Fears are raised about cyber bioterrorists, there’s a widespread blackout for IoT devices caused by a cloud cock-up, and what role do strippers play in a revamp of the United States’s computer crime laws?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
And don’t miss our featured interview with Steve Salinas of Deep Instinct, discussing ransomware.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
All right, hi everybody, Carole Theriault here from Smashing Security. Something a little different this week.
We have had quite the year, so Graham Cluley and I have decided that any monies we receive via Patreon during the month of December 2020 will go directly to our local food bank.
We're doing this because there are a lot of people that are hungry and it's getting cold out there and it's Christmas.
If you're not a Patreon supporter, which is totally fine, I do urge you to look at your communities to see how you might be able to help bring a little bit more joy this season to those that are having a hard time.
And lastly, just a huge thank you for all your support this year. It has meant the world to us. Now let's get this show on the road.
We have had quite the year, so Graham Cluley and I have decided that any monies we receive via Patreon during the month of December 2020 will go directly to our local food bank.
We're doing this because there are a lot of people that are hungry and it's getting cold out there and it's Christmas.
If you're not a Patreon supporter, which is totally fine, I do urge you to look at your communities to see how you might be able to help bring a little bit more joy this season to those that are having a hard time.
And lastly, just a huge thank you for all your support this year. It has meant the world to us. Now let's get this show on the road.
So hang on, hang on. There's a website. Yes. Put together by some guy—
Scientists.
I've seen the people that make websites. I'm already scared. And then they send you DNA in the post.
Yeah, they send you the genes.
Okay, I give up. I give up.
Smashing Security, Episode 207: Cyber Bio-Warfare, Giant Ladybugs, and Strippers, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 207. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 207. My name's Graham Cluley.
I'm Carole Theriault.
And we're joined this week by Mark Stockley again. Hello, Mark. Again?
Yeah, yeah, Jesus.
Well—
And here's Mark again.
Now, Mark, after your last appearance on the show, you had a bit of feedback on the old Twitters, didn't you?
I did, I did. Yes. Somebody wanted to tell me that I was the poshest-sounding guest you've ever had.
What? What, one party told you that?
Yeah.
It must be 100% true.
Well, it's good enough for a marketing survey. It's good enough for me.
Thanks to Mrs. Stockley for leaving you that message. Very good of her.
It was a real surprise. But you have some very, very illustrious guests, like BBC journalists and—
Yes.
You know, serial chess world champions and things like that. And so I felt that was something I could cling on to.
At least, I felt that way until you piped up and said, actually, he's not the poshest-sounding guest we've ever had, because we've had Dr. Jessica Barker on.
At least, I felt that way until you piped up and said, actually, he's not the poshest-sounding guest we've ever had, because we've had Dr. Jessica Barker on.
She's very posh-sounding. Although apparently from Newcastle.
There you go.
Surprising. And that's something which we found out on our recent YouTube livestream, which we did. I know a lot of our listeners joined and watched that video monstrosity in action.
And Carole, we've got some news, haven't we, on the livestream front?
And Carole, we've got some news, haven't we, on the livestream front?
Why are you calling it a monstrosity?
Because you watched it afterwards.
Is that why?
Carole, what's happening on the livestream front?
Well, we are going to have a second inaugural livestream party. We're going to do it Thursday, 17th of December, and it's going to be our little pre-Christmas party on YouTube.
So Graham Cluley, talent and friends, maybe Mark, you would like to join us as a friend, but you might have to perform.
We're talking to people who are thinking about doing songs or street dances. So just saying, high caliber.
So Graham Cluley, talent and friends, maybe Mark, you would like to join us as a friend, but you might have to perform.
We're talking to people who are thinking about doing songs or street dances. So just saying, high caliber.
I can sound reasonably posh.
Yes. Does that count? Or maybe you could just bring a chicken along. That'll work.
Okay. Yeah.
So if anyone wants to pre-register for this or find out more, all you have to do is go to smashingsecurity.com/live.
And as Carole said, it will be on December the 17th, Thursday, December 17th at 8:00 PM UK time. And what other times around the world, Carole?
And as Carole said, it will be on December the 17th, Thursday, December 17th at 8:00 PM UK time. And what other times around the world, Carole?
Can you not do the math? 3:00 PM Eastern Standard, noon Pacific. People can work it out. Same time as last time.
Okay.
Well, I think we know what talent you're gonna be showing off.
Okay, that's fabulous. So what else is coming up on the show this week, Carole?
Well, first let's thank this week's sponsors, Deep Instinct Culture AI and LastPass. Their support helps us give you this show for free.
Now coming up on today's show, Graham is going to scare us with research on cyberbiological attacks.
Mark Stockley laments a broken smart vacuum, and I find out why the US Supreme Court is talking about the Computer Fraud and Abuse Act.
And we also have a featured interview with Deep Instinct's Steve Salinas. We do a deep dive into ransomware and how it's impacting us all in 2020.
All this and much more coming up on this episode of Smashing Security.
Now coming up on today's show, Graham is going to scare us with research on cyberbiological attacks.
Mark Stockley laments a broken smart vacuum, and I find out why the US Supreme Court is talking about the Computer Fraud and Abuse Act.
And we also have a featured interview with Deep Instinct's Steve Salinas. We do a deep dive into ransomware and how it's impacting us all in 2020.
All this and much more coming up on this episode of Smashing Security.
Now, chums, have you ever been accused of releasing some kind of biological weapon into the atmosphere?
I'm so bored of these ridiculous questions.
Yes.
Interesting. Okay, well, I've been thinking about this, and certainly there is a lot of concern out there that bioterrorists may begin to get up to all kinds of shenanigans.
I thought this was a fart joke.
No, not that kind of emission into the atmosphere.
What have I just admitted to? Well, it's been lovely being on the podcast. I think the police are here.
Now, one of the most interesting groups of researchers who I've come across in my years of investigating cybersecurity are the boffins at Ben-Gurion University of the Negev over in Israel.
They produce some of the most fascinating and wacky, crazy bonkers security research that's going.
In the past, they've described how data could be leaked by your computer monitor's brightness, how your headphones could be reprogrammed to record your conversations, how data could be stolen from air-gapped PCs through the fan or ultrasonic emissions— not that kind of emission, Mark— through your built-in speaker, and much more besides.
Really crazy, bonkers stuff. And now those researchers claim to have discovered a new end-to-end cyberbiological attack.
They produce some of the most fascinating and wacky, crazy bonkers security research that's going.
In the past, they've described how data could be leaked by your computer monitor's brightness, how your headphones could be reprogrammed to record your conversations, how data could be stolen from air-gapped PCs through the fan or ultrasonic emissions— not that kind of emission, Mark— through your built-in speaker, and much more besides.
Really crazy, bonkers stuff. And now those researchers claim to have discovered a new end-to-end cyberbiological attack.
What?
Yes.
Okay, I need you to explain this I'm 5. Tell how this would work.
Well, what they're saying is that they have found a way of compromising the synthetic DNA supply chain, I'm sure.
Okay, again, I'm still not following.
Hang on, hang on. Is this— are we talking about actual DNA here or are we talking about Bitcoin marketing bullshit?
No, no, no, no, no, no, no, no, no. This is actual, actual DNA. This is real DNA.
Yeah, he got this in the Daily Mail, so.
It's definitely not just the Daily Mail, Carole. I also— I'm sure you read about it this week in Nature Biotechnology magazine.
No, not in my reading list.
You didn't pick that up?
I'm still on last week's. I haven't got to this week's yet.
Now, you might have imagined in the past that a bad guy would have to get their hands on a dangerous substance such as a toxin or some kind of poison or biological virus to produce and deliver it to an unsuspecting world.
No, I'm not imagining that. I still don't even understand what synthetic DNA is.
We're going to come to that.
We're going to come to that. I'm just saying, I'm just correcting you.
I can't imagine it.
It's bitcoin. I'm telling you, it's bitcoin. This is going to be a bitcoin story.
Well, Mark, when you've previously emitted dangerous toxins into the atmosphere—
He passed out.
You probably had to work hard to produce them yourself, didn't you?
No, it's quite easy, to be honest.
Just eating some sprouts. Well, here's the thing, right? In the old days, Carole, making genes— so genes are made up of DNA.
Right?
We're not talking Levi's here.
Okay. No, no, no. Making genes from scratch used to be laborious, time-consuming. You know, you couldn't do that many before lunchtime. But it isn't anymore.
Today, you can literally log into a website, upload the DNA sequence you want, which is, you know, G-A-T-A-A-A-T-C-T-G-G-T-T. You know, DNA sequences, all those characters.
Today, you can literally log into a website, upload the DNA sequence you want, which is, you know, G-A-T-A-A-A-T-C-T-G-G-T-T. You know, DNA sequences, all those characters.
I do know, yeah.
It's very odd, isn't it? G-A-T-C. I'm not sure how that works. Mark, you probably understand that. Anyway, you upload the DNA sequence that you want.
Do you think that we're all secret medical scientists?
Mark reads a lot.
Yeah, but—
I assumed it was to do with the shape, because there are interlocking pieces. And it's A, T, C, G, isn't it? I assumed it has to do with the shape of the interlocking pieces.
I don't know. You upload the DNA sequence you want, and you order however many genes you want online, right? So it's just making any other online order. And a couple of—
So hang on, hang on. There's a website. Yes. Put together by some guy.
Scientists.
I've seen the people that make websites. I'm already scared. You type in ATGCTG.
Or cut and paste.
And then they send you DNA in the post.
Yeah, they send you the genes according to the sequence that you've requested.
Okay, I give up, I give up.
It arrives. It arrives a couple of weeks later in the post.
We've gone too far. We've gone too far. Stop.
But how does it arrive? Okay, what arrives? In the post. No, no, okay, I understand that. What, you open up the box and what is inside?
Well, I imagine it's some receptacle.
Genes.
Containing genetic material or something.
What, in a syringe?
Well, I don't know.
Is it just an organ? Just an organ that no one's ever seen before?
3D printed?
A placenta or something? Is it refrigerated?
I don't know why you're making this sound so complicated, because the powers that be, the powers that be are worried about how simple this is, and they are worried about how to stop this technology being abused.
So they're worried about terrorists, for instance, going to these websites, uploading the DNA sequences of bioweapons or dangerous viruses, or changing a harmless bacteria into one that could be a deadly toxin.
So what they've done, the US Department of Health and Human Science have put together guidelines for scientists and for these websites for how to screen requests for synthetic DNA to stop naughtiness happening.
So they're worried about terrorists, for instance, going to these websites, uploading the DNA sequences of bioweapons or dangerous viruses, or changing a harmless bacteria into one that could be a deadly toxin.
So what they've done, the US Department of Health and Human Science have put together guidelines for scientists and for these websites for how to screen requests for synthetic DNA to stop naughtiness happening.
Hang on, hang on, hang on.
Hmm.
So these guidelines, step one on the guidelines is obviously don't make a website where somebody can type in some words —some letters.
And they get biotoxins.
Well, well. Right? Is that— I mean, surely.
