Dateline – June 27, 2016. The morning started out like we thought: a fast-moving chat behind the scenes getting ready to launch Kaspersky Lab’s first ever foray into the world of Reddit’s Ask Me Anything (AMA) with Costin Raiu, Vicente Diaz, Vitaly Kamluk, Ryan Naraine, Brian Bartholomew, Juan Andres Guerrero-Saade of Kaspersky Lab’s Global Research and Analytics team (GReAT).
We made the links, made sure everyone was online and then pushed the button which launched the chat, not really knowing who would show up and what they would ask. It was an AMA after all. The plan was to answer questions for approximately 1.5 hours starting at 9:00 in the morning Boston time. Little did I know, it would be much longer and much more engaging than initially anticipated (the last question was answered after 1:28 in the afternoon EDT).
Over the course of the conversation, we saw over 855 comments on the thread (including our responses) with topics ranging from TV shows all the way to why attribution of APT is difficult for security researchers. There were fans, trolls, reporters and those looking to get into the industry throwing questions in the direction of GReAT. During the four-plus hours of asking questions the researchers gave some insightful and candid answers and really did answer anything…
We did say ask us anything: If you could be stuck on an island w #Jesus or @POTUS which 1 would it be? https://t.co/86GMv68yBF
— Kaspersky (@kaspersky) July 27, 2016
I am sure if you asked the six participants their favorite question, they would all give you something different and would probably struggle to give you just one. In trying this exercise myself, I couldn’t do it and had to settle with five (in no particular order). Below are my favorites (note: typos edited from original AMA text) and some thoughts as to why it stuck with me.
Attribution
Let’s get this one out of the way early. A lot is written on why you do not see attribution in many reports from security researchers when it comes to the who-done-it. It did not take long in the AMA for this one to come up and was answered, twice actually and can hopefully put the question to bed once and for all.
Could you explain to us non-techies how metadata and other data can be used to attribute hacks such as the DNC attack and Stuxnet? What can and can’t be altered such that firms like Kaspersky can attribute accurately?
Brian and Juan here: This is a great question and very rarely answered in detail, partly because letting the adversaries know what you use in attribution allows them to manipulate the very same data. There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution.
The main pieces that seem to be used a lot in attributing attacks usually focus around languages used in the code, the times when the malware was compiled, motivation behind the attacks, types of targets, IP addresses used during the attack, where the data is being sent to after, etc. All of this is used in a sort of “matrix” to determine the potential players when discussing attribution. In the case of the DNC attacks for example, many experts agree that the malware used in the attacks as well as some of the infrastructure used, only belong to two “groups”.
Hello Kaspersky Lab researchers,
I know you avoid attribution as a policy, but it seems fairly evident that most state-level targeted attacks seem to be carried out by the so-called major cyber powers (U.S., U.K., Russia, China, Iran, etc.). For the sake of this question, let’s assume attributional indicators reflect reality. Why don’t we see more state-level hacking activity carried out by developing or undeveloped nations? It would seem that the cyber espionage game is completely democratic with the wide availability of cheap and free remote access and post exploitation tools.
Thanks!
Vicente Diaz,
Principal Security Researcher, Global Research and Analysis Team
Vicente here: Following your assumption, it would make sense than countries with more resources to spend in such operations would be the most active, which would reflect the list you mentioned. That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major “cyber-capabilities”. That, among other things, makes attribution more difficult (is not the same as developing an advanced and unique weapon rather than using a common one).
Also you should consider the “media exhaustion” factor that unfortunately also might limit the information distributed for some campaigns. If someone discovers a campaign of a small tiny country targeting their small tiny neighbor, you probably won’t read about it in any major publication.
Security Breaches… Can Government Help?
Any reader of Kaspersky Daily knows that we cover hacks and security breaches all the time. ‘What can I do to stay safe?’ comes up a lot in our social media feeds from users reading the stories. In the AMA, this came up once again:
Security breaches are not going to go anywhere any time soon to the extent that the United States now has a cyber incident severity schema. My question what are your thoughts on how the government can tackle this issue or should the government not be involved in the civilian sector?
