Collective Intelligence

It's New Year's Eve, the perfect day to reflect on the year's best episodes of the Collective Intelligence Podcast. It also happens to be the 50th episode, so thanks for subscribing, listening, and sharing the podcast so far. Enjoy the recap.  Flashpoint's Allison Nixon on SIM swap fraud (1:04) Troy Hunt on changing behaviors around password reuse (11:27) Marty Roesch reflecting on 20 years of Snort and growing a commercial company around security's most popular open source project (21:05).  Patrick Wardle relives research he did on synthetic clicks in MacOS (31:10) Alex Klimburg discusses how ideologies shape conflict in cyberspace (38:41) Bruce Schneier talks about the need for public-interest technology (48:02) And Flashpoint's Eric Lackey shares his experience and insight on mitigating the insider threat (58:05). 

Flashpoint's Ian Gray and Max Aliapoulios discuss trends happening inside illicit underground online markets where everything from credit cards and personal information, to drugs and other physical goods, are sold. Ian and Max help characterize these markets, the impact of law enforcement and self-imposed shutdowns on the overall landscape, the ecosystem supporting these markets, as well as trends we can expect to see formulating in the coming months. 

Chris Cochran, threat intelligence lead at a media services company, shares his personal and professional journey to a career in information security and intelligence. Cochran, who co-hosts the secdevops.ai podcast, shares his unique career path, one that spans the military, public service, a startup, and now a major enterprise. He's an innovator in developing a culture inside the enterprise that embraces security, doing so by introducing unstructured play into the environment with a large degree of success. In the podcast, he describes how play helps train teammates, increase visibility, and remediate security gaps.  

Longtime Fortune 100 CISO and current managing partner at DelveRisk Anthony Johnson discusses what it takes to drive information security culturally inside the enterprise and smaller organizations. Anthony explains the trends that helped to elevate security to a C-suite and board-level discussion, how employees must be an extension of the security operation, and the consequences of current security skill shortage in the industry. 

In this episode of the Collective Intelligence Podcast, recorded during the recent Black Hat conference in Las Vegas, Alexander Klimburg of the The Hague Centre for Strategic Studies discusses how the East—Russia and China specifically—don’t view cyber conflict and cyberwar as a battle for critical infrastructure, as the West might. Instead, regime change is the nightmare scenario in these regions, Klimburg said, adding that Russia is attempting to extend to the internet the Communist tradition of the information sphere being the dominant sphere of decision making. By changing the multistakeholder governance model to a multilateral one, Russia believes it would have more stable control over cyber. 

Jeffrey Smith, managing partner of Cyber Risk Underwriters, explains why the adoption of cyber insurance is turning a corner and becoming a constant fixture inside enterprises, smaller companies, and even managed security service providers. Smith discusses how cyber insurance products options are improving, with input from a number of prominent security researchers and managers. He also discusses what current cyber insurance products look like, what industries are gravitating toward adoption, and why he believes it will someday soon be on par with standard insurance businesses currently buy as a baseline. 

Security researcher Mathy Vanhoef discusses two new vulnerabilities he and colleague Eyal Ronen discovered in the Dragonfly cryptographic handshake in the WPA3 WiFi protocol. The vulnerabilities, nicknamed Dragonblood, are the continuation of research and additional security flaws in the protocol the two disclosed in April.  The bugs include side-channel timing attacks and downgrade attacks that allow a hacker to leak memory from a client connection to a wireless access point and decrypt passwords in offline dictionary attacks. The Dragonblood attacks bypass mitigations in WPA3 designed to blunt these types of offline attacks.  The vulnerabilities are design and implementation flaws that are being addressed by the WiFi Alliance. Vanhoef discusses his and Ronen's interactions with the group. He also looks back at the KRACK attack he developed three years ago against WPA2. 

LAS VEGAS—Akamai Director of Security Strategy Tony Lauro table-sets the annual Black Hat hacker conference with a wide-ranging discussion about some of the threats facing private- and public-sector organizations. Lauro discusses the changing motivations of threat actors, and describes the challenges facing defenders stuck between hackers seeking profit, social change, or those motivated by espionage. He also digs into the shifting trend of targeted ransomware attacks, how attackers are leveraging bots to carry out credential-stuffing attacks at scale to perform account takeover attacks, and how sharing of threat data across industries needs to move beyond only industry-specific groups. 

Eric Lackey of Flashpoint discusses the risk to businesses and the public sector posed by privileged insiders. The insider threat—characterized by a rogue or disgruntled employee, or an accidental disclosure by an employee—requires a mix of technology and understanding of human nature to properly mitigate the risk to the bottom line. Lackey covers common risks posed by insiders, mistakes made by defenders trying to mitigate insider threats, and what it takes to successfully develop and implement an insider threat program. 

