Dateline – June 27, 2016. The morning started out as expected: a fast-moving chat behind the scenes getting ready to launch Kaspersky Lab’s first ever foray into the world of Reddit’s Ask Me Anything (AMA) with Costin Raiu, Vicente Diaz, Vitaly Kamluk, Ryan Naraine, Brian Bartholomew, and Juan Andres Guerrero-Saade of Kaspersky Lab’s Global Research and Analytics team (GReAT).
We made the links, made sure everyone was online and then pushed the button that launched the chat, not really knowing who would show up and what they would ask. It was an AMA, after all. The plan was to answer questions for approximately 1.5 hours starting at 9:00 in the morning Boston time. Ultimately, the chat lasted much longer and was much more engaging than we initially anticipated (the last question was answered after 1:28 in the afternoon EDT).
Over the course of the conversation, we saw more than 855 comments on the thread (including our responses), with topics ranging from TV shows all the way to why attribution of APT is difficult for security researchers. There were fans, trolls, reporters, and some looking to get into the industry throwing questions in the direction of GReAT. During the four-plus hours of answering questions, our researchers gave some insightful and candid responses — and they really did answer anything…
I am sure if you asked the six participants their favorite question, each would name a different one, and all of them would struggle to choose just one. In trying this exercise myself, I couldn’t do it and had to settle on six (in no particular order). Below are my favorites (note: we did edit a couple of typos from the original AMA text) and some thoughts about why each stuck with me.
Let’s get this one out of the way early. A lot is written on why you do not see attribution in many reports from security researchers when it comes to the whodunit. It did not take long for this one to come up in the AMA. It was answered twice, actually, and can hopefully put the question to rest.
Could you explain to us non-techies how metadata and other data can be used to attribute hacks such as the DNC attack and Stuxnet? What can and can’t be altered such that firms like Kaspersky can attribute accurately?
Brian and Juan here: This is a great question and very rarely answered in detail, partly because letting the adversaries know what you use in attribution allows them to manipulate the very same data. There is really little that can’t be faked or manipulated, and this is why the industry has such heated debates sometimes over attribution.
The main pieces that seem to be used a lot in attributing attacks usually focus around languages used in the code, the times when the malware was compiled, motivation behind the attacks, types of targets, IP addresses used during the attack, where the data is being sent to after, etc. All of this is used in a sort of “matrix” to determine the potential players when discussing attribution. In the case of the DNC attacks, for example, many experts agree that the malware used in the attacks, as well as some of the infrastructure used, only belongs to two “groups.”
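One of the signals named above, “the times when the malware was compiled,” can be turned into a concrete analyst check. The script below is an added example, not code from the AMA or from Kaspersky: it reads the COFF `TimeDateStamp` out of PE headers, ranks candidate UTC offsets by how many builds fall into Monday-to-Friday office hours, and flags stamps that cannot be real (epoch zero, or later than the sample was first seen), since the answer itself stresses that such data can be manipulated. All PE blobs and build times are constructed here so the expected answer (UTC+3) is known in advance.

```python
"""Added example, not from the AMA or from Kaspersky: reading PE compile
timestamps and scoring candidate UTC offsets by how office-like the resulting
working hours look. Every sample here is constructed."""
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a PE file: a DOS header whose e_lfanew points
    at the 'PE\\0\\0' signature, followed by a COFF header with TimeDateStamp."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature at offset 64
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,     # Machine = IMAGE_FILE_MACHINE_I386
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp: seconds since 1970-01-01 UTC
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0, 0,       # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> Optional[datetime]:
    """Return the COFF TimeDateStamp as a UTC datetime, or None if the blob
    does not carry a valid MZ/PE header pair."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # TimeDateStamp sits after Signature(4) + Machine(2) + NumberOfSections(2).
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def implausible_timestamp(compiled: datetime, first_seen: datetime) -> bool:
    """Flag stamps that cannot be genuine: epoch zero, or a 'compile' time later
    than the moment the sample was first observed (classic timestamp stomping)."""
    return compiled.timestamp() == 0 or compiled > first_seen


def compile_times(blobs: List[bytes]) -> List[datetime]:
    """Extract UTC compile times from a corpus, silently skipping non-PE blobs."""
    return [t for t in (pe_compile_time(b) for b in blobs) if t is not None]


def working_hours_score(times: List[datetime], offset_hours: int) -> float:
    """Fraction of builds landing Mon-Fri 09:00-17:59 once shifted to UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in times:
        local = t.astimezone(tz)
        if local.weekday() < 5 and 9 <= local.hour < 18:
            hits += 1
    return hits / len(times) if times else 0.0


def likely_utc_offsets(times: List[datetime], top: int = 3) -> List[Tuple[int, float]]:
    """Rank UTC offsets -12..+14 by office-hours fit; ties go to the smaller offset."""
    scored = [(off, working_hours_score(times, off)) for off in range(-12, 15)]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))[:top]


# Constructed corpus: wall-clock build times in UTC+3 across one working week,
# plus one Saturday 03:00 outlier, so the expected best offset (+3) is known.
_PLUS3 = timezone(timedelta(hours=3))
_LOCAL_BUILDS = [
    datetime(2016, 6, 20, 10, 0, tzinfo=_PLUS3),   # Mon
    datetime(2016, 6, 21, 12, 0, tzinfo=_PLUS3),   # Tue
    datetime(2016, 6, 21, 14, 30, tzinfo=_PLUS3),  # Tue
    datetime(2016, 6, 22, 9, 45, tzinfo=_PLUS3),   # Wed
    datetime(2016, 6, 22, 16, 0, tzinfo=_PLUS3),   # Wed
    datetime(2016, 6, 23, 11, 15, tzinfo=_PLUS3),  # Thu
    datetime(2016, 6, 23, 15, 0, tzinfo=_PLUS3),   # Thu
    datetime(2016, 6, 24, 17, 30, tzinfo=_PLUS3),  # Fri
    datetime(2016, 6, 25, 3, 0, tzinfo=_PLUS3),    # Sat outlier
]
SAMPLE_PES = [build_minimal_pe(int(t.timestamp())) for t in _LOCAL_BUILDS]

if __name__ == "__main__":
    times = compile_times(SAMPLE_PES)
    for off, score in likely_utc_offsets(times):
        print(f"UTC{off:+d}: {score:.2f} of builds in office hours")
```

Run stand-alone it prints UTC+3 first with 8 of 9 builds in office hours, then +2 and +4 tied at 7 of 9. On a real corpus the ranking is only one cell in the “matrix” the answer describes: neighbouring offsets score almost as well, a build farm or a night-shift team shifts the peak, and any stamp that `implausible_timestamp` flags should drop the whole signal for that sample rather than be averaged in.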
Hello Kaspersky Lab researchers,
I know you avoid attribution as a policy, but it seems fairly evident that most state-level targeted attacks seem to be carried out by the so-called major cyber powers (U.S., U.K., Russia, China, Iran, etc.). For the sake of this question, let’s assume attributional indicators reflect reality. Why don’t we see more state-level hacking activity carried out by developing or undeveloped nations? It would seem that the cyber espionage game is completely democratic with the wide availability of cheap and free remote access and post exploitation tools.
Vicente here: Following your assumption, it would make sense that countries with more resources to spend on such operations would be the most active, which would reflect the list you mentioned. That does not mean that developing countries don’t participate in such operations; however, many times they use external resources, which is cheaper than developing major “cyber-capabilities.” That, among other things, makes attribution more difficult (it is not the same as developing an advanced and unique weapon rather than using a common one).
Also, you should consider the “media exhaustion” factor that unfortunately also might limit the information distributed for some campaigns. If someone discovers a campaign of a small tiny country targeting their small tiny neighbor, you probably won’t read about it in any major publication.
Security breaches…can government help?
Any reader of Kaspersky Daily knows that we cover hacks and security breaches all the time. “What can I do to stay safe?” comes up a lot in our social media feeds from users reading the stories. In the AMA, it came up again:
Security breaches are not going to go anywhere any time soon to the extent that the United States now has a cyber incident severity schema. My question is, what are your thoughts on how the government can tackle this issue or should the government not be involved in the civilian sector?
Juan here: Difficult, difficult question. There’s definitely a big role for government to play in tackling this issue. More importantly, in a way it has to be the government doing some of these things. For example, the debate on “hacking back” is one that I’d rather not extend beyond the powers of the public sector (as what you might call an extension of the government’s “monopoly on the legitimate use of violence”). At a time when attribution is artisanal and reliable attribution is nearly impossible, I’d much rather let certain government agencies handle the recourse to hacking back entirely.
Now, as to what government can do right now, two things come to mind:
1. Private sector cooperation with law enforcement is essential in taking down certain types of very troubling malware, like ransomware. When the crypto is properly implemented, the best thing that can happen is to have law enforcement cooperation to seize C&C servers so we can make decryption software and services for the victims. We can’t seize the servers ourselves, so open and empowered cooperation is important.
2. Information sharing initiatives are awesome and there aren’t enough of them with really key sectors, like the financial sector, healthcare, and even certain specialized sectors of tech. These sectors need expertise but often feel they cannot or should not share for fear of the stigma of a hack or potential legal repercussions. It’s great when governments step in and provide a safe haven for companies to reach out, share what they know, what concerns them, and receive the help they need.
Who knew Costin liked Mr. Robot?
My colleagues on the social media team and in our NA office often talk about Mr. Robot. Given the show’s subject matter, it shouldn’t surprise me. I have yet to see an episode, but no worries — GReAT’s fearless leader as well as Juan had the answer for the AMA audience.
If you watch Mr. Robot, on a scale from 0 to 10, rate how well the show actually meets the reality of the IT security and hacking field?
Costin here: Mr Robot is a strong 9.5 for me. Most of the scenes are top class, and the usage of tools, operating systems, and other tiny details, from social engineering to opsec is very good. I particularly enjoyed some of the quite realistic scenes, such as the poor developer who can’t help fixing the broken Bitcoin bank and the parking lot USB key attack.
Juan here: Admittedly having only watched the first season, some of the depictions of hacking are surprisingly good. Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation (less than the span of a shower).
The user who asked this question was one of the most excited users on the #ASKGReAT thread on Twitter. When I gave her the link this morning, she was still excited and noted that she asked a good question. Actually, it was four good ones.
1) If your system has been compromised, using an encrypted email service will not save you, right?
2) How can we use Android devices safely while retaining our privacy when we have to connect them to a Gmail account? (And Google collects data).
3) Is there any messaging app for Android that you use and that you know does not collect data?
4) IT security fascinates me, but I don’t have the expertise. How can we, normal users, contribute to a safer and freer internet?
Juan here: Wow there! Alright, let’s see.
1. I really love your first question because it reaffirms why I think we are working in the most important side of the “infosec problem.” Short answer: No, if your endpoint is compromised, using an encrypted email service will not save you per se. The more nuanced answer is that it won’t save you from an attacker using malware to have a presence on your device, but it wouldn’t affect the fact that encrypted email (PGP for example) will keep your emails from being read in transit or in a breach of your inbox or that of the recipient. I say that we are working on an important part of infosec because security solutions tend to be built on the assumption of an uncompromised endpoint, so designing and supporting software meant to secure your devices is not a trivial thing.
Jumping through your other questions since there’s so much to cover here:
2. Android is a difficult platform to secure. If you’re concerned about privacy, a lot of the time your issues will come from excessive third-party app permissions and “games” taking the liberty to lift whatever information they see fit. Those concern me more (personally) than the Gmail integration itself.
3. As for messengers, we tend to play around a lot with different “secure” messengers. I’m in no position to audit the crypto or implementation on these, but some of us are currently testing out Wire. SilentText, Signal, Threema, and Wickr have been old favorites. I don’t know that I can promise that they don’t collect data; you’d have to ask them.
4. Please secure your accounts!!! Use a password manager and two-factor authentication. Attackers do a lot with the accounts they pop.
Pokémon – Go or NO Go?
As you know, we’ve written a bit on the craze du jour that is Pokémon Go. GReAT was asked about it during the AMA