Juan here: Difficult, difficult question. There’s definitely a big role for government to play in tackling this issue. More importantly, in a way it has to be the government doing some of these things. For example, the debate on ‘hacking back’ is one that I’d rather not extend beyond the powers of the public sector (as what you might call an extension of the government’s ‘monopoly on the legitimate use of violence’). At a time when attribution is artisanal and reliable attribution is nearly impossible, I’d much rather let certain government agencies handle the recourse to hacking back entirely.
Now, as to what government can do right now, two things come to mind:
1. Private sector cooperation with law enforcement is essential in taking down certain types of very troubling malware, like ransomware. When the crypto is properly implemented, the best thing that can happen is to have law enforcement cooperation to seize C&C servers so we can make decryption software and services for the victims. We can’t seize the servers ourselves so open and empowered cooperation is important.
2. Information sharing initiatives are awesome and there aren’t enough of them with really key sectors, like the financial sector, healthcare, and even certain specialized sectors of tech. These sectors need expertise but often feel they cannot or should not share for fear of the stigma of a hack or potential legal repercussions. It’s great when governments step in and provides a safe haven for companies to reach out, share what they know, what concerns them, and receive the help they need.
Who Knew Costin Liked Mr. Robot?
My colleagues on the social media team and in our NA office often talk about Mr. Robot. Given the show’s subject matter, it shouldn’t surprise me. I have yet to see an episode, but no worries GReAT’s fearless leader as well as Juan had the answer for the AMA audience.
If you watch Mr.Robot, on scale from 0 to 10 rate how the show actually meet the reality in IT security and hacking field?
Costin here: Costin here: Mr Robot is a strong 9.5 for me. Most of the scenes are top class and the usage of tools, operating systems and other tiny details, from social engineering to opsec is very good. I particularly enjoyed some of the quite realistic scenes, such as the poor developer who can’t help fixing the broken Bitcoin bank and the parking lot USB key attack.
Juan here: Admittedly having only watched the first season, some of the depictions of hacking are surprisingly good. Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation (less than the span of a shower).
Four-Way Dance
The user who asked this question was one of the mst excited users on the #ASKGReAT thread on Twitter. When I gave her the link this morning, she was still excited and noted that she asked a good question. Actually it was 4 good ones.
1) If your system has been compromised, using an encrypted email service will not save you, right?
2) How can we use Android devices safely, while retaining our privacy when we have to connect them to a Gmail account? (And Google collects data).
3) Is there any messaging app for Android that you use and that you know does not collect data?
4) IT security fascinates me but I don’t have the expertise. How can we, normal users, contribute to a safer and freer internet?
Juan here: Wow there! Alright, let’s see.
1. I really love your first question because it reaffirms why I think we are working in the most important side of the ‘infosec problem’. Short answer: No, if your endpoint is compromised, using an encrypted email service will not save you per se. The more nuanced answer is that it won’t save you from an attacker using malware to have a presence on your device, it wouldn’t affect the fact that encrypted email (PGP for example) will keep your emails from being read in transit or in a breach of your inbox or that of the recipient. I say that we are working on an important part of infosec because security solutions tend to be built on the assumption of an uncompromised endpoint so designing and supporting software meant to secure your devices is not a trivial thing.
#KSN #Report: #Mobile ransomware in 2014-2016 https://t.co/zmvSlscN0X #klreport pic.twitter.com/mxDUxrnIJe
— Securelist (@Securelist) June 29, 2016
1. Jumping through your other questions since there’s so much to cover here: Android is a difficult platform to secure. If you’re concerned about privacy, a lot of the time your issues will come from excessive third-party app permissions and ‘games’ taking the liberty to lift whatever information they see fit. Those concern me more (personally) than the Gmail integration itself.
2. As for messengers, we tend to play around a lot with different ‘secure’ messengers. I’m in no position to audit the crypto or implementation on these but some of us are currently testing our Wire. SilentText, Signal, Threema, and Wickr have been old favorites. I don’t know that I can promise that they don’t collect data, you’d have to ask them.
3. Please secure your accounts!!! Use a password manager and 2factor authentication. Attackers do a lot with the accounts they pop.
Pokémon – Go or NO Go?
As you know, we’ve written a bit on the craze du jour that is Pokémon Go. GReAT was asked about it during the AMA. So yeah, it had to be included…
Do you guys have time to play Pokémon
Tips