Yeah, you'd like to think that as you were typing in your sequence, they might go, "Ah, stop right there, mister." Well, that's not a good one.
So let me tell you what they do, right? And in some ways, this is— what would you rather they did, Mark? Would you rather they wrote it in crayon and put it in the post to people?
That would— imagine the transcribing of that. That could go terribly wrong as well, wouldn't it? What's so wrong with using the web?
That would— imagine the transcribing of that. That could go terribly wrong as well, wouldn't it? What's so wrong with using the web?
Hang on, I don't even understand why we're debating a service whereby some random person just randomly writes something out, and then they get the thing, like the organ comes in the post.
Can I explain what the first screening test is? The first screening test is, who the hell do you think you are ordering synthetic DNA, right?
Oh, well, that's a relief, 'cause those work really well.
So they ask you, for your name, contact information, billing and shipping address. And they also ask some other questions.
If you answer these kind of questions incorrectly, it rings a few alarm bells. Like, would you rather pay in cash or cryptocurrency?
Do you want the DNA shipped to you in an unusual way? Or, you know— What does that mean? Do you have any special requests? Like, don't tell the feds what I'm doing, or, you know—
If you answer these kind of questions incorrectly, it rings a few alarm bells. Like, would you rather pay in cash or cryptocurrency?
Do you want the DNA shipped to you in an unusual way? Or, you know— What does that mean? Do you have any special requests? Like, don't tell the feds what I'm doing, or, you know—
Would you like it shipped to you in some sort of projectile. Could you send it to me in an artillery shell, please?
Would you like it shipped to the White House directly? Something like that would ring an alarm bell, thinking, hmm, I wonder what's going on here.
So they do, they first of all say, who the hell are you to be asking for this stuff?
So they do, they first of all say, who the hell are you to be asking for this stuff?
Are you a terrorist? No.
It's like when you fly to the United States, you have to fill in the form and tick the box if you're a member of the Nazi Party or something like that.
So similarly, they have that kind of test. So you have to get through that hurdle first. And of course, a web form always, 100%, will weed out any ne'er-do-wells at that point.
So similarly, they have that kind of test. So you have to get through that hurdle first. And of course, a web form always, 100%, will weed out any ne'er-do-wells at that point.
I mean, you know, as long as it's got a captcha, right? Yeah. Yes, Carole?
I'm guessing this site was online, alive and kicking before these regulations came into place?
Oh no, these regulations have been in place for about 10 years.
All right, so this is how the environment tries to control who gets their hands on synthetic DNA.
This is how it's done right now, although sadly, not all websites which are producing synthetic DNA are following these guidelines at the moment.
But these are the official ones which they are encouraging these websites— because of course, anyone can set up a website if they want to.
And you may be some bizarre foreign state which is doing this as well. But let's not even get there. I hate this.
But these are the official ones which they are encouraging these websites— because of course, anyone can set up a website if they want to.
And you may be some bizarre foreign state which is doing this as well. But let's not even get there. I hate this.
It's 2020, we're all having a hard year, and now you've just added another layer of complexity.
Let me reassure you, because there's now a second screening you have to pass. So once you've convinced them that you have a legitimate request— You are who you are.
The next thing is, what on earth do you want?
So what they do is they look at this DNA sequence, which you are ordering, and they check whether it contains any sequences which have the potential to pose a severe threat to human life, animals, plant health, and other things like that.
Life, basically. Yes. So they've got, they've created some kind of database of common bad stuff and say, if we spot any of this, I imagine they do something like a grep.
The next thing is, what on earth do you want?
So what they do is they look at this DNA sequence, which you are ordering, and they check whether it contains any sequences which have the potential to pose a severe threat to human life, animals, plant health, and other things like that.
Life, basically. Yes. So they've got, they've created some kind of database of common bad stuff and say, if we spot any of this, I imagine they do something like a grep.
I imagine they're just looking for a sequence of characters. Oh my God.
So I wonder if someone was trying to get weed killer, right? Would it kind of, you know, and they're putting the sequence for some kind of— Why would you have a DNA weed killer?
Who knows? But if you did—
Who knows? But if you did—
Then it might try.
I feel like I've detected a flaw in this plan. A lot of these things are dose-dependent, aren't they? If you take too much salt, it'll kill you.
Can I order a ladybug, but one that's 9 feet wide?
Can I order a ladybug, but one that's 9 feet wide?
Well, I wouldn't worry about that. She's not gonna get into your house. What if she was 9 foot long though?
Are you telling me Amazon don't have cardboard boxes for that? 'Cause I'm telling you, you're wrong. On a more serious note, I have other concerns.
So I'm not a geneticist, but my understanding of genetic code is that there are very large parts of the human genetic code that we don't know what it does and are quite possibly useless, just kind of remnants from previous iterations of humans.
And who's to say if they're harmful or harmless if they were activated? I'm very concerned. Mostly concerned about the giant ladybug.
So I'm not a geneticist, but my understanding of genetic code is that there are very large parts of the human genetic code that we don't know what it does and are quite possibly useless, just kind of remnants from previous iterations of humans.
And who's to say if they're harmful or harmless if they were activated? I'm very concerned. Mostly concerned about the giant ladybug.
Yeah, I'm sure the US government department have got this all under control and they've created a totally thorough database.
So we can say they've logged Mark's concern.
If your request for the DNA, the genes, the synthetic DNA has triggered either the 'Who the hell are you?' or 'What on earth are you doing ordering a giant ladybird?' challenge, then they look at it a bit more closely, and they can eventually pass it over to the nearest FBI field office.
Specifically, the Weapons of Mass Destruction Coordinator.
Specifically, the Weapons of Mass Destruction Coordinator.
Whoa, that jumps up the chain pretty quickly.
There's someone whose job it is at the FBI field office to look after WMDs and coordinate them. And so he'll say yes or no. So, back to the eggheads over in Israel.
They say that there's a few problems. One is there's no comprehensive database of pathogenic sequences. So all the bad stuff.
So they said the guidelines are fundamentally outdated already.
But more than that, they created a proof of concept cyber attack which could obfuscate a nasty toxic DNA sequence in such a way that it wasn't picked up by the screening.
They say that there's a few problems. One is there's no comprehensive database of pathogenic sequences. So all the bad stuff.
So they said the guidelines are fundamentally outdated already.
But more than that, they created a proof of concept cyber attack which could obfuscate a nasty toxic DNA sequence in such a way that it wasn't picked up by the screening.
So they basically encrypt it and then slip it through?
Well, encrypted is perhaps the wrong term. But it was something which would effectively emulate the same sequence of characters, although it didn't look the same.
So it would muddle it up, but you'd get the same result.
So it would muddle it up, but you'd get the same result.
So steganography?
Yeah, maybe in a way. So how can they inject their toxic, nasty, malicious DNA sequence into one of these systems?
What they're talking about is they could actually infect legitimate laboratories who are asking for synthetic DNA.
And with a browser plugin, so if they managed to install a browser plugin, when the scientists cut and paste their DNA sequence, they could actually intercept that and inject some of their own nasty DNA in there as well.
And in their tests, 50 obfuscated DNA samples, 16 of them were not detected.
So around about a third of their attempts were successful to sneak past effectively malicious toxic DNA, which could then end up in the hands of people.
What they're talking about is they could actually infect legitimate laboratories who are asking for synthetic DNA.
And with a browser plugin, so if they managed to install a browser plugin, when the scientists cut and paste their DNA sequence, they could actually intercept that and inject some of their own nasty DNA in there as well.
And in their tests, 50 obfuscated DNA samples, 16 of them were not detected.
So around about a third of their attempts were successful to sneak past effectively malicious toxic DNA, which could then end up in the hands of people.
Yeah, but they weren't actually using toxic DNA sequences, presumably, right? So they basically obfuscated DNA samples and said, does this get past or not?
No, I think they looked at the databases which they felt were out of date, and they found the toxic pathogens, and they obfuscated those, and they put them into the requests.
And they went through and they passed the tests.
And they went through and they passed the tests.
Oh, great. So we now have a research team with 16 toxic DNA sequences.
Great. They're Israeli students.
We can trust them. If anybody's looking for some biological weapons, you'll find them at Ben-Gurion University. So it's kind of interesting, I thought.
Oh yeah, this kind of thing.
As with much of the stuff done by this particular university when it comes to cybersecurity threats, it's not necessarily something you should lose too much sleep over, despite Mark's nightmare vision of a giant ladybug at night.
But clearly, better screening is required.
So just relying on a computer to look for particular sequences of characters is something which has to be maintained and make sure that someone's not trying to slip something past you.
So there you go, we've all learned about cyber biosecurity today.
As with much of the stuff done by this particular university when it comes to cybersecurity threats, it's not necessarily something you should lose too much sleep over, despite Mark's nightmare vision of a giant ladybug at night.
But clearly, better screening is required.
So just relying on a computer to look for particular sequences of characters is something which has to be maintained and make sure that someone's not trying to slip something past you.
So there you go, we've all learned about cyber biosecurity today.
I don't feel I've learned very much at all, really. But thank you, it was entertaining.
I'll put links in the show notes. Thanks Mark, what's your story for us this week?
I'm sorry, I'm still terrified. I'm gonna start with a question. So what would you do if your hoover stopped working?
Panic. What? Who cares? I don't know, buy a new one.
You'd buy a— Yes, that was a first-world answer. Buy a new one. I was gonna say on mine, it normally stops working 'cause there's a ball of fluff in the tube.
And I just have to fish the ball of fluff out. But you know, another way of getting rid of the ball of fluff is obviously to throw the whole thing out, buy a new one.
And I just have to fish the ball of fluff out. But you know, another way of getting rid of the ball of fluff is obviously to throw the whole thing out, buy a new one.
I'm you, I would get in there. I enjoy doing that actually, cleaning out a vacuum cleaner, unplugging it from some mat of hair somewhere.
I think when I was a student and I had a vacuum cleaner, it never really occurred to me to empty the vacuum cleaner.
So they just naturally stopped working on the three times during the year that we used it.
So they just naturally stopped working on the three times during the year that we used it.
So we don't need to worry about ordering foul genetic creations on the internet. There's a hoover somewhere that's never been emptied in some student flat somewhere.
So what about your doorbell? What would you do if your doorbell stopped working, do you think?
So what about your doorbell? What would you do if your doorbell stopped working, do you think?
I'd replace the battery in the doorbell. Or the piece of string.
I'd assume people would knock.
That's true, that's true. Continue to use the door as has been used for centuries. Easy. Well, what about your lights? What would you do if your lights didn't turn on?
Headlamps.
Start a fire? Turn on the oven?
If all these three things happened at the same time in my house, I think I would be thinking poltergeist, actually.
No, I think the fuses have gone.
Okay, poltergeist or fuses, one of the two. Last one, last one. What about your computer? What would you do if your computer wasn't working properly?
Well, has it ever worked properly? I'd try and fix it and then go and buy another one if I was unsuccessful. What about turning it off and on again?
Oh yeah, you've got to turn it off and on again. That's the first thing you learn, isn't it? What's the first thing IT tell you to do, people in IT support?
