
Fears are raised about cyber bioterrorists, there’s a widespread blackout for IoT devices caused by a cloud cock-up, and what role do strippers play in a revamp of the United States’s computer crime laws?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
And don’t miss our featured interview with Steve Salinas of Deep Instinct, discussing ransomware.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
All right. Hi, everybody. Carole here from Smashing Security. Something a little different this week. We have had quite the year. So Graham and I have decided that any monies we receive via Patreon during the month of December 2020 will go directly to our local food bank. We're doing this because there are a lot of people that are hungry and it's getting cold out there and it's Christmas. If you're not a Patreon supporter which is totally fine, I do urge you to look at your communities to see how you might be able to help bring a little bit more joy this season to those that are having a hard time. And lastly, just a huge thank you for all your support this year, it has meant the world to us. Now let's get the show on the road. So hang on, hang on, there's a website, yes, put together by some guy scientists. I've seen the people that make websites, I'm already scared. And then they send you DNA in the post?
Smashing Security, Episode 207. Cyber Bio Warfare, Giant Ladybugs and Strippers with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, Episode 207. My name's Graham Cluley.
I'm Carole Theriault.
And we're joined this week by Mark Stockley again. Hello, Mark.
Again. Yeah, yeah, Jesus. Well.
And here's Mark. Again. Now, Mark, after your last appearance on the show, you had a bit of feedback on the old Twitters, didn't you?
I did. I did. Yes. Somebody wanted to tell me that I was the poshest sounding guest you've ever had.
What? What, one party told you that?
Yeah. It must be 100% true. Well, it's good enough for a marketing survey. It's good enough for me.
Well, thanks to Mrs. Stockley for leaving you that message.
Very good of her. It was a real surprise, but you have some very, very illustrious guests like BBC journalists and, you know, serial chess world champions and things like that. And so I felt like that was something I could cling on to. At least I felt that way until you piped up and said, actually, he's not the poshest sounding guest we've ever had because we've had Dr. Jessica Barker on.
Well, we are going to have a second inaugural live stream party. We're going to do it Thursday, 17th of December. And it's going to be our little pre-Christmas party on YouTube. So, Graham and Carole talent and friends, maybe, Mark, you would like to join us as a friend, but you might have to perform. We're talking to people who are thinking about doing songs or street dances. So, just saying, high caliber. I can sound reasonably posh. Yes. Or maybe you could just bring a chicken along. That'll work. Okay.
Yeah. So, if anyone wants to pre-register for this or find out more, all you have to do is go to smashingsecurity.com/live. And as Carole said, it will be on December the 17th, Thursday, December 17th at 8 p.m. UK time. And what other times around the world, Carole?
Can you not do the math? 3 p.m. Eastern Standard, noon Pacific. People can work it out. Same time as last time.
Okay. Well, I think we know what talent you're going to be showing off. Okay, that's fabulous. So what else is coming up on the show this week, Carole?
Well, first, let's thank this week's sponsors, Deep Instinct, CultureAI, and LastPass. Their support helps us give you this show for free. Now, coming up on today's show, Graham is going to scare us with research on cyber biological attacks. Mark laments a broken smart vacuum, and I find out why the US Supreme Court is talking about the Computer Fraud and Abuse Act. And we also have a featured interview with Deep Instinct's Stephen Salinas. We do a deep dive into ransomware and how it's impacting us all in 2020. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, have you ever been accused of releasing some kind of biological weapon into the atmosphere?
I'm so bored of these ridiculous questions. Yes. Interesting. Okay. Well, I've been thinking about this, and certainly there is a lot of concern out there that bioterrorists may begin to get up to all kinds of shenanigans.
Now, one of the most interesting groups of researchers who I've come across in my years of investigating cybersecurity are the boffins at Ben-Gurion University of the Negev over in Israel. They produce some of the most fascinating and wacky, crazy bonkers security research that's going. What? Yes. Okay, so I need you to explain this to me like I'm five. Tell me how this would work.
Well, what they're saying is that they have found a way of compromising a synthetic DNA supply chain. Okay, again, I still am not following. Hang on, hang on.
No, no, no, no, no, no, no, no, no, this is actual DNA. This is real DNA.
Yeah, he got this from the Daily Mail, so it's definitely.
Not just the Daily Mail. I also, I'm sure you read about it this week in Nature Biotechnology Magazine.
No, not in my reading list. You didn't pick that up? I'm still on last week's. I haven't got to this week's yet.
Now, you might have imagined in the past that a bad guy would have to get their hands on a dangerous substance such as a toxin or some kind of poison or biological virus to produce and deliver it to an unsuspecting world.
No, I'm not imagining that. I still don't understand what synthetic DNA is. We're going to come to that. We're going to come to that. I'm just saying, I'm just correcting you. I'm not imagining. It's Bitcoin. I'm telling you, it's Bitcoin. This is going to be a Bitcoin story.
He passed out.
You probably had to work hard to produce them yourself, didn't you?
No, he does quite easily, to be honest. Just eating some sprouts. Well, here's the thing, right? In the old days, making genes. So genes are made up of DNA, right? We're not talking Levi's here.
I do not, yeah. It's very odd, isn't it? G-A-T-C. I'm not sure how that works.
You upload the DNA sequence you want and you order however many genes you want online. So it's just like making any other online order.
So hang on, hang on. There's a website put together by some guy.
Scientists. I've seen the people that make websites. I'm already scared. You type in A-T-G-C-T-G. Or cut and paste. And then they send you DNA in the post.
Yeah, they send you the genes according to the sequence that you've requested.
Okay, I give up. I give up. It arrives. It arrives a couple of weeks later in the post.
We've gone too far. We've gone too far. Stop.
Well, I imagine it's some receptacle containing genetic material or something.
What, in a syringe? Well, I don't know. Is it just an organ? Just an organ that no one's ever seen before. Like a placenta or something. Is it refrigerated? I don't know why you're making this sound so complicated. Because the powers that be are worried about how simple this is.
Hang on. Hang on. Hang on. So these guidelines, step one on the guidelines is obviously don't make a website where somebody can type in some words and they get biotoxins.
Well, right, is that? I mean surely yeah, you'd think that as you were typing in your sequence they might go stop right there mister, well that's not a good one.
So let me tell you what they do right, because in some ways, what would you rather they did? Would you rather they wrote it in crayon and put it in the post to people? Imagine the transcribing of that. That could go terribly wrong as well, wouldn't it? What's wrong with using the web? Hang on, I don't even understand why we're debating a service whereby some random person just randomly writes something out and then they get the thing, like the organ comes in the post.
Can I explain what the first screening test is?
The first screening test is who the hell do you think you are ordering synthetic DNA, right?
Oh, well, that's a relief because those work really well.
So they ask you your name, contact information, billing and shipping address. And they also ask some other questions. If you answer these kind of questions incorrectly, it rings a few alarm bells. Yes. I'm guessing this site was online, alive and kicking before these regulations came into place?
Oh, no, these regulations have been in place for about 10 years.
All right. So this is how the environment tries to control who gets their hands on synthetic DNA. This is how it's done right now. Although, sadly, not all websites which are producing synthetic DNA are following these guidelines at the moment. I hate this. It's 2020. We're all having a hard year. And now you've just added another layer of complexity.
Let me reassure you, because there's now a second screening you have to pass. So once you've convinced them that you have a legitimate request, the next thing is, what on earth do you want?
Oh, my God. So I wonder if someone was trying to get weed killer, right? And they're putting the sequence for some kind of, why would you have a DNA weed killer? Who knows? But if you did...
Then it might try. I don't know. I feel like I've detected a flaw in this plan. Well. A lot of these things are dose dependent, aren't they? It's like if you take too much salt, it will kill you. Can I order a ladybug, but one that's nine feet wide?
Well, I wouldn't worry about that. She's not going to get into your house. What if she was nine foot long?
Are you telling me Amazon don't have cardboard boxes for that? Because I'm telling you you're wrong.
So what? So they basically encrypt it and then slip it through?
Well, encrypted is the wrong term,
But it was something which would effectively emulate the same sequence of characters, although it didn't look the same. So it would muddle it up, but you'd get the same result.
So like steganography?
Yeah, maybe in a way. So how can they inject their toxic, nasty, malicious DNA sequence into one of these systems? What they're talking about is they could actually infect legitimate laboratories who are asking for synthetic DNA with a browser plugin. So if they managed to install a browser plugin, when the scientists cut and paste their DNA sequence, they could actually intercept that and inject some of their own nasty DNA in there as well. And in their tests of 50 obfuscated DNA samples, 16 of them were not detected. So around about a third of all of their attempts were successful at sneaking effectively malicious toxic DNA past the screening, which could then end up in the hands of people.
Yeah, but they weren't actually using toxic DNA sequences, presumably, right? So they basically obfuscated DNA samples and said, does this get passed or not?
No, I think they looked at the databases, which they felt were out of date, and they found the toxic pathogens, and they obfuscated those, and they put them into the requests, and they went through and they passed the tests.
Oh, great. So we now have a research team with 16 toxic DNA sequences.
Great. They're Israeli students. We can trust them.
I don't feel I've learned very much at all, really. But thank you. It was entertaining. I'll put links in the show notes. Thanks. Mark, what's your story for us this week? I'm sorry, I'm still terrified. I'm going to start with a question. So what would you do if your hoover stopped working?
Panic.
When? Who cares? I don't know. Buy a new one.
That was a first world answer. Go away, buy a new one. Unlike you, I would get in there. I enjoy doing that, actually, cleaning a vacuum cleaner, unplugging it from some mat of hair somewhere.
I think when I was a student and I had a vacuum cleaner, it never really occurred to me to empty the vacuum cleaner. So they just naturally stopped working on the three times during the year that we used it. Do you think I'd replace the battery in the doorbell? Yeah, or the piece of string.
Well what about your lights? What would you do if your lights didn't turn on? Headlamps, start a fire, turn on the oven.
No, I think the fuses have gone.
Okay, poltergeist. Of course, the mistake of saying, have you tried turning it on and off again, which is the wrong way around. That's a mistake.
If they said no, then you have to say, aha, I've diagnosed the problem. We need to turn this thing on, baby.
Funny. If they see a brief flicker and then it goes dead, then it was off in the first place.
No.
Oh, this is all smart tech stuff, isn't it? Lights that wouldn't turn on.
Very clever.
Yeah, yeah, yeah. And basically a bunch of mysterious technical issues, apparently unrelated. And of course, as Carole has guessed, what all of these things had in common was that they are all modern internet connected smart devices or what we like to call part of the internet of things. So in other words, they are part computer. Now, unfortunately, what was affecting these devices is that the computer part was on the fritz. And so like all computers, when they break, as we just discussed, what you need to do when it breaks is you just need to turn it off and on again.
Right.
Yeah. But there was a problem.
Okay. Because these things were all part of the Internet of Things. So they're Internet connected devices.
Well, yes, you don't have the plug for that, do you? Someone else does.
So yeah, but if your router goes down, it would impact all these things. Or your router. Sorry, I was trying to be posh there.
All the routers went down at the same time, that would be something else. This isn't some guy whose Hoover stops and his light switch.
Something has gone wrong with the cloud. And when something goes wrong with the cloud, you have to talk to Amazon.
Right.
Because in this case, the part of the cloud that failed was actually an Amazon service called Amazon Kinesis, which is one of thousands of Amazon cloud services that you've probably never heard of that it turns out your entire life depends on.
It's amazing, isn't it? Because I think the average person in the street, I'm sure our listeners aren't like this, but the average person in the street thinks of Amazon as a company which delivers you cardboard boxes with small things inside them.
Massive boxes, small things. Yes, exactly. But they also have so many services which rely upon Amazon cloud computing services.
Yeah.
And they could start selling that infrastructure to other people. And I first heard about this in about 2007.
And all these people who try to think, actually, maybe I won't shop at Amazon to try and balance the landscape out there. They actually looked at their houses and how much of their services rely on Amazon.
Or the websites they're going to, which are probably still being hosted by Amazon.
It reminds me of my time on Air Canada, every single flight I've ever taken where they have to stop and restart the television or whatever entertainment system due to some glitch somewhere.
So the question is, so yes, they had to turn it off and on again. Meanwhile, people are crying over the fact they can't vacuum.
I'd like to think that there'd be simulated environments to do exactly that before you do it live, though.
But even if there are, they clearly don't work perfectly because you wouldn't get in a situation like this in the first place. If they had a fire or something, maybe you'd understand, but this was of their own volition. They added more computers and caused their own problems. So if there are simulations, the simulations are obviously incomplete. Have people dried their tears now and their lights are back on and the vacuums are running?
Their interconnected fans are working again. They can get some assistance in drying the tears. But I think the worrying aspect of this is this is just where we are now, the speed with which we are acquiring devices that are dependent on an internet connection. Not just that have one, but don't work without one. It's rather alarming.
How dare you accuse him of cheeriness after you talk about biological cyber warfare? I mean, is he talking about Roombas going offline for a bit? Graham, what have you got for us this week? Well, we have a very cheery topic, Graham. The 1986 Computer Fraud and Abuse Act. The CFAA. Okay. And the reason we're talking about this is it's in front of the US Supreme Court this week. This is the first time the Supreme Court has ever heard arguments to or against how the Computer Fraud and Abuse Act is currently designed. This is America's main anti-hacking statute. Okay. And the Supreme Court are looking at the scope of the CFAA law and how it is and can be interpreted. And so you have the court's nine justices have a range of views on the question. And I'm inviting you all to don your Supreme Court judge hats or robes, rather. A wig? Do they have wigs over there? Wigs? No, no, no, no. But they'll have certainly robes, I believe. And we'll see what you do here. All right. I'll get my bathrobe on. I'm wearing my robe already and my wig. But I always wear those for podcasts. So I'm going to start with the year 1986. That was when the CFAA was put into law. And that is almost 35 years ago. Now, is it just me? Or do we feel like as you've just talked about, Mark, we're going through this incredibly huge technical revolution. And one of the richest countries in the world is depending on a 35 year old law. I find that shocking.
So this law is designed to stop teenage hackers breaking into WOPR and playing tic-tac-toe, basically. That's what it's there for.
Well, that's interesting. What it's there for and what it actually covers, that's what we're going to talk about. So it turns out that many, many Americans and organizations in the US have inadvertently broken this federal law repeatedly. Because inside the 1986 law, there is a broad definition of what's considered hacking. Okay, so quote, the law considers any intentional access to a computer without authorization to be a federal crime. Now, as CNET point out, this is broad enough that sharing a Netflix password could be considered a CFAA violation. So does that make it a federal crime? Yes. A federal crime to share your Netflix password? It makes it a federal crime. Granted, unlikely to warrant federal attention in a normal case-by-case basis. Right. But it does mean that Americans are extremely reliant on how individual prosecutors and individual judges understand and decide to enforce this law.
Yeah, okay. But there are always extreme cases like this, aren't there? I mean, it's not as though they're going to pursue it. And sharing your Netflix password is a naughty thing to do. Have you ever done it? So you should be in jail. So next time you go to the States and it says, are you a terrorist on the little phone? Have you ever committed a crime? You're going to have to, yeah. You've committed a felony, Graham, and you've admitted it.
So if you take that, so the law considers any intentional access to a computer without authorization to be federal crime, would that mean that a 12-year-old who starts a Facebook page breaks the rules? Because she's basically not authorized to have an account? Does that mean it's a federal crime? What if someone shares their logins with a third party in order to get IT support from someone?
There are gazillions of laws like this, and it's all down to
Interpretation. No, there's what we're talking about. I don't know about the other laws. I know about this one. And I think, as you'll see very quickly, there's a loophole here that is kind of scary for our industry, Mr. Cluley. So the core issue that they're discussing is should violating something like the terms of use on a website or a computer system lead to legal trouble at a federal level, using the CFAA as your umbrella. So that's one. Now, there's a second angle to consider. There's a group of people who are not happy about this 1986 law and its potentially incredibly broad remit. And this is our cybersecurity researchers, because many cybersecurity researchers' work involves finding vulnerabilities on software and gadgets without a company's authorization. So election security researchers at MIT uncovered issues with voting machines without the approval of the manufacturers. So they wrote it up and presented at the Usenix Security Conference earlier this year. And they called it "The Ballot is Busted Before the Blockchain."
That's a terrific example, because you're absolutely right. The way that we think about computers now versus the way that we think about computers in 85, 86 is even the idea that there's computer security. I can almost remember the day that computer security arrived in my life as a thing. It was a long time after that. It reminds me of, if you ever read about people that try hacking into cars, because obviously cars are part computer now, just like everything else. The trouble that they have to go to to avoid poking any of the bits that they're not allowed to poke is really quite excruciating. And when you read it, my reaction on reading that stuff is certainly, hang on, there's something wrong here, that they are, assuming that they are going to be ethical with what they discover, it seems like there's something wrong with them not being able to look. And, you know, in whose interest? Because I think we're all fans of responsible disclosure. But whose interests are being, I guess there's maybe concerns about intellectual property or something like that, that, okay, here's a black box and it's full of proprietary stuff and you're not allowed to look inside it. But it seems to me the greater good is normally served by people being able to poke around. So how are people calling for the legislation to be changed, Carole?
Well, people like, for example, a bunch of security researchers, obviously, have had a beef with Voatz's point. And soon after its tap dance in front of the Supreme Court, these guys responded publicly in an open letter, saying, you know, security research is vital to the public interest. And they say a broad interpretation of the CFAA, which is what we currently have, it risks undoing many of these positive advancements, like being able to discover security vulnerabilities in election machines, for example, which is a big deal. Voatz's actions threaten good faith security research and are indicative of what may come should the courts decide that a breach of controlled terms constitutes a criminal CFAA violation. They urge the courts to adopt a narrow interpretation of the CFAA. Can you imagine if the outcome of this is that we all have to start reading the terms and conditions of every website we visit? Like if you think it's bad with the cookie pop-ups now, combined with eye tracking technology to see if you really have read it as you scroll down, have you actually taken in each of those words as you plug your brain into your IoT device so it looks at your brain activity to make sure?
We're not even close to going too far the other way. Right now, it's so, so broad, Graham. And what that means is, for example, let's say they wanted to arrest you, right, but they couldn't for whatever reason, a side reason, and they couldn't get you, they could get you on this federally.
What I did with the Hoover did not cause any harm or damage to any other individual.
Because you brought up cyber biological warfare on the show, right? The FBI now got you earmarked and they want you, right, because you've now opened up this huge floodgate. And the way they'll get you is by sharing your Doctor Who password with someone.
Graham would never share his Doctor Who password with somebody. It's Gary Kasparov, isn't it?
Yeah, Politico are the only ones that said, you know, they are hopeful, I feel, is the way I would interpret what they wrote, saying that they saw a number of the Supreme Court representatives indicating reservations about the ambiguity and the scope. And they feel maybe they need to review it. So there is a silver lining if they do. I think they totally should. I think it's insane that we're relying on something that is 30, almost 35 years old. It's insanity.
Well, those Supreme Court justices, they all look pretty tech savvy. I'm not concerned. Yeah, they've got their finger on the pulse. Yeah, don't worry. Justice Thomas has got us well in. You want to know, can I just say, you know how this all got in front of the Supreme Court? You might remember this story, actually.
Sorry, no, I'm confused. There was a man who was interested in whether a stripper was actually an FBI agent and he himself was an FBI agent. Yes.
And it was all a way to capture, to get the Georgia police officer. So it was kind of a kind of a, what's it called? A sting? A honey trap.
Oh, so they were after the man who the FBI agent asked to do the looking up. Yeah, they're after the Georgia police officer who did the looking up of the license plate. Okay. Have they not got anything better to do with it? But the point is, is this is still being fought, right?
Well, he wasn't authorized to do that lookup, was he? He wasn't authorized to do that lookup because that hadn't come through the correct route.
Yeah, but that's not explicitly explained in the CFAA. So legal quagmire ensues.
So they're going to need some sort of subclause about stripper lookups.
Exactly. Graham's got it. Graham's got it.
Stripper lookups. That's what we need. I've got it. I think I've got this all under control, Mark. So what you're saying is that this law has been around for 35 years and the Supreme Court, because it's not clear what the law actually is, the Supreme Court has never ruled on this law. And then a story about strippers came along, and now it's like, yep, that's the one. We'll have that one.
All comes down to strippers. That's all you got. That's your takeaway.
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place. Deep Instinct strives to prevent all known and unknown threats using deep learning, making detection and response automated, fast and effective for any threat that cannot be prevented. Check out a report by the Ponemon Institute, which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct. And thanks to Deep Instinct for sponsoring the podcast.
This episode of Smashing Security is sponsored by LastPass. Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
Security training sucks. It's boring. Users hate it. They aren't paying attention. Doesn't work. For security training to actually work, you'd have to find out what each person in the company is doing that's risky. Send them phishing emails, monitor logs, check the password against Have I Been Pwned, and then you'd have to train them in a way that doesn't send them to sleep, try and track what they're doing to see if it works. Who's got time for any of that? Culture AI do. What? Culture AI. They make this amazing software that plugs into your company, runs your phishing campaigns, integrates with Slack, tests if your users accept phony MFA requests, that's a biggie, and pulls in tons of other behavioral metrics from your existing apps.
And welcome back and you join us at our favourite part of the show, the part of the show that we like to call Pick Of The Week Pick Of The Week Pick Of The Week Pick Of The Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily.
Yeah, I told you about it repeatedly. In fact, the other day I told you, why don't you watch it tonight? And you went, okay, yeah, maybe I'll do that. Yes, I will. Yes, yes, I will. Well, I've got round to it now. Yeah. And also chess related, but slightly security related. I saw on Twitter in the last couple of days, security researcher Sarah Jamie Lewis discovered that they were able to exploit the popular Stockfish chess engine by feeding it malformed chess positions, which can cause it to crash and do naughty things when trying to find a best move, or even trick it into believing there were no valid moves, even when it appeared that there were.
I might get this for my in-laws for Christmas. This could be perfect for them.
So that's my pick of the week. It's called One Straw Revolution. My pick of the week is a podcast. Now, it's hosted by the Telegraph journalist Cara McGugan. And I'm not a Telegraph reader, but I happened upon this podcast and I decided to give it a whirl. It's called Bed of Lies.
What's it about?
Well that's the thing, I can't really give you the big reveal. It starts off with the backstories. I can't, so you gotta just trust me because that's part of the way she kind of does it. Is she holds off on telling us what the biggest scandal is until episode three or four.
Can you give us a sort of genre? Can you sort of say whether it involves corruption?
Can you just hold on, I'm getting there baby. It starts off with the backstories of four women: Rosa, Lisa, Alison, Lindsay, all pseudonyms. They were all part of a lively activist community a few decades back. And they found partners who shared their passions for activism and seemed perfect, until it totally wasn't. So big 180 happens.
Yeah, I think I know what this is going to be about.
Don't say, don't say because it's kind of part of the way it's built. I think it's kind of silly. I think they should have given it away at the beginning and then just gone with the story personally. But you know, the first episode is hesitant, but I don't know, it's almost like the host and the producer are finding their feet or something. But it gets a bit pacier and the story is pretty juicy. And the stories from the women are actually pretty honestly told. It's quite good. So it sounds like your thing. Check it out wherever you get your podcasts. It's called Bed of Lies, hosted by Cara McGugan.
So I don't know what you're talking about, Carole, but if it's what I think it is, it's a fascinating news story which has spanned a few decades. And oh, that's good. Yeah. Well, I don't want to give anything away. I know. I hear you. I understand. But yes, involves activism and maybe law enforcement.
Yeah, maybe.
Is the punchline that it turns out they're all actually connected to us-east-1?
Mark! So mysterious.
Now, Carole, it's time for our featured interview, isn't it? Who have we got this week?
We have an interview with Deep Instinct Stephen Salinas, who's going to get us all up to speed on ransomware and what's going on today. So ears open, people. So hi, Stephen Salinas, Product Marketing Manager at Deep Instinct.
Thanks for having me. I'm glad to be here.
It's really lovely to speak with you because we're going to talk all about ransomware. But first, I wanted to ask you about the lady on your homepage. So for our listeners, there's this woman who looks very lovely. And then you look at her and her eyes are neon phthalo blue. And then you zoom into her eye and it's all sci-fi. So I just wanted to know what the thought process was behind that.
Yeah, it's kind of a funny little picture there. But I think the whole point is, you know, we want to get across the point to someone that visits our website that we are using, applying artificial intelligence to solve cybersecurity problems. And it kind of is an interesting way to get someone's attention. So the idea of kind of the way a human brain works, the way that our brain makes decisions, we're using technology that works in the same way to solve cybersecurity problems. Totally.
It works. It works. I mean, I just brought it up as the first question, and I'm sure loads of listeners are now going to your homepage and see what I'm talking about. So tell me first, tell me a bit about Deep Instinct and what you guys do.
Sure. So the company name is Deep Instinct, and we are a deep learning cybersecurity solution provider. So that's kind of a long way to say that we're applying artificial intelligence, which we interact with every day, all day. We're applying a form of it, the most advanced form, which is known as deep learning, to identify threats as early as possible, which is known as pre-execution, using a deep learning neural network so that we can identify these threats and prevent them from ever having the chance to run in an environment. So it's really... Our company, what we call it, we are a prevention-first company. So our whole idea and philosophy around security is that the best way to protect yourself is to stop a threat from having the chance to run in your environment. We offer a lot of different solutions that extend that, but that's where we start about preventing.
So can you tell us a bit about deep learning? Just how does it work? And just for some of our listeners so they can understand exactly.
Sure. So the best way to kind of think about deep learning is if you think about, you know, ourselves, brains are very complex. There are tons of things going on in there. So if you think about when we were a child or anything, when you learned how to, let's say, ride a bike, right? As a kid, you know, the first time you rode a bike, you probably fell off a lot. I did. I broke my arm, actually. Ouch. I definitely had my share of scraped knees and whatnot. Then you got the hang of it, right? And as a kid, I rode my bike all over the place. The phrase that we're all used to is like, it's like riding a bike. That's not a mistake. So even though you probably haven't been on a bike in years, if you saw a bike and you got on it, your brain would remember how to ride that bike. It just would. So our brains are very complex and they're very advanced. So very smart people, a lot smarter than me, they kind of looked at that, the way that the brain works. And they said, all right, we can take the same approach to solving lots of different problems. So a very brief history about artificial intelligence. It's been around since the 50s. If you're familiar with Alan Turing, the whole idea of the Turing test was if you can distinguish between a machine asking questions compared to a person. So that was like a form of artificial intelligence, very initial forms. And then in the 80s or so, this concept of machine learning came out where you could train a machine based on a set of data to come up with some sort of decision or to take some sort of action. And machine learning has been around for a while. The latest version of artificial intelligence is known as deep learning. So this is where, this is what we do. So what we do is we take vast amounts of data, machine learning, deep learning, artificial intelligence, all about data. So we take a lot of data around threats. 
And then we take a lot of information about good files, you know, files we use all the time, applications we use all the time, not just a few, millions. And we have data scientists, the founders of the company, they created algorithms, very proprietary set of algorithms that can take this data, we feed it into the model, which is called a neural network. And the only thing that we tell the model about this data is this set of files and data is known as malicious. And this set over here is good. So we feed it in and we look at the results. And after training and we train in the cloud, it takes a lot of horsepower to train it, develops an innate ability, like getting back to my bicycle analogy, to identify a threat. It's really astounding in that once I develop this ability, it doesn't need to know anything else about the files at all. So that when we point it at a file that it has never seen before, it's going to be able to come up to a decision, whether it's malicious or what we call benign or good, in milliseconds. And it's extremely accurate.
Okay. So this must play into ransomware because we're actually here to talk about ransomware today, right? So talk to me about ransomware and what is deep learning telling you about ransomware?
Yeah. So ransomware is one of the most insidious threats that can hit an organization. And the attackers, they're pretty ruthless because the way that they deploy these threats, they could be either targeted or they kind of can use some automation to target vast amounts of IP addresses and whatnot. But the fact of the matter is if an organization gets hit by ransomware, it could be crippled, right? The whole way, if you're not familiar with anyone listening, essentially what ransomware does is it gets into an organization. If someone initiates it and starts the ransomware, it will go through and encrypt all the data on your computer. So think about all that data that's on your machine, stuff you rely on, you use all the time. It encrypts it and it holds it hostage. And what the attackers do then is they display on the machines a ransom note. It's very, I mean, it's called ransomware for a reason. It's just like when someone, when a person gets held hostage, they get a ransom note and said, here, we have your data. You need to pay us X amount. It's usually some sort of cryptocurrency. Bitcoin is their favorite. Or we're either going to destroy your data or some of the newer forms of ransomware, they say, we're not going to destroy it, but we're going to leak it. Which is obviously very concerning to an organization. You know, it's all sensitive data.
Oh, well, hey, if they were going to leak my diary, I'd be concerned. Right.
So if an organization finds themselves in this situation, it's full-on panic at this point. But there are definitely things we can talk about, mitigation strategies. There are several you can use.
I was wondering first, are companies targeted more than individuals? Or is it more or less the same?
Well, the attackers, they target companies a lot because they have deeper pockets. Right. So, I mean, there are definitely lots of stories that you hear where this was a few months ago. I believe it was some, you know, I don't want to, I'm not going to say the name of the university because I don't want to get it wrong. But they were doing some COVID research and they got hit by ransomware. And they had no choice but to pay the ransom. And it was, you know, in the millions of dollars because this was extremely valuable data that they needed for their research. A university is going to have a lot more money to pay than, you know, just Joe public.
Yeah, I'm like, here's 50 bucks. Does that work?
Yeah. You know, they're looking to get the big paydays. One of the other things that's happened is people's work environments have changed.
Right. Yeah, yeah. So, people are working from home. So, that makes their kind of – now it's kind of an individual and a company problem, I guess.
Exactly. So, it's really bad. I mean, I remember hearing a story. This was years ago, but it's relevant. I won't, again, save all the names to protect the innocent. But at any rate, there was an executive from some large financial institution that would regularly use his home computer to access his work email and things like that. Well, he also had a son that would use that machine to go play online games. And somehow the attacker realized, you know, they were looking and they realized, oh, this kid is using this machine. And they did some sort of social engineering and got access and figured out, oh, this is an entryway into this bank.
I don't think I know a parent these days that hasn't, under exhaustion, handed over their phone or tablet or computer to kids just to have 10 minutes' silence. Especially now when you think kids are all doing school from home.
Yeah. This is what this is. This is broadening the attacker's area that they can target. So before it was, all right, company, they're all behind the firewall. They're in buildings. Now the firewall has kind of virtually disappeared and everyone's at home. So now the smart attackers, and they're doing it, they're identifying, oh, okay, all of these machines are now all over the place. So if I can penetrate Steve's machine, I can get into the company. Let's face it, people's protections at home are a lot less sophisticated than an organization's would be. Right? So.
Totally. That must be keeping so many IT security people awake at night, just thinking about all the doom and gloom that could happen just because one employee doesn't have the right infrastructure in place to protect the company and protect themselves.
So let's talk a little bit about how you protect yourself against ransomware as an organization. So there are a couple of different ways you can do it. The old school, which doesn't work very well, is I guess I'd call it legacy. We'll call it legacy antivirus. So this is where there's a piece of software that's installed on all the, let's call it laptops, just for simplicity. And it pulls down a list of known ransomware, we'll just say, to be very generic. And it's signatures. So the software, if it identifies there's a file that matches one of these signatures, it doesn't let it run. But guess what? The attackers know that. So they have gone long past that. So it's easy for them to make small modifications to their ransomware, and it will completely evade that type of protection.
So if you're looking for a specific thing, they can just change it slightly so it doesn't match specifically.
You know, if someone's looking for a person and they put a disguise on, walk right by the police, right? Would never be seen. So then there's the machine learning approach, which is kind of this category, what I call the next gen players. They look at the features of ransomware. So it's a little bit better. And then they train a machine learning model to identify threats. But then the attacker is really smart. All that, what they've done is they've identified the features that these machine learning models are trying to use to identify the threat. And then they just simply don't use them or they change them. They bypass two different types of protection. Now our protection seems to be the best. You know, one of the things that I do all the time is look at the latest ransomware and I run it against our model. And it's very, very effective because we're not using features. Again, we're training against this vast amount of data and the deep learning neural network is making a decision. It's taking any sort of route to get to that decision. It's hard to say impossible, but it's virtually impossible for an attacker to figure out what decisions it's making to avoid that. So one good example, there's a really bad strain of ransomware that was hitting a lot of healthcare organizations called, I don't know how you pronounce it. I call it Ryuk. It's R-Y-U-K. It's been causing major issues. So the other day I pulled down, and there's a video on our website, I pulled down almost 100 samples of this ransomware. And I ran it against our neural network. And one thing I want to be clear is once we've trained the model, no additional training happened. So the one that I was using was trained in November of 2018. So two years old. And I said, okay, analyze all this ransomware. And it identified every single file as malicious. Yeah. So it's really powerful.
And that's why we're finding a lot of – to get back to the whole point of, all right, all my employees are all over the place. What do I do? What you need is a protection that is what we call resilient, right, that doesn't need daily updates. So, I could provide this two-year-old model to most organizations in the country, the world, and they're going to get better protection probably than what they have today, even if I don't ever update it again.
Yeah, I agree with that sentiment totally. You don't have to have perfect protection. You have to have better protection.
You know, even though our solution shows extremely great results, you know, you can't guarantee 100% all the time. So we do do other things, behavioral analysis to look for things that look like ransomware. It's very rare that a ransomware would be able to get past us this first phase. But that's why we're seeing a lot of interest in our approach because it's resilient. It doesn't even require being connected to the internet. All the decisions are taken on the machine that it's protecting and it doesn't need updates.
So what about behaviors that individuals, so we're talking about these employees who are working from home, right? So I'm guessing rule number one, please don't lend your computers to your kids if you can avoid it. But what other advice do you have? What do you do at home? What do you tell your family to do?
If you get an email from someone you don't know that has a link on it, don't open it. Or if you get an email that says, oh, I'm from a company that you work with a lot, somebody you buy stuff from with, but it looks a bit weird. It has, oh, we need you to update your information here, or we're going to terminate your account. Be very suspicious. You can also look at the URLs. If it has a really weird URL, it says it's from a big box store, I don't know, Target or something, but the URL is completely different. It's probably not there.
These are really, really good points because right now we're kind of sitting ducks because a lot of us are looking up for information on elections that may have just happened. We're looking for information on coronavirus and what's going on there. We're getting ready for the holidays. We're buying loads of stuff online because a lot of us are not allowed out. So, we've kind of told the bad guys exactly how to get us.
I know. I mean, I'll give you one example. You mentioned the COVID. Some attackers, they said because people were looking for information desperately, they actually had embedded malware in an actual map, an interactive map of COVID. No way. Fortunately, though, we supported that file type. So, if someone downloaded it, we would identify it as malicious, but not everyone would. So, you know, the attackers, they don't have any qualms about doing things like that.
I know. Well, I'm glad there are people like you, Stephen, and Deep Instinct to help protect us in this crazy, crazy world we live in right now.
We're doing our best. But I think, you know, again, you know, just be vigilant, be suspicious. It's okay to be suspicious. You're not going to hurt anybody's feelings.
Stay calm maybe is another good piece of advice. A lot of these things try to incite, you know, some kind of outrage or emergency scenario, you know, just maybe just take a second. It's okay to think for a minute or two and ask, you know, a trusted friend who knows more about this stuff if you're not sure. Absolutely.
And one last thing I'll mention too, from a personal standpoint, this is good for just individuals. There are lots of online solutions or ways to back up your data, you know, and they're not very expensive. So if you do happen to, oh man, I accidentally got hit by ransomware. Well, I always say don't pay the ransom. You know, it only makes the attack, they're only doing it because they get paid. So if you have other mitigation strategies, have backups, use a solution like ours, obviously, if you're an organization, the lower we can make the incentive as far as the attackers are not going to get paid, you know, they'll go down in the long term.
Yeah. Choke the green, right? Choke the green. Exactly. Stephen Salinas, Product Marketing Manager at Deep Instinct. Thank you so, so much for coming on Smashing Security. Thank you.
Well, that was terrific. And that just about wraps it up for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that? You can find me on Twitter at Mark Stockley. Terrific. And you can follow us on Twitter at SmashinSecurity, no G. Twitter allows us to have a G. And you can also join the subreddit for Smashing Security. And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast apps such as Apple Podcasts, Spotify or Pocket Casts.
A few announcements. First, you each have a VIP invitation to our YouTube Live Smashing Security Christmas special on Thursday, 17th of December, 8pm UK time. If our last session was anything to go by, where hundreds of you joined us, asked questions, made friends with other Smashing Security listeners, it was just awesome. And if our plan for this one on December 17th comes together, it's going to be a YouTube sesh to remember. We really hope to see you there, guys, because we need to see this shit show of a year out in style. And remember, Patreon supporters, any support we receive via Patreon during the month of December 2020 will go directly to our local food bank. And can I urge you all to look at your communities to see how you can help bring a little joy this season to those who are having a hard time. There are some awful stories out there. Lastly, a huge shout out to this week's Smashing Security sponsors Deep Instinct, Culture AI and LastPass. Their support helps us make this show free for everyone. For details on past episodes, sponsorship details or how to join our Patreon community check out smashingsecurity.com, plus you'll find all the details for how you can get in touch with us.
Until next time, cheerio, bye bye. Bye. Bye bye.
Do you think anyone's going to show up on December 17th, Graham? What, on? To our live show? Well, hopefully Mark will. And a chicken. Are you thinking of giving it a pass, Graham?
No, I'm going to be there. If my internet connection holds up. It'll be interesting to see.
Sorry, I couldn't quite make that. I think it was a quick.
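Stephen Salinas's advice in the interview above, that a message claiming to come from a familiar brand should be treated as suspicious when the link's real destination does not match, can be turned into a small automated check. The following is an added example written for this page; it is not code from the podcast, from Deep Instinct, or from any of the show's sponsors. It parses the anchors out of an HTML email body and flags a link when the visible link text is itself a URL on a different domain than the href, or when the link text or message names a known brand whose domains do not include the href's host. The brand-to-domain table, the crude "last two labels" domain reduction, and the three sample messages are all constructed for the example; a real tool would use the public suffix list and an organisation's own list of vendors.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the recipient actually deals with, mapped to the hosts they legitimately use.
# Constructed for this example; a real deployment maintains this per organisation.
KNOWN_BRANDS = {
    "target": {"target.com"},
    "paypal": {"paypal.com"},
}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com; use the public suffix list in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of an http(s) URL, or None for anything else (mailto:, javascript:, relative)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    return parsed.hostname


def brand_mentioned(text):
    """First known brand named in the text (simple substring match, lowercase)."""
    lowered = text.lower()
    for brand in KNOWN_BRANDS:
        if brand in lowered:
            return brand
    return None


def suspicious_links(html_body):
    """Return a list of (href, reason) for links that do not go where they claim to."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    # Brand named anywhere in the message, used when the link text itself is generic
    # ("Update your information here").
    body_brand = brand_mentioned(re.sub(r"<[^>]+>", " ", html_body))
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        if host is None:
            if href.lower().startswith(("javascript:", "data:")):
                findings.append((href, "non-http scheme"))
            continue
        domain = registered_domain(host)
        # Check 1: the visible text is a URL, but on a different domain than the real target.
        text_host = host_of(text) if text.lower().startswith(("http://", "https://")) else None
        if text_host and registered_domain(text_host) != domain:
            findings.append((href, f"displayed {text_host} but goes to {host}"))
            continue
        # Check 2: the link or message claims a known brand, but the host is not one of its domains.
        brand = brand_mentioned(text) or body_brand
        if brand and domain not in KNOWN_BRANDS[brand]:
            findings.append((href, f"claims {brand} but host is {host}"))
    return findings


# Constructed sample messages.
LEGIT_SAMPLE = (
    '<p>Thanks for shopping with Target. '
    '<a href="https://www.target.com/orders">View your order</a></p>'
)
PHISH_SAMPLE = (
    '<p>Your Target account will be terminated. '
    '<a href="http://target.com.account-verify.xyz/login">Update your information here</a></p>'
)
DISPLAY_SAMPLE = '<a href="https://evil.example/x">https://www.paypal.com/signin</a>'

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE), ("display", DISPLAY_SAMPLE)):
        print(name, suspicious_links(sample))
```

The second sample shows why the check reduces the host to its registered domain before comparing: `target.com.account-verify.xyz` begins with the brand's domain, which is exactly the trick the interview warns about, but the part that matters is the end of the hostname.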
Hosts: Graham Cluley, Carole Theriault
Guest: Mark Stockley
Show notes:
- Smashing Security's Christmas 2020 live stream — Join us on YouTube on Thursday 17 December.
- Increased cyber-biosecurity for DNA synthesis — Nature Biotechnology.
- New cyber-biological attack can trick biologists into generating dangerous toxins — News Medical Life Sciences.
- Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA — Department of Health and Human Services (PDF).
- AWS: Amazon web outage breaks vacuums and doorbells — BBC News.
- The Supreme Court will finally rule on controversial US hacking law — Ars Technica.
- 18 U.S. Code § 1030 – Fraud and related activity in connection with computers — Legal Information Institute, Cornell University.
- Online-voting company pushes to make it harder for researchers to find security flaws — CNET.
- The Supreme Court will hear its first big CFAA case — TechCrunch.
- Response to Voatz's Supreme Court Amicus Brief — An open letter from the security community.
- The Queen's Gambit Netflix series — Wikipedia.
- Twitter thread by Sarah Jamie Lewis.
- Win by Segfault and other notes on Exploiting Chess Engines — Sarah Jamie Lewis.
- One-Straw Revolution — A book by Masanobu Fukuoka.
- Bed of Lies podcast — The Telegraph.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
CultureAI isn’t just another security awareness training provider. It helps you measure and improve every end-user’s cyber security behaviour, providing a management system for IT, Security and Awareness teams.
Learn more and try it for yourself at culture.ai/smashing
Visit culture.ai/smashing now.
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place!
Deep Instinct strives to prevent all known and unknown threats using deep learning, making detection and response automated, fast and effective for any threat that cannot be prevented.
Check out a report by the Ponemon Institute, which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.