac machine and redirects traffic to an attacker's server. Wardle discusses both with Mike as well as a bigger discussion on some of the continuing misperceptions about the security of Mac computers.
Flashpoint Editorial Director Mike Mimoso talks to Gary McGraw, vice president of security technology at Synopsys and one of the pioneers of software security. Mike and Gary discuss Synopsys' recent CISO Report, which identifies four approaches to the chief information security officer role in the enterprise. The report provides security executives with data culled from interviews with CISOs at 25 large companies, identifying key characteristics and discriminators, and providing some insight on career development and progression. Gary and Mike also discuss how quickly information security has become a mainstream topic and part of the fabric of everyday life.