Oh yeah, you've got to turn it off and on again. That's the first thing you learn, isn't it? What's the first thing IT tell you to do, people in IT support?
Have you tried turning it off and on again?
Yeah. Sometimes I've made the mistake of saying, "Have you tried turning it on and off again?" which is the wrong way round. That's a mistake.
If they said no, then you have to say, "Aha! I have diagnosed the problem. We need to turn this thing on, baby." Funny.
If they see a brief flicker and then it goes dead, then it was off in the first place.
Now, the reason I'm asking the question is because on November 25th, so just last week, a bunch of people in the eastern United States suddenly found themselves with exactly these problems.
So, vacuum cleaners that didn't do what they were supposed to do, doorbells and thermostats that stopped working, podcasts that wouldn't upload.
Don't know if that affected you guys.
Now, the reason I'm asking the question is because on November 25th, so just last week, a bunch of people in the eastern United States suddenly found themselves with exactly these problems.
So, vacuum cleaners that didn't do what they were supposed to do, doorbells and thermostats that stopped working, podcasts that wouldn't upload.
Don't know if that affected you guys.
Oh, this is all smart tech stuff, isn't it?
Lights that wouldn't turn on. Very clever.
Yeah, yeah, yeah, okay.
And basically, a bunch of mysterious technical issues apparently unrelated.
And of course, as Carole has guessed, what all of these things had in common was that they are all modern, internet-connected smart devices, or what we like to call part of the Internet of Things.
So in other words, they are part computer. Now unfortunately, what was affecting these devices is that the computer part was on the fritz.
And so computers, when they break, as we just discussed, what you need to do when it breaks is you just need to turn it off and on again. But there was a problem.
Because these things were all part of the Internet of Things.
So they're internet-connected devices, and what that means is the computer part, or at least a very important part of the computer part, isn't in the device.
In fact, it's not even in the same house. It's actually out there somewhere in the cloud. And so the question is, how do you turn the cloud off and on again?
And of course, as Carole has guessed, what all of these things had in common was that they are all modern, internet-connected smart devices, or what we like to call part of the Internet of Things.
So in other words, they are part computer. Now unfortunately, what was affecting these devices is that the computer part was on the fritz.
And so computers, when they break, as we just discussed, what you need to do when it breaks is you just need to turn it off and on again. But there was a problem.
Because these things were all part of the Internet of Things.
So they're internet-connected devices, and what that means is the computer part, or at least a very important part of the computer part, isn't in the device.
In fact, it's not even in the same house. It's actually out there somewhere in the cloud. And so the question is, how do you turn the cloud off and on again?
Well, yes, you don't have the plug for that, do you? Someone else does.
So yeah, but if your router goes down, it would impact all these things. Or your router.
But if all the routers went down at the same time, that would be something else. This isn't some guy whose Hoover stops and his light switch.
This is a whole bunch of people in the eastern USA, suddenly all these vacuum cleaners stop and all these light switches stop and all these thermostats stop working.
This is a whole bunch of people in the eastern USA, suddenly all these vacuum cleaners stop and all these light switches stop and all these thermostats stop working.
So, so something's gone wrong with the cloud.
Something has gone wrong with the cloud. And if when something goes wrong with the cloud, you have to talk to Amazon, right?
Because in this case, the part of the cloud that failed was actually an Amazon service called Amazon Kinesis, which is one of thousands of Amazon cloud services that you've probably never heard of.
That it turns out your entire life depends on. It's amazing, isn't it?
Because in this case, the part of the cloud that failed was actually an Amazon service called Amazon Kinesis, which is one of thousands of Amazon cloud services that you've probably never heard of.
That it turns out your entire life depends on. It's amazing, isn't it?
I think, because I think the average person in the street, I'm sure our listeners aren't this, but the average person in the street thinks of Amazon as a company which delivers you cardboard boxes with small things inside them.
But in fact— Massive boxes, small things.
Yes, exactly. But they also have so many services which rely upon Amazon cloud computing services.
It is mind-blowing. I mean, I can't keep track of all the different names of things that they have. And it's all happened very, very quickly.
So, I mean, it's a very interesting story actually, because you think about Amazon as, you know, back in 2000, Amazon was just— it was basically a shop, wasn't it?
It was a bookshop. But it was a very, very big bookshop, and it was on the internet.
And what they wanted to do was they wanted to start letting other people use their shop, sort of create websites for other people. Who could use their shopping technology.
And they realized that all their stuff was a total mess.
And so as they kind of cleaned it up and worked out how to get all the bits of their own company working smoothly together, they realized in about 2003 that they had this fantastic cloud infrastructure.
Yeah. And they could start selling that infrastructure to other people.
And I first heard about this in about 2007, and it was mind-blowing even back then, but it was just the whole idea of these sort of servers that weren't servers, they were just computing blobs.
So, I mean, it's a very interesting story actually, because you think about Amazon as, you know, back in 2000, Amazon was just— it was basically a shop, wasn't it?
It was a bookshop. But it was a very, very big bookshop, and it was on the internet.
And what they wanted to do was they wanted to start letting other people use their shop, sort of create websites for other people. Who could use their shopping technology.
And they realized that all their stuff was a total mess.
And so as they kind of cleaned it up and worked out how to get all the bits of their own company working smoothly together, they realized in about 2003 that they had this fantastic cloud infrastructure.
Yeah. And they could start selling that infrastructure to other people.
And I first heard about this in about 2007, and it was mind-blowing even back then, but it was just the whole idea of these sort of servers that weren't servers, they were just computing blobs.
And all these people who tried to, you know, think, actually, maybe I won't shop at Amazon to try and, you know, rebalance the landscape out there.
They actually looked at their houses and how much of their services rely on Amazon.
They actually looked at their houses and how much of their services rely on Amazon.
Or the websites they're going to, which are probably still being hosted by Amazon. Exactly, yeah.
So one of the services, one of these many, many services is this thing called Amazon Kinesis. Yeah.
Which in its own words, it's there to collect and process and analyze real-time streaming data.
So it's things like video and audio, but it's also telemetry from Internet of Things devices.
So what that means is you have apps and devices and websites that use Kinesis, and Amazon uses it as well. So its own services make use of Kinesis.
So there's a thing called Cognito, which is used for authentication that relies on Kinesis.
There's something called CloudWatch, which is used for monitoring, that relies on Kinesis.
And what happened was Amazon decided, because Kinesis is so popular, it needed to increase the capacity of Kinesis in its US-East-1 data center.
Which in its own words, it's there to collect and process and analyze real-time streaming data.
So it's things like video and audio, but it's also telemetry from Internet of Things devices.
So what that means is you have apps and devices and websites that use Kinesis, and Amazon uses it as well. So its own services make use of Kinesis.
So there's a thing called Cognito, which is used for authentication that relies on Kinesis.
There's something called CloudWatch, which is used for monitoring, that relies on Kinesis.
And what happened was Amazon decided, because Kinesis is so popular, it needed to increase the capacity of Kinesis in its US-East-1 data center.
Okay.
So the Amazon universe is divided into a kind of small number of these fantastically boringly named data centers. Yes. So they were increasing the capacity in US-East-1.
I can sense something bad is about to happen. They've produced this fantastically impenetrable very, very serious document to explain what happened.
But I am going to attempt to translate this into short words that, you know, that simple people and Carole will understand. My attempt for an explanation for people like you.
And so what you want to imagine is that this isn't one thing. This is actually thousands and thousands of servers, right? Yeah. That are all receiving these requests.
And all of these thousands and thousands of servers are all aware of each other. So they all keep count of each other.
So you imagine that each of these servers has got two hands, okay? And they're counting on their hands all the other servers. And what happened was Amazon added too many new servers.
And so the existing servers, which have to keep count of all the other servers, they no longer had enough fingers on which to count all of the servers.
I can sense something bad is about to happen. They've produced this fantastically impenetrable very, very serious document to explain what happened.
But I am going to attempt to translate this into short words that, you know, that simple people and Carole will understand. My attempt for an explanation for people like you.
And so what you want to imagine is that this isn't one thing. This is actually thousands and thousands of servers, right? Yeah. That are all receiving these requests.
And all of these thousands and thousands of servers are all aware of each other. So they all keep count of each other.
So you imagine that each of these servers has got two hands, okay? And they're counting on their hands all the other servers. And what happened was Amazon added too many new servers.
And so the existing servers, which have to keep count of all the other servers, they no longer had enough fingers on which to count all of the servers.
So they added servers but didn't tell the other services, hey, expect new servers to connect.
Modern computing, you don't have to tell them, they figure it out for themselves.
So what happens is you have this pool of computers, and they're all kind of watching each other going, "Oh, I see more computers are being added. I need to keep track of that one.
I need to keep track of that one." And it exceeded each computer's capacity to keep track of other computers.
So they ran out of fingers to count the number of computers on, and then they all stopped working. So how do you fix a problem like that?
So what happens is you have this pool of computers, and they're all kind of watching each other going, "Oh, I see more computers are being added. I need to keep track of that one.
I need to keep track of that one." And it exceeded each computer's capacity to keep track of other computers.
So they ran out of fingers to count the number of computers on, and then they all stopped working. So how do you fix a problem like that?
Maria. You turn it off and on again.
You turn it off and on again.
So was there some poor soul in an office somewhere who has the extension cable which is controlling all of these computers, and he went flick.
Is that what happened?
It reminds me of my time on Air Canada, every single flight I've ever taken where they have to stop and restart the television or whatever entertainment system due to some glitch somewhere.
It reminds me of my time on Air Canada, every single flight I've ever taken where they have to stop and restart the television or whatever entertainment system due to some glitch somewhere.
So the question is, yes, they had to turn it off and on again.
Meanwhile, people are crying over the fact they can't vacuum.
Why will my vacuum cleaner not automatically start?
I think Roombas are depressed.
The guy I felt most sorry for was the one who couldn't turn his lights on.
I mean, limited sympathy, because obviously he did decide to buy lights that depended on the existence of a supercomputer. And I don't understand—
I mean, limited sympathy, because obviously he did decide to buy lights that depended on the existence of a supercomputer. And I don't understand—
No sympathy, actually.
I don't understand why that's important. But it does raise the question, what are we doing?
Now, back in the '60s, when they invented the internet, they had this idea of a communications network that was so resilient, it could withstand a nuclear attack.
The whole point of the internet is that it routes requests through the undamaged part of the network.
And then our generation has taken this amazing blueprint and gone, what we're going to do is we're going to put this massive centralized system smack bang in the middle of it, and all of your devices are going to be dependent on this centralized system, which occasionally will fall over and someone will have to kick, and then it will restart.
Maybe. What's clear from the write-up of it is that there was an awful lot of sweating. And, you know, I imagine there was a lot of whiteboarding.
Now, back in the '60s, when they invented the internet, they had this idea of a communications network that was so resilient, it could withstand a nuclear attack.
The whole point of the internet is that it routes requests through the undamaged part of the network.
And then our generation has taken this amazing blueprint and gone, what we're going to do is we're going to put this massive centralized system smack bang in the middle of it, and all of your devices are going to be dependent on this centralized system, which occasionally will fall over and someone will have to kick, and then it will restart.
Maybe. What's clear from the write-up of it is that there was an awful lot of sweating. And, you know, I imagine there was a lot of whiteboarding.
I'm glad he didn't say defecating.
I mean, how do you model and test something like a data center? What will happen if we add 1,000 computers to our data centre?
Or what will happen if in an emergency we take 1,000 out?
Or what will happen if in an emergency we take 1,000 out?
You'd think that there'd be simulated environments to do exactly that before you do it live though.
But even if there are, they clearly don't work perfectly because you wouldn't get in a situation like this in the first place.
I mean, if they had a fire or something, maybe you'd understand. But this was of their own volition. They added more computers and caused their own problem.
If there are simulations, the simulations are obviously incomplete.
I mean, if they had a fire or something, maybe you'd understand. But this was of their own volition. They added more computers and caused their own problem.
If there are simulations, the simulations are obviously incomplete.
Have people dried their tears now and their lights are back on and the vacuum's running?
Well, now their internet-connected fans are working again. They can get some assistance in drying the tears.
But I think that the worrying aspect of this is this is just where we are now. Like the speed with which we are acquiring devices that are dependent on an internet connection. Yeah.
Not just that have one, but don't work without one. It's rather alarming.
Okay, if your Hoover doesn't work, well, Graham managed to get through 3 years of being a student without a Hoover that worked.
So, you know, it's not that bad, but there are all sorts of things connected to the internet now.
So if you own a Tesla car, for example, your Tesla car is effectively part of the Internet of Things.
Tesla can turn off your car whenever they want to, because it's dependent on that umbilical. And who knows what else?
But I think that the worrying aspect of this is this is just where we are now. Like the speed with which we are acquiring devices that are dependent on an internet connection. Yeah.
Not just that have one, but don't work without one. It's rather alarming.
Okay, if your Hoover doesn't work, well, Graham managed to get through 3 years of being a student without a Hoover that worked.
So, you know, it's not that bad, but there are all sorts of things connected to the internet now.
So if you own a Tesla car, for example, your Tesla car is effectively part of the Internet of Things.
Tesla can turn off your car whenever they want to, because it's dependent on that umbilical. And who knows what else?
And come back in 10 years. Yeah, we'll have Mark back on the show with an update.
I told you so, from my cave.
Well, that was cheery. Thanks, Mark. Any solutions? Any sort of wise words on how to improve the world?
How dare you accuse him of cheeriness after you talk about biological cyber warfare? I mean, he's talking about Roombas going offline for a bit.
Carole, what have you got for us this week? Well, we have a very cheery topic, Graham.
The 1986 Computer Fraud and Abuse Act. The CFAA. Okay. And the reason we're talking about this is it's in front of the US Supreme Court this week.
This is the first time the Supreme Court has ever heard arguments to or against how the Computer Fraud and Abuse Act is currently designed.
This is America's main anti-hacking statute. Okay. And the Supreme Court are looking at the scope of the CFAA law and how it is and can be interpreted.
And so you have the court's nine justices have a range of views on the question. And I'm inviting you all to don your Supreme Court judge hats or robes, rather. A wig?
This is the first time the Supreme Court has ever heard arguments to or against how the Computer Fraud and Abuse Act is currently designed.
This is America's main anti-hacking statute. Okay. And the Supreme Court are looking at the scope of the CFAA law and how it is and can be interpreted.
And so you have the court's nine justices have a range of views on the question. And I'm inviting you all to don your Supreme Court judge hats or robes, rather. A wig?
Do they have wigs? No, no, no.
They don't have wigs there, but they'll have certainly robes, I believe. And we'll see what you would do here. All right, I'll get my bathrobe on.
I'm wearing my robe already and my wig, but I always wear those for podcasts.
So I'm going to start with the year 1986. That was when the CFAA was put into law, and that is almost 35 years ago.
Now, is it just me, or do we feel like, as you've just talked about, Mark, we're going through this incredibly huge technical revolution, and one of the richest countries in the world is depending on a 35-year-old law?
Now, is it just me, or do we feel like, as you've just talked about, Mark, we're going through this incredibly huge technical revolution, and one of the richest countries in the world is depending on a 35-year-old law?
I find that shocking. This law is designed to stop teenage hackers breaking into WOPR and playing tic-tac-toe, basically. That's what it's there for.
Well, that's interesting. What it's there for and what it actually covers, that's what we're going to talk about, okay? All right, okay.
So it turns out that many, many Americans and organizations in the US have inadvertently broken this federal law repeatedly because inside the 1986 law, there is a broad definition of what's considered hacking.
Okay, so quote, the law considers any intentional access to a computer without authorization to be a federal crime.
Okay, now as CNET point out, this is broad enough that sharing a Netflix password could be considered a CFAA violation. So that's a—
So it turns out that many, many Americans and organizations in the US have inadvertently broken this federal law repeatedly because inside the 1986 law, there is a broad definition of what's considered hacking.
Okay, so quote, the law considers any intentional access to a computer without authorization to be a federal crime.
Okay, now as CNET point out, this is broad enough that sharing a Netflix password could be considered a CFAA violation. So that's a—
Does that make it a federal crime? Yes, a federal crime to share your Netflix password.
It makes it a federal crime. Granted, unlikely to warrant federal attention in a normal case-by-case basis, right?
But it does mean that Americans are extremely reliant on how individual prosecutors and individual judges understand and decide to enforce this law.
But it does mean that Americans are extremely reliant on how individual prosecutors and individual judges understand and decide to enforce this law.
But yeah, okay, but there are always extreme cases like this, aren't there? I mean, it's not like you say, it's not as though they're going to pursue it.
And sharing your Netflix password is a naughty thing to do.
And sharing your Netflix password is a naughty thing to do.
Have you ever done it? Oh yeah. Well, there you go. So you should be in jail.
So next time you go to the States and it says, are you a terrorist on the little thing?
Have you ever committed a crime?
You're going to have to— Yeah, well, I— You committed a felony, Graham, and you've admitted it.
So if you take that, so the law considers any intentional access to a computer without authorization to be a federal crime.
Would that mean that a 12-year-old who starts a Facebook page breaks the rules because she's basically not authorized to have an account? Does that mean it's a federal crime?
What if someone shares their logins with a third party in order to get IT support from someone?
Would that mean that a 12-year-old who starts a Facebook page breaks the rules because she's basically not authorized to have an account? Does that mean it's a federal crime?
What if someone shares their logins with a third party in order to get IT support from someone?
There are gazillions of laws this, and it's all down to interpretation. No, there's—
Well, we're talking— I don't know about the other laws. I know about this one.
And I think, as you'll see very quickly, there's a loophole here that is kind of scary for our industry, Mr. Cluley.
So the core issue that they're discussing is, should violating something the terms of use on a website or a computer system lead to legal trouble at a federal level?
Using the CFAA as your umbrella. So that's one. Now there's a second angle to consider.
There's a group of people who are not happy about this 1986 law and its potentially incredibly broad remit.
And this is our cybersecurity researchers, because many cybersecurity researchers' work involves finding vulnerabilities on software and gadgets without a company's authorization.
So election security researchers at MIT uncovered issues with voting machines without the approval of the manufacturers.
So they wrote it up and presented at the USENIX Security Conference earlier this year.
Okay, and that they called it 'The Ballot is Busted Before the Blockchain.' So this is a blockchain e-voting company known as Voatz, V-O-A-T-Z.
Oh yeah, these guys, piggybacking on an unrelated CFAA case, argued to the Supreme Court— Right? This has been September.
That security research conducted by MIT on their machines that found several security flaws breaks the CFAA and should not be allowed, not because the research was wrong, but because they were not authorized to conduct said research.
Right. And that's what's being discussed right now.
And I think, as you'll see very quickly, there's a loophole here that is kind of scary for our industry, Mr. Cluley.
So the core issue that they're discussing is, should violating something the terms of use on a website or a computer system lead to legal trouble at a federal level?
Using the CFAA as your umbrella. So that's one. Now there's a second angle to consider.
There's a group of people who are not happy about this 1986 law and its potentially incredibly broad remit.
And this is our cybersecurity researchers, because many cybersecurity researchers' work involves finding vulnerabilities on software and gadgets without a company's authorization.
So election security researchers at MIT uncovered issues with voting machines without the approval of the manufacturers.
So they wrote it up and presented at the USENIX Security Conference earlier this year.
Okay, and that they called it 'The Ballot is Busted Before the Blockchain.' So this is a blockchain e-voting company known as Voatz, V-O-A-T-Z.
Oh yeah, these guys, piggybacking on an unrelated CFAA case, argued to the Supreme Court— Right? This has been September.
That security research conducted by MIT on their machines that found several security flaws breaks the CFAA and should not be allowed, not because the research was wrong, but because they were not authorized to conduct said research.
Right. And that's what's being discussed right now.
That's a terrific example because you're absolutely right that the way that we think about computers now versus the way that we think about computers in '85, '86 is— Even the idea that there's computer security, I can almost remember the day that computer security arrived in my life as a thing.
It's a long time after that.
Do you know, it reminds me of if you ever read about people that try hacking into cars, because obviously, you know, cars are part computer now, just everything else.
The trouble that they have to go to, to avoid poking any of the bits that they're not allowed to poke. Is really quite excruciating.
And when you read it, my reaction on reading that stuff is certainly, there's something wrong here, that they are assuming that they are going to be ethical with what they discover.
It seems there's something wrong with them not being able to look. And in whose interest?
It's a long time after that.
Do you know, it reminds me of if you ever read about people that try hacking into cars, because obviously, you know, cars are part computer now, just everything else.
The trouble that they have to go to, to avoid poking any of the bits that they're not allowed to poke. Is really quite excruciating.
And when you read it, my reaction on reading that stuff is certainly, there's something wrong here, that they are assuming that they are going to be ethical with what they discover.
It seems there's something wrong with them not being able to look. And in whose interest?
Yeah, because I think we're all fans of responsible disclosure.
Yeah. Yeah. Yeah.
But whose interests are being— I guess maybe there's concerns about intellectual property or something like that, that, OK, here's a black box and it's full of proprietary stuff and you're not allowed to look inside it.
But it seems to me the greater good is normally served by people being able to poke around.
But whose interests are being— I guess maybe there's concerns about intellectual property or something like that, that, OK, here's a black box and it's full of proprietary stuff and you're not allowed to look inside it.
But it seems to me the greater good is normally served by people being able to poke around.
So how are people calling for the legislation to be changed, Carole?
Well, people, for example, a bunch of security researchers obviously have had a beef with Voatz's point.
And right, and soon after its tap dance in front of the Supreme Court, these guys responded publicly in an open letter saying, you know, security research is vital to the public interest.
And they say a broad interpretation of the CFAA, which is what we currently have, it risks undoing many of these positive advancements, being able to discover security vulnerabilities in election machines, for example, which is a big deal.