Digita Security Chief Research Officer Patrick Wardle discusses a macOS Mojave vulnerability he recently disclosed whereby an attacker can abuse synthetic clicks allowed by the OS to spy on users, access private data, or install additional malicious code.  Wardle disclosed the vulnerability during the Objective By The Sea conference in Monte Carlo earlier this month. He previously had privately disclosed the issue to Apple, which has yet to patch it, but has introduced a temporary mitigation.  The bug bypasses additional security protections Apple introduced in Mojave that specifically ban synthetic clicks without the user physically clicking through and permitting this action. 

Flashpoint Director of Security Research Allison Nixon discusses SIM swap, a lucrative form of fraud that is turning profits for criminals and quickly gaining more attention from the security research community and law enforcement alike.  In this podcast, Allison describes the machinations of a SIM swap scheme, starting with the criminals who cook up these capers and often recruit insiders at a telecommunications company to take part in these scams, to the places where the industry is coming up short in defending against it.   

Peri Doerfler of the NYU Tandon School of Engineering discusses a recently published paper and research conducted by NYU and Google looking into the efficacy of login challenges in deterring account takeover attacks. The research examined a sample of 1.2 million users and 350,000 hijacking attacks and the success of things like knowledge-based challenges, on-device prompts, SMS two-factor authentication and more in holding off account takeover attacks.

David Maimon, an associate professor and director of the Evidence Based Cybersecurity Research Group at Georgia State University, describes work he and his colleagues did investigating the prevalence and availability of SSL and TLS certificates on the dark web. A paper published by the group explains the results and demonstrates a thriving market for SSL and TLS certificates, which in some of the leading underground markets are getting more interest than ransomware, for example. 

Troy Hunt’s Have I Been Pwned website recently turned 5 years old, and for much of that time it has been the definitive place for computer users to determine their exposure from data breaches. Have I Been Pwned is also a model for usability in security, enabling a free and clearly spelled out answers as to whether account information has been compromised, where, and how. Hunt hopes that it and its sister service Pwned Passwords continue to be the catalyst for improved behaviors online. In this episode of the Collective Intelligence Podcast, Hunt discusses the brief but impactful history of his site and not only how it’s grown into one of the top 5,000 sites on the Internet, but also how many critical web-based services have integrated its data via an API to improve privacy and security.

Bruce Schneier, a cryptography pioneer, and fellow and lecturer at Harvard’s Kennedy Business School, has taken up the cause of public-interest technology and is trying to bring awareness to the current state of affairs, and how not only security professionals but technologists in all fields can make a difference. In this episode of the Collective Intelligence Podcast, Schneier discusses how technologists can—and should feel an obligation to—make a difference. Schneier uses the analogy of public-interest law and would like to see technologists, beyond security and privacy professionals, carve out pro-bono time to assist marginalized communities or built software tools that are public-interest focused.

In this episode of the Collective Intelligence Podcast, Kris Mansson, chief executive officer of technology company Silobreaker, explains how organizations are struggling with unmanageable volumes of security data, and their desire for context around that data in order to make better decisions about threats to their networks, resources, or people. Even with threat intelligence platforms or security information and event management systems, organizations can still be overwhelmed by security alerts and data culled from dozens and dozens of sources. As Mansson said, “Now it’s a prioritization game.”

Dr. Avi Rubin, professor of computer science at Johns Hopkins University and technical director of the JHU Information Security Institute, explains the challenges associated with securing IOT devices, and the strides companies such as Harbor Labs, founded by Rubin, are making in analyzing IOT firmware for flaws. Rubin also addresses whether IOT is the unsolvable problem in security, how legislation may impact manufacturers and distributors of connected devices, and whether the Mirai botnet and malware is the IOT equivalent of the Morris worm. Rubin wraps up the discussion with some insights into another area of his expertise, election security. He discusses influence operations against our elections and whether paper ballots are the safer alternative to electronic voting.

Flashpoint Director of Americas Research and Analysis Ian Gray discusses the proliferation—or lack thereof—of cryptocurrency usage and interest among cybercriminals operating in Latin America. While some criminal elements do cash out or mine cryptocurrency in the region, a lack of legal oversight and technical sophistication makes legitimate payment processors viable options. Gray and co-presenter Carles Lopez-Penalver of Chainanalysis presented on the topic this week at RSA Conference 2019 in San Francisco.

Verodin CTO Colby DeRodeff talks to Mike Mimoso about his company's new Threat Actor Assurance Program and partnership with Flashpoint. DeRodeff explains the need for threat intelligence to support an examination and evaluation of an enterprise's security controls against advanced and commodity malware and exploits. 

Flashpoint Director of Research Chris "Tophs" Elisan discusses the development and business structure behind the GandCrab ransomware. Elisan, along with co-presenters from Microsoft and F5 Networks, discussed GandCrab and other malware and exploits turning a profit for criminal gangs during a talk this week at RSA Conference 2019 in San Francisco. Hear Elisan describe the evolution of GandCrab, services and partnership aspects to the operation, and the profits generated from these attacks.