Voatz's actions threaten good faith security research are indicative of what may come should the courts decide that a breach of controlled terms constitutes a criminal CFAA violation.
They urge the courts to adopt a narrow interpretation of the CFAA.
And right, and soon after its tap dance in front of the Supreme Court, these guys responded publicly in an open letter saying, you know, security research is vital to the public interest.
And they say a broad interpretation of the CFAA, which is what we currently have, it risks undoing many of these positive advancements, being able to discover security vulnerabilities in election machines, for example, which is a big deal.
Voatz's actions threaten good faith security research are indicative of what may come should the courts decide that a breach of controlled terms constitutes a criminal CFAA violation.
They urge the courts to adopt a narrow interpretation of the CFAA.
Can you imagine if the outcome of this is that we will have to start reading the terms and conditions of every website we visit? If you think it's bad with the cookie pop-ups now.
Yeah. Combined with eye-tracking technology to see if you really have read it. As you scroll down, have you actually taken in each of those words?
As you plug your brain into your IoT device so it looks at your brain activity to make sure— maybe they should actually insert inside their terms and conditions some random words about unicorns or—
As you plug your brain into your IoT device so it looks at your brain activity to make sure— maybe they should actually insert inside their terms and conditions some random words about unicorns or—
I thought you were going to say they should insert something into the brains of the people who are looking.
Well, you could do that with a malicious synthetic DNA. There's a website for that.
So, I mean, this sounds very interesting, Carole, but surely there's a concern that this could go too far the other way as well.
So, I mean, this sounds very interesting, Carole, but surely there's a concern that this could go too far the other way as well.
We're not even close to going too far the other way. Right now is so, so broad. And what that means is, for example, let's say they wanted to arrest you, right?
But they couldn't for whatever reason, a side reason, and they couldn't get you. They could get you on this federally.
But they couldn't for whatever reason, a side reason, and they couldn't get you. They could get you on this federally.
What I did with the Hoover did not cause any harm or damage to any other individual because you brought up cyber biological warfare on the show, right?
The FBI now got you earmarked and they want you, right? Because you've now opened up this huge floodgate.
And the way they'll get you is by sharing your Doctor Who password with someone.
And the way they'll get you is by sharing your Doctor Who password with someone.
Anyway, it's Gary Kasparov, isn't it? Yeah.
Politico are the only ones that said, you know, they are hopeful, I feel, is the way I would interpret what they wrote, saying that they saw a number of the Supreme Court representatives indicating reservations questions about the ambiguity and the scope, and they feel maybe they need to review it.
So there is a silver lining if they do. I think they totally should. I think it's insane that we're relying on something that is almost 35 years old. It's insanity.
So there is a silver lining if they do. I think they totally should. I think it's insane that we're relying on something that is almost 35 years old. It's insanity.
Well, those Supreme Court justices, they all look pretty tech savvy. I'm not concerned.
Yeah, they've got their finger on the pulse.
Yeah, don't worry. Justice Thomas has got us well enough. You want to know how this all got in the Supreme Court? You might remember this story, actually. So this is back in 2017.
This guy says he's keen on this stripper, right? But he's nervous that she might be an undercover agent.
So he goes to a Georgia police officer, and he pays the police officer to look up her license plate in a confidential database.
You know, the way we see every single cop do in every single show that we've ever seen, right? Just check her out online.
Anyway, in a nasty twist, the unnamed guy, the one who was keen on the stripper and paid for the intel, was in fact the FBI agent.
This guy says he's keen on this stripper, right? But he's nervous that she might be an undercover agent.
So he goes to a Georgia police officer, and he pays the police officer to look up her license plate in a confidential database.
You know, the way we see every single cop do in every single show that we've ever seen, right? Just check her out online.
Anyway, in a nasty twist, the unnamed guy, the one who was keen on the stripper and paid for the intel, was in fact the FBI agent.
Sorry, no, I'm confused. There was a man who was interested in whether a stripper was actually an FBI agent, and he himself was an FBI agent?
Yes. And it was all a way to capture, to get the Georgia police officer. So it was kind of a— what's it called?
A sting? A honey trap.
Oh, so they were after the man who the FBI agent asked to do the looking up?
Yeah, they were after the Georgia police officer who did the looking up of the license plate.
Have they not got anything better to do?
But the point is, this is still being fought, right? Because he keeps— you know, some people are saying it's not right that he did have access, legitimate access to that database.
So therefore, it's not that he had unauthorized access to this database, but he did misuse that database for other purposes.
So everyone's discussing this, and this is the case that opened up all these floodgates and why it's in the Supreme Court. So it all came down to strippers.
So therefore, it's not that he had unauthorized access to this database, but he did misuse that database for other purposes.
So everyone's discussing this, and this is the case that opened up all these floodgates and why it's in the Supreme Court. So it all came down to strippers.
Well, he wasn't authorized to do that lookup, was he? He wasn't authorized to do that lookup because that hadn't come through the correct route.
Yeah, but that's not explicitly explained in the CFAA. So legal quagmire ensues.
So they're going to need some sort of sub-clause about stripper lookups.
Exactly. You understand. Graham's got it. Stripper lookups.
That's what we need. I've got this all under control, Mark.
So what you're saying is that this law has been around for 35 years, and the Supreme Court, because it's not clear what the law actually is.
The Supreme Court has never ruled on this law. And then a story about strippers came along, and now it's like, yep, that's the one. We'll have that one.
The Supreme Court has never ruled on this law. And then a story about strippers came along, and now it's like, yep, that's the one. We'll have that one.
All comes down to strippers. That's all you got. That's your takeaway.
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place.
Deep Instinct strives to prevent all known and unknown threats using deep learning.
Making detection and response automated, fast, and effective for any threat that cannot be prevented.
Check out a report by the Ponemon Institute which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct.
And thanks to Deep Instinct for sponsoring the podcast. This episode of Smashing Security is sponsored by LastPass.
Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.
In fact, tens of thousands of companies rely upon LastPass to protect themselves.
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.
Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
Security training sucks, it's boring, users hate it, they aren't paying attention, doesn't work.
For security training to actually work, you'd have to find out what each person in the company is doing that's risky, send them phishing emails, monitor logs, check for passwords and have I been pwned, and then you'd have to train them in a way that doesn't send them to sleep, try and track what they're doing to see if it worked.
Deep Instinct strives to prevent all known and unknown threats using deep learning.
Making detection and response automated, fast, and effective for any threat that cannot be prevented.
Check out a report by the Ponemon Institute which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct.
And thanks to Deep Instinct for sponsoring the podcast. This episode of Smashing Security is sponsored by LastPass.
Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.
In fact, tens of thousands of companies rely upon LastPass to protect themselves.
LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.
Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
Security training sucks, it's boring, users hate it, they aren't paying attention, doesn't work.
For security training to actually work, you'd have to find out what each person in the company is doing that's risky, send them phishing emails, monitor logs, check for passwords and have I been pwned, and then you'd have to train them in a way that doesn't send them to sleep, try and track what they're doing to see if it worked.
Who's got time for any of that? Culture AI do. What? Culture AI.
They make this amazing software that plugs into your company, runs your phishing campaigns, integrates with Slack, tests if your users accept phony MFA requests.
Yes, that's a biggie. And pulls in tons of other behavioral metrics from your existing apps.
It basically figures out what everyone needs to know and then creates personalized training that is not boring. And it even checks that it's working. And it's all done automagically.
And they've got a deal just for our listeners. Sign up at culture.ai/smashing and your first 50 employees are free. For life. Cool. More information, culture.ai/smashing.
Stop your whining, Graham.
They make this amazing software that plugs into your company, runs your phishing campaigns, integrates with Slack, tests if your users accept phony MFA requests.
Yes, that's a biggie. And pulls in tons of other behavioral metrics from your existing apps.
It basically figures out what everyone needs to know and then creates personalized training that is not boring. And it even checks that it's working. And it's all done automagically.
And they've got a deal just for our listeners. Sign up at culture.ai/smashing and your first 50 employees are free. For life. Cool. More information, culture.ai/smashing.
Stop your whining, Graham.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie via record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is something that I'm sure many people have already checked out.
I'm a few weeks late to this.
I did have a Smashing Security listener, a couple of them actually, contact me and saying, Graham, are you going to talk about this TV show on the podcast?
It seems right up your alley, mate. And eventually I got around to watching it. And I've nearly finished it.
I haven't quite— I've got a couple more episodes to go, but I can already tell—
Could be a funny story, a book that they've read, a TV show, a movie via record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is something that I'm sure many people have already checked out.
I'm a few weeks late to this.
I did have a Smashing Security listener, a couple of them actually, contact me and saying, Graham, are you going to talk about this TV show on the podcast?
It seems right up your alley, mate. And eventually I got around to watching it. And I've nearly finished it.
I haven't quite— I've got a couple more episodes to go, but I can already tell—
You've spoken about Doctor Who loads of times.
It's not Doctor Who, it is chess-related. There is, of course, a Netflix hit TV series called The Queen's Gambit, all about a chess prodigy in the 1960s called Beth Harmon.
And it's drama, she didn't really exist. And it's a really good show, it's quite enjoyable.
And the amazing thing is, of course, that normally when chess is presented on screen, it's all a load of old nonsense and it's not actually anything like chess.
But The Queen's Gambit, I'm sitting there saying, yeah, that is the Caro-Kann Defense. Yes, that is what, you know, the Queen's Gambit Declined or whatever.
And they're referring to things in chess and they're absolutely on the nail.
And maybe the reason for this is that Garry Kasparov, of course, is famous for being the former world chess champion and even more famous for being a past guest on Smashing Security, acted as a consultant on the show.
So well done, Gary. I know he's listening. Well done, Gary, for doing that. And coming up with a great TV series, The Queen's Gambit on Netflix. I enjoyed it.
Have either of you watched it?
And it's drama, she didn't really exist. And it's a really good show, it's quite enjoyable.
And the amazing thing is, of course, that normally when chess is presented on screen, it's all a load of old nonsense and it's not actually anything like chess.
But The Queen's Gambit, I'm sitting there saying, yeah, that is the Caro-Kann Defense. Yes, that is what, you know, the Queen's Gambit Declined or whatever.
And they're referring to things in chess and they're absolutely on the nail.
And maybe the reason for this is that Garry Kasparov, of course, is famous for being the former world chess champion and even more famous for being a past guest on Smashing Security, acted as a consultant on the show.
So well done, Gary. I know he's listening. Well done, Gary, for doing that. And coming up with a great TV series, The Queen's Gambit on Netflix. I enjoyed it.
Have either of you watched it?
Yeah, I told you about it repeatedly. In fact, the other day I told you, why don't you watch it tonight? You went, okay, yeah, maybe I'll do that. Yes, I will. Yes.
Yes, I will. Well, I've got round to it now. Yeah. And also chess related, but slightly security related.
I saw on Twitter in the last couple of days, security researcher Sarah Jamie Lewis discovered that they were able to exploit the popular Stockfish chess engine by feeding it malformed chess positions and can cause it to crash and do naughty things.
When trying to find a best move, or even trick it into believing there were no valid moves, even when it appeared that there were.
So if anyone's interested in that, it's a bit nerdy.
I saw on Twitter in the last couple of days, security researcher Sarah Jamie Lewis discovered that they were able to exploit the popular Stockfish chess engine by feeding it malformed chess positions and can cause it to crash and do naughty things.
When trying to find a best move, or even trick it into believing there were no valid moves, even when it appeared that there were.
So if anyone's interested in that, it's a bit nerdy.
Even if you're not, I fully endorse your pick of the week. I thought it was a brilliant series, but I would like to fully endorse Sarah Jamie Lewis as well.
And she does endless amounts of really, really interesting stuff, whatever she gets into. She does very interesting things with it.
So I'm not at all surprised to hear her name attached to this.
And she does endless amounts of really, really interesting stuff, whatever she gets into. She does very interesting things with it.
So I'm not at all surprised to hear her name attached to this.
Well, I am linking to her research in the show notes. You can check it out some more. It is security related. I'm sorry about that, Carole.
And on that point, I pass over to Mark Stockley for his pick of the week.
And on that point, I pass over to Mark Stockley for his pick of the week.
So it's basically an antidote to all this guff about hoovers that break when they can't talk to supercomputers and order your own anthrax online and all that stuff.
So it's a beautiful book. I listened to it as an audiobook over the summer. And it's by an unassuming Japanese research scientist called Masanobu Fukuoka.
And he basically turned away from science and back to quiet life on the farm after what he describes as a profound spiritual experience in 1937.
So he trained as a microbiologist and an agricultural scientist, and he became very disillusioned with what he saw as westernized ideas about agriculture and farming.
And this is back in 1937, remember?
So it's a beautiful book. I listened to it as an audiobook over the summer. And it's by an unassuming Japanese research scientist called Masanobu Fukuoka.
And he basically turned away from science and back to quiet life on the farm after what he describes as a profound spiritual experience in 1937.
So he trained as a microbiologist and an agricultural scientist, and he became very disillusioned with what he saw as westernized ideas about agriculture and farming.
And this is back in 1937, remember?
It turns out he was right.
Before World War II and before the mass use of chemical fertilizer. So even then he was—
Well, the Industrial Revolution had started though. Yes.
But it was a huge change in farming in particular, because you need nitrogen for explosives.
And our capacity to produce chemical nitrogen for bombs ramped up massively during the war.
There was this huge chemical industry that existed after the war that wasn't there before, which is where the sort of chemical fertilizer industry comes from.
Anyway, he predates that, but his alarm bells were going off. So long story short, he basically pioneered all sorts of techniques for growing food that were way ahead of their time.
So he called it his do-nothing technique, but we would call it things like no-till, organic sustainable agriculture, things like that.
But it's a fascinating read because it's not just an instruction manual, it's kind of part manual, part memoir, so it's his life story as well.
But also there's this kind of dose of Eastern mysticism in there as well. It's like one person described it as Zen and the Art of Farming.
And so there's a very kind of Japanese quality to it where you can see that he's trying to be a bit kind of mysterious and a little bit mystical with it as well, as well as being very practical.
So this great little book.
And our capacity to produce chemical nitrogen for bombs ramped up massively during the war.
There was this huge chemical industry that existed after the war that wasn't there before, which is where the sort of chemical fertilizer industry comes from.
Anyway, he predates that, but his alarm bells were going off. So long story short, he basically pioneered all sorts of techniques for growing food that were way ahead of their time.
So he called it his do-nothing technique, but we would call it things like no-till, organic sustainable agriculture, things like that.
But it's a fascinating read because it's not just an instruction manual, it's kind of part manual, part memoir, so it's his life story as well.
But also there's this kind of dose of Eastern mysticism in there as well. It's like one person described it as Zen and the Art of Farming.
And so there's a very kind of Japanese quality to it where you can see that he's trying to be a bit kind of mysterious and a little bit mystical with it as well, as well as being very practical.
So this great little book.
Yeah, I might get this for my in-laws for Christmas. This could be perfect for them.
So that's my pick of the week. It's called One Straw Revolution.
One Straw Revolution, cool. Carole, what's your pick of the week? Okay, my pick of the week is a podcast. Now it's hosted by the Telegraph journalist Cara McGoogan.
I'm not a Telegraph reader, but I happened upon this podcast and I decided to give it a whirl. It's called A Bed of Lies, or Bed of Lies.
Now, it's kind of true crime, kind of investigationy. And so in the intro, Cara says of the show that it looks at one of the biggest scandals in recent British history.
So I'm holding back on agreeing with that or not, because I haven't finished it yet.
I'm not a Telegraph reader, but I happened upon this podcast and I decided to give it a whirl. It's called A Bed of Lies, or Bed of Lies.
Now, it's kind of true crime, kind of investigationy. And so in the intro, Cara says of the show that it looks at one of the biggest scandals in recent British history.
So I'm holding back on agreeing with that or not, because I haven't finished it yet.
What's it about? What is the spin?
Well, that's the thing. I can't really give you the big reveal, okay? It starts off with the backstories. I can't, I can't.
So you gotta just trust me because that's part of the way she kind of does it, is she holds off on telling us what the biggest scandal is until episode 3 or 4.
So you gotta just trust me because that's part of the way she kind of does it, is she holds off on telling us what the biggest scandal is until episode 3 or 4.
But can you give us a sort of genre? Can you sort of say whether it involves corruption?
Yeah, yeah. Can you just hold on? I'm getting there, baby. It starts off with the backstories of 4 women, Rosa, Lisa, Alison, Lindsay, all pseudonyms.
They were all part of a lively activist community a few decades back, and they found partners who shared their passions for activism and seemed perfect until it totally wasn't.
So big 180 happens.
They were all part of a lively activist community a few decades back, and they found partners who shared their passions for activism and seemed perfect until it totally wasn't.
So big 180 happens.
Yeah, I think I know what this is going to be about.
Okay, well, don't say, don't say, because it's kind of part of the way it's built. I think it's kind of silly.
I think they should have given it away at the beginning and then just gone with the story personally, but you know.
The first episode is hesitant, but I don't know, it's almost like the host and the producer are finding their feet or something, but it gets a bit pacier and the story's pretty juicy.
And it's, I don't know, the stories from the women are actually pretty honestly told. It's quite good. So if it sounds like your thing, check it out wherever you get your podcasts.
It's called Bed of Lies, hosted by Cara McGoogan.
I think they should have given it away at the beginning and then just gone with the story personally, but you know.
The first episode is hesitant, but I don't know, it's almost like the host and the producer are finding their feet or something, but it gets a bit pacier and the story's pretty juicy.
And it's, I don't know, the stories from the women are actually pretty honestly told. It's quite good. So if it sounds like your thing, check it out wherever you get your podcasts.
It's called Bed of Lies, hosted by Cara McGoogan.
So I don't know what you're talking about, Carole, but if it's what I think it is, it is a fascinating news story which has spanned a few decades.
And, well, I don't want to give anything away.
And, well, I don't want to give anything away.
I know, I hear you.
I understand. But yes, involves activism and maybe law enforcement.
Why? Yeah. Is the punchline that it turns out they're all actually connected to US East 1?
Mark!
So mysterious. Now, Carole, it's time for our featured interview, isn't it?
Who have we got this week? We have an interview with Deep Instinct's Steve Salinas, who's gonna get us all up to speed on ransomware and what's going on today. So ears open, people.
So hi, Steve Salinas, product marketing manager at Deep Instinct. Thanks for having me.
So hi, Steve Salinas, product marketing manager at Deep Instinct. Thanks for having me.
I'm glad to be here.
It's really lovely to speak with you because we're gonna talk all about ransomware. But first, I wanted to ask you about the lady on your homepage.
So for our listeners, there's this woman who looks very lovely, and then you look at her and her eyes are neon phthalo blue, and then you zoom into her eye and it's all sci-fi.
So I just want to know what the thought process was behind that.
So for our listeners, there's this woman who looks very lovely, and then you look at her and her eyes are neon phthalo blue, and then you zoom into her eye and it's all sci-fi.
So I just want to know what the thought process was behind that.
Yeah, it's kind of a funny little picture there, but I think the whole point is, you know, we want to get across the point to someone that visits our website that we are using, applying artificial intelligence to solve cybersecurity problems.
And it kind of is an interesting way to get someone's attention.
So the idea of, you know, kind of the way a human brain works, the way that our brain makes decisions, we're using technology that works in the same way to solve cybersecurity problems.
So totally, it works.
And it kind of is an interesting way to get someone's attention.
So the idea of, you know, kind of the way a human brain works, the way that our brain makes decisions, we're using technology that works in the same way to solve cybersecurity problems.
So totally, it works.
It works. I mean, I just brought it up as the first question, and I'm sure loads of listeners are now going to your homepage to see what I'm talking about.
So tell me first, tell me a bit about Deep Instinct and what you do?
So tell me first, tell me a bit about Deep Instinct and what you do?
Sure. So the company name is Deep Instinct, and we are a deep learning cybersecurity solution provider.
So what that's kind of a long way to say is that we're applying artificial intelligence, which we interact with every day, all day.
We're applying a form of it, the most advanced form, which is known as deep learning, to identify threats as early as possible, which is known as pre-execution.
Using a deep learning neural network so that we can identify these threats and prevent them from ever having the chance to run in an environment.
So it's really our company, what we call it, we are a prevention-first company.
So our whole idea and philosophy around security is that the best way to protect yourself is to stop a threat from having the chance to run in your environment.
We offer a lot of different solutions that extend that, but that's where we start about preventing.
So what that's kind of a long way to say is that we're applying artificial intelligence, which we interact with every day, all day.
We're applying a form of it, the most advanced form, which is known as deep learning, to identify threats as early as possible, which is known as pre-execution.
Using a deep learning neural network so that we can identify these threats and prevent them from ever having the chance to run in an environment.
So it's really our company, what we call it, we are a prevention-first company.
So our whole idea and philosophy around security is that the best way to protect yourself is to stop a threat from having the chance to run in your environment.
We offer a lot of different solutions that extend that, but that's where we start about preventing.
So can you tell us a bit about deep learning? Just how does it work? And just for some of our listeners so they can understand exactly.
Sure. So the best way to kind of think about deep learning is if you think about, you know, ourselves, brains are very complex.
There are tons of things going on in there we don't have any idea. So if you think about when you're a child or anything, when you learned how to, let's say, ride a bike, right?
As a kid, you know, the first time you rode a bike, you probably fell off a lot. I did.
There are tons of things going on in there we don't have any idea. So if you think about when you're a child or anything, when you learned how to, let's say, ride a bike, right?
As a kid, you know, the first time you rode a bike, you probably fell off a lot. I did.
I broke my arm, actually. Ouch.
Yeah, I definitely had my share of scraped knees and whatnot. You know, then you got the hang of it, right? And as a kid, I rode my bike all over the place.
The phrase that we're all used to is it's riding a bike. That's not a mistake.
So even though you probably haven't been on a bike in years, if you saw a bike and you got on it, your brain would remember how to ride that bike. It just would.
Yeah, so our brains are very complex and they're very advanced.
So very smart people, a lot smarter than me, they looked at that, the way that the brain works, and they said, all right, we're gonna— we can take the same approach to solving lots of different problems.
So a very brief history about artificial intelligence: it's been around since the '50s.
If you're familiar with Alan Turing, you know, the whole idea of the Turing test was if you can distinguish between a machine asking questions compared to a person.
So that was a form of artificial intelligence, very initial forms.
And then, in the '80s or so, this concept of machine learning came out where you could train a machine based on a set of data to come up with some sort of decision or to take some sort of action.
And machine learning has been around for a while. The latest version of artificial intelligence is known as deep learning. So this is where— this is what we do.
So what we do is we take vast amounts of data. Machine learning, deep learning, artificial intelligence, all about data.
So we take a lot of data around threats, and then we take a lot of information about good files, you know, files we use all the time, applications we use all the time.
Not just a few, millions.
And we have data scientists, the founders of the company, they created algorithms, very proprietary set of algorithms that can take this data, we feed it into the model, which is called a neural network.
And the only thing that we tell the model about this data is this set of files and data is known as malicious. And this set over here is good.
So we feed it in and we look at the results.
And after training, and we train in the cloud, it takes a lot of horsepower to train it, develops an innate ability, getting back to my bicycle analogy, to identify a threat.
It's really astounding in that once it's developed this ability, it doesn't need to know anything else about the files at all so that when we point it at a file that it has never seen before, it's going to be able to come up to a decision whether it's malicious or what we call benign or good in milliseconds, and it's extremely accurate.
The phrase that we're all used to is it's riding a bike. That's not a mistake.
So even though you probably haven't been on a bike in years, if you saw a bike and you got on it, your brain would remember how to ride that bike. It just would.
Yeah, so our brains are very complex and they're very advanced.
So very smart people, a lot smarter than me, they looked at that, the way that the brain works, and they said, all right, we're gonna— we can take the same approach to solving lots of different problems.
So a very brief history about artificial intelligence: it's been around since the '50s.
If you're familiar with Alan Turing, you know, the whole idea of the Turing test was if you can distinguish between a machine asking questions compared to a person.
So that was a form of artificial intelligence, very initial forms.
And then, in the '80s or so, this concept of machine learning came out where you could train a machine based on a set of data to come up with some sort of decision or to take some sort of action.
And machine learning has been around for a while. The latest version of artificial intelligence is known as deep learning. So this is where— this is what we do.
So what we do is we take vast amounts of data. Machine learning, deep learning, artificial intelligence, all about data.
So we take a lot of data around threats, and then we take a lot of information about good files, you know, files we use all the time, applications we use all the time.
Not just a few, millions.
And we have data scientists, the founders of the company, they created algorithms, very proprietary set of algorithms that can take this data, we feed it into the model, which is called a neural network.
And the only thing that we tell the model about this data is this set of files and data is known as malicious. And this set over here is good.
So we feed it in and we look at the results.
And after training, and we train in the cloud, it takes a lot of horsepower to train it, develops an innate ability, getting back to my bicycle analogy, to identify a threat.
It's really astounding in that once it's developed this ability, it doesn't need to know anything else about the files at all so that when we point it at a file that it has never seen before, it's going to be able to come up to a decision whether it's malicious or what we call benign or good in milliseconds, and it's extremely accurate.
So this must play into ransomware because we're actually here to talk about ransomware today, right?
So talk to me about ransomware and how— what is deep learning telling you about ransomware.
So talk to me about ransomware and how— what is deep learning telling you about ransomware.
Yeah, so ransomware is one of the most insidious threats that can hit an organization.
And the attackers, they're pretty ruthless because the way that they deploy these threats, they could be either targeted or they can use some automation to target vast amounts of IP addresses and whatnot.
But the fact of the matter is, if an organization gets hit by ransomware, they could be crippled, right?
The whole way— if you're not familiar with, for anyone listening, essentially what ransomware does is it gets into an organization if someone initiates it and starts the ransomware, it will go through and encrypt all the data on your computer.
So think about all that data that's on your machine, stuff you rely on, use all the time. It encrypts it and it holds it hostage.
And what the attackers do then is they display on the machines a ransom note. It's very— I mean, it's called ransomware for a reason.
It's just like when someone, when a person gets held hostage, they get a ransom note said, here we have your data. You need to pay us X amount.
It's usually some sort of cryptocurrency. Bitcoin is their favorite.
Or we're either going to destroy your data, or some of the newer forms of ransomware, they say, we're not going to destroy it, but we're going to leak it, which is obviously very concerning to an organization.
You know, it's all sensitive data.
And the attackers, they're pretty ruthless because the way that they deploy these threats, they could be either targeted or they can use some automation to target vast amounts of IP addresses and whatnot.
But the fact of the matter is, if an organization gets hit by ransomware, they could be crippled, right?
The whole way— if you're not familiar with, for anyone listening, essentially what ransomware does is it gets into an organization if someone initiates it and starts the ransomware, it will go through and encrypt all the data on your computer.
So think about all that data that's on your machine, stuff you rely on, use all the time. It encrypts it and it holds it hostage.
And what the attackers do then is they display on the machines a ransom note. It's very— I mean, it's called ransomware for a reason.
It's just like when someone, when a person gets held hostage, they get a ransom note said, here we have your data. You need to pay us X amount.
It's usually some sort of cryptocurrency. Bitcoin is their favorite.
Or we're either going to destroy your data, or some of the newer forms of ransomware, they say, we're not going to destroy it, but we're going to leak it, which is obviously very concerning to an organization.
You know, it's all sensitive data.
Oh, well, hey, if they were going to leak my diary, I'd be concerned. Right.
So if an organization finds themselves in this situation, you know, it's full-on panic at this point because, you know, there are definitely things that we can talk about mitigation strategies.
There are several you can use.
There are several you can use.
I was wondering first, are companies targeted more than individuals or is it more or less the same or?
Well, the attackers, they target companies a lot because they have deeper pockets, right?
So I mean, there are definitely lots of stories that you hear where this was a few months ago, I believe it was some, you know, I don't want to, I'm not going to say the name of the university because I don't want to get it wrong, but they were doing some COVID research and they got hit by ransomware and they had no choice but to pay the ransom.
And it was, you know, in the millions of dollars because this was extremely valuable data that they needed for their research.
A university is going to have a lot more money to pay than, you know, just Joe Public.
So I mean, there are definitely lots of stories that you hear where this was a few months ago, I believe it was some, you know, I don't want to, I'm not going to say the name of the university because I don't want to get it wrong, but they were doing some COVID research and they got hit by ransomware and they had no choice but to pay the ransom.
And it was, you know, in the millions of dollars because this was extremely valuable data that they needed for their research.
A university is going to have a lot more money to pay than, you know, just Joe Public.
Yeah, I mean, here's $50, does that work?
Yeah, you know, they're looking to get the big paydays. One of the other things that's happened is people's work environments have changed.
Oh, right. Yeah, yeah. So people are working from home, so that makes their kind of— now it's kind of an individual and a company problem, I guess.
Exactly. So it's really bad. I mean, I remember hearing a story. This was years ago, but it's relevant. I won't, again, save all the names to protect the innocent.
But at any rate, there was an executive from some large financial institution that would regularly use his home computer to access his work email and things like that.
Well, he also had a son that would use that machine to go play online games.
And somehow the attacker realized, you know, they were looking and they realized, oh, this kid is using this machine, and they did some sort of social engineering and got access and figured out, oh, this is an entryway into this bank.
But at any rate, there was an executive from some large financial institution that would regularly use his home computer to access his work email and things like that.
Well, he also had a son that would use that machine to go play online games.
And somehow the attacker realized, you know, they were looking and they realized, oh, this kid is using this machine, and they did some sort of social engineering and got access and figured out, oh, this is an entryway into this bank.
I don't think I know a parent these days that haven't under exhaustion handed over their phone or tablet or computer to kid just to have, you know, 10 minutes silence.
Especially now when you think kids are all doing school from home. Yeah, this is what this is. This is broadening the attackers' area that they can target.
So not only before it was all right, company, you know, they're all behind the firewall, they're in buildings.
Now the firewall has kind of virtually disappeared and everyone's at home.
So now the smart attackers, and they're doing it, they're identifying, oh, okay, all of these machines are now all over the place.
So if I can penetrate Steve's machine, I can get into the company. Let's face it, people's protections at home are a lot less sophisticated than an organization's would be, right?
So not only before it was all right, company, you know, they're all behind the firewall, they're in buildings.
Now the firewall has kind of virtually disappeared and everyone's at home.
So now the smart attackers, and they're doing it, they're identifying, oh, okay, all of these machines are now all over the place.
So if I can penetrate Steve's machine, I can get into the company. Let's face it, people's protections at home are a lot less sophisticated than an organization's would be, right?
So totally, that must be keeping so many IT security people awake at night just thinking about all the doom and gloom that could happen just because one employee doesn't have the right infrastructure in place to protect the company and protect themselves.
So let's talk a little bit about how you protect yourself against ransomware organization. So there are a couple of different ways you can do it.
The old school, which doesn't work very well, is I guess I'd call it legacy antivirus.
So this is where there's a piece of software that's installed on all the laptops just for simplicity, and it pulls down a list of known ransomware and its signatures.
So the software, if it identifies there's a file that matches one of these signatures, it doesn't let it run. But guess what?
The attackers know that, so they have gone long past that.
So it's easy for them to make small modifications to their ransomware, and it will completely evade that type of protection.
The old school, which doesn't work very well, is I guess I'd call it legacy antivirus.
So this is where there's a piece of software that's installed on all the laptops just for simplicity, and it pulls down a list of known ransomware and its signatures.
So the software, if it identifies there's a file that matches one of these signatures, it doesn't let it run. But guess what?
The attackers know that, so they have gone long past that.
So it's easy for them to make small modifications to their ransomware, and it will completely evade that type of protection.
So if you're looking for a specific thing, they can just change it slightly so it doesn't match specifically.
You know, if someone's looking for a person and they put a disguise on, you walk right by the police, right? Would never be seen.
So then there's the machine learning approach, which is kind of this category what I call the next-gen players.
They look at the features of ransomware, so it's a little bit better and they train a machine learning model to identify threats.
But then the attackers, really smart, all that what they've done is they've identified the features that these machine learning models are trying to use to identify the threat, and then they just simply don't use them or they change them.
They bypass two different types of protection. Now, our protection seems to be the best.
You know, one of the things that I do all the time is look at the latest ransomware and I run it against our model. And it's very, very effective because we're not using features.
Again, we're training against this vast amount of data and the deep learning neural network is making a decision. It's taking any sort of route to get to that decision.
It's hard to say impossible, but it's virtually impossible for an attacker to figure out what decisions it's making to avoid that.
So one good example, there's a really bad strain of ransomware that was hitting a lot of healthcare organization is called— I don't know how you pronounce it. I call it Ryuk.
It's R-Y-U-K. It's been causing major issues.
So the other day I pulled down, and there's a video on our website, I pulled down almost 100 samples of this ransomware, and I ran it against our neural network.
And one thing I want to be clear is once we've trained the model, no additional training happens. So the one that I was using was trained in November of 2016. So two years old.
And I said, okay, analyze all this ransomware. And it identified every single file as malicious. Wow. Yeah. So it's really powerful.
And that's why we're finding a lot of— to get back to the whole point of, all right, all my employees are all over the place, what do I do?
What you need is a protection that is what we call resilient, right? That doesn't need daily updates.
So I could provide this two-year-old model to most organizations in the country, the world, and they're going to get better protection probably than what they have today, even if I don't ever update it again.
So then there's the machine learning approach, which is kind of this category what I call the next-gen players.
They look at the features of ransomware, so it's a little bit better and they train a machine learning model to identify threats.
But then the attackers, really smart, all that what they've done is they've identified the features that these machine learning models are trying to use to identify the threat, and then they just simply don't use them or they change them.
They bypass two different types of protection. Now, our protection seems to be the best.
You know, one of the things that I do all the time is look at the latest ransomware and I run it against our model. And it's very, very effective because we're not using features.
Again, we're training against this vast amount of data and the deep learning neural network is making a decision. It's taking any sort of route to get to that decision.
It's hard to say impossible, but it's virtually impossible for an attacker to figure out what decisions it's making to avoid that.
So one good example, there's a really bad strain of ransomware that was hitting a lot of healthcare organization is called— I don't know how you pronounce it. I call it Ryuk.
It's R-Y-U-K. It's been causing major issues.
So the other day I pulled down, and there's a video on our website, I pulled down almost 100 samples of this ransomware, and I ran it against our neural network.
And one thing I want to be clear is once we've trained the model, no additional training happens. So the one that I was using was trained in November of 2016. So two years old.
And I said, okay, analyze all this ransomware. And it identified every single file as malicious. Wow. Yeah. So it's really powerful.
And that's why we're finding a lot of— to get back to the whole point of, all right, all my employees are all over the place, what do I do?
What you need is a protection that is what we call resilient, right? That doesn't need daily updates.
So I could provide this two-year-old model to most organizations in the country, the world, and they're going to get better protection probably than what they have today, even if I don't ever update it again.
Yeah, I agree with that sentiment totally. You don't have to have perfect protection, you have to have better protection.
You know, even though our solution shows extremely great results, you can't guarantee 100% all the time.
So we do do other things, behavioral analysis, to look for things that look like ransomware. It's very rare that a ransomware would be able to get past us, this first phase.
But that's why we're seeing a lot of interest in our approach because it's resilient. It doesn't even require being connected to the internet.
All the decisions are taken on the machine that it's protecting and it doesn't need updates.
So we do do other things, behavioral analysis, to look for things that look like ransomware. It's very rare that a ransomware would be able to get past us, this first phase.
But that's why we're seeing a lot of interest in our approach because it's resilient. It doesn't even require being connected to the internet.
All the decisions are taken on the machine that it's protecting and it doesn't need updates.
So what about behaviors that individuals— so we're talking about these employees who are working from home, right?
So I'm guessing rule number one, please don't lend your computers to your kids if you can avoid it. But what other advice do you have? What do you— what do you do at home?
What do you tell, you know, your family to do?
So I'm guessing rule number one, please don't lend your computers to your kids if you can avoid it. But what other advice do you have? What do you— what do you do at home?
What do you tell, you know, your family to do?
If you get an email from someone you don't know that has a link on it, don't open it.
Or if you get an email that says, oh, I'm from a company that you work with a lot, someone you buy stuff from, but it looks a bit weird, you know, has, oh, we need you to update your information here, or we're going to terminate your account, be very suspicious.
You can also look at the URLs.
If it has a really weird URL, it says it's from a big box store, I don't know, a Target or something, but the URL is completely different, it's probably not them.
Or if you get an email that says, oh, I'm from a company that you work with a lot, someone you buy stuff from, but it looks a bit weird, you know, has, oh, we need you to update your information here, or we're going to terminate your account, be very suspicious.
You can also look at the URLs.
If it has a really weird URL, it says it's from a big box store, I don't know, a Target or something, but the URL is completely different, it's probably not them.
These are really, really good points because right now we're kind of sitting ducks because a lot of us are looking up for information on elections that may have just happened.
We're looking for information on coronavirus and what's going on there. We're getting ready for the holidays.
We're buying loads of stuff online because a lot of us are not allowed out. So we've kind of told the bad guys exactly how to get us.
We're looking for information on coronavirus and what's going on there. We're getting ready for the holidays.
We're buying loads of stuff online because a lot of us are not allowed out. So we've kind of told the bad guys exactly how to get us.
I know. And I'll give you one example. You mentioned the COVID.
Some attackers, they said because people were looking for information desperately, they actually had embedded malware in an actual map, an interactive map of COVID. No way.
And fortunately though, we supported that file type. So someone downloaded it, we would identify it as malicious, but not everyone would.
So, you know, the attackers, they don't have any qualms about doing things like that.
Some attackers, they said because people were looking for information desperately, they actually had embedded malware in an actual map, an interactive map of COVID. No way.
And fortunately though, we supported that file type. So someone downloaded it, we would identify it as malicious, but not everyone would.
So, you know, the attackers, they don't have any qualms about doing things like that.
Well, I'm glad there are people like you, Steven, and Deep Instinct to help protect us in this crazy, crazy world we live in right now.
No, we're doing our best. But I think, you know, again, you know, just be vigilant, be suspicious. It's okay to be suspicious. You're not going to hurt anybody's feelings.
Yeah, and stay calm maybe is another good piece of advice. A lot of these things try to incite, you know, some kind of outrage or emergency scenario.
You know, just maybe just take a second. It's okay to think for a minute or two and ask, you know, a trusted friend who knows more about this stuff if you're not sure.
You know, just maybe just take a second. It's okay to think for a minute or two and ask, you know, a trusted friend who knows more about this stuff if you're not sure.
And one last thing I'll mention too, from a personal standpoint, this is good for just individuals.
There are lots of online solutions or ways to back up your data, you know, they're not very expensive.
So if you do happen to—oh man, I actually get hit by ransomware—well, I always say don't pay the ransom.
You know, it only makes the attack—they're only doing it because they get paid.
So if you have other mitigation strategies, have backups, I use a solution like ours, obviously if you're an organization, the lower we can make the incentive as far as the attackers are not going to get paid you know, they'll go down in the long term.
There are lots of online solutions or ways to back up your data, you know, they're not very expensive.
So if you do happen to—oh man, I actually get hit by ransomware—well, I always say don't pay the ransom.
You know, it only makes the attack—they're only doing it because they get paid.
So if you have other mitigation strategies, have backups, I use a solution like ours, obviously if you're an organization, the lower we can make the incentive as far as the attackers are not going to get paid you know, they'll go down in the long term.
Choke the green, right? Choke the green. Exactly. Steven Salinas, product marketing manager at Deep Instinct. Thank you so, so much for coming on Smashing Security.
Thank you.
Well, that was terrific. And that just about wraps it up for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
You can find me on Twitter @MarkStockley.
Terrific. And you can follow us on Twitter @SmashInSecurity, no G. Twitter won't allow us to have a G. You can also join the subreddit for Smashing Security.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
A few announcements first. You each have a VIP invitation to our YouTube Live Smashing Security Christmas special on Thursday, 17th of December, 8 PM UK time.
If our last session was anything to go by, where hundreds of you joined us, asked questions, made friends with other Smashing Security listeners, it was just awesome.
And if our plan for this one on December 17th comes together, it's going to be a YouTube sesh to remember.
We really hope to see you there, guys, because we need to see this shitshow of a year out in style.
And remember, Patreon supporters, any support we receive via Patreon during the month of December 2020 will go directly to our local food bank.
And can I urge you all to look at your communities to see how you can help bring a little joy this season to those who are having a hard time? There's some awful stories out there.
Lastly, a huge shout out to this week's Smashing Security sponsors: Deep Instinct, Sophos, and Bitdefender.
For details on past episodes, sponsorship details, or how to join our Patreon community, check out SmashingSecurity.com.
Plus, you'll find all the details for how you can get in touch with us.
If our last session was anything to go by, where hundreds of you joined us, asked questions, made friends with other Smashing Security listeners, it was just awesome.
And if our plan for this one on December 17th comes together, it's going to be a YouTube sesh to remember.
We really hope to see you there, guys, because we need to see this shitshow of a year out in style.
And remember, Patreon supporters, any support we receive via Patreon during the month of December 2020 will go directly to our local food bank.
And can I urge you all to look at your communities to see how you can help bring a little joy this season to those who are having a hard time? There's some awful stories out there.
Lastly, a huge shout out to this week's Smashing Security sponsors: Deep Instinct, Sophos, and Bitdefender.
For details on past episodes, sponsorship details, or how to join our Patreon community, check out SmashingSecurity.com.
Plus, you'll find all the details for how you can get in touch with us.
Until next time, cheerio, bye-bye. Bye-bye.
Do you think anyone's going to show up on December 17th, Graham?
What, on to our live show? Well, hopefully Mark will, and a chicken.
Are you thinking of giving it a pass, Graham?
No, I'm going to be there if my internet connection holds up. Be interesting to see.
Sorry, I couldn't quite make that.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Mark Stockley:
Show notes:
- Smashing Security's Christmas 2020 live stream — Join us on YouTube on Thursday 17 December.
- Increased cyber-biosecurity for DNA synthesis — Nature Biotechnology.
- New cyber-biological attack can trick biologists into generating dangerous toxins — News Medical Life Sciences.
- Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA — Department of Health and Human Services (PDF).
- AWS: Amazon web outage breaks vacuums and doorbells — BBC News.
- The Supreme Court will finally rule on controversial US hacking law — Ars Technica.
- 18 U.S. Code § 1030 – Fraud and related activity in connection with computers≈ — Legal Information Institute, Cornell University.
- Online-voting company pushes to make it harder for researchers to find security flaws — CNET.
- The Supreme Court will hear its first big CFAA case — TechCrunch.
- Response to Voatz’s Supreme Court Amicus Brief. — An open letter from the security community.
- The Queen's Gambit Netflix series — Wikipedia.
- Twitter thread by Sarah Jamie Lewis.
- Win by Segfault and other notes on Exploiting Chess Engines — Sarah Jamie Lewis.
- One-Straw Revolution — A book by Masanobu Fukuoka.
- Bed of Lies podcast — The Telegraph.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: CultureAI
CultureAI isn’t just another security awareness training provider. It helps you measure and improve every end-user’s cyber security behaviour, providing a management system for IT, Security and Awareness teams.
Learn more and try it for yourself at culture.ai/smashing
Visit culture.ai/smashing now.
Sponsor: Deep Instinct
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place!
Deep Instinct strives to prevent all known and unknown threats using deep learning, making detection and response automated, fast and effective for any threat that cannot be prevented.
Check out a report by the Ponemon Institute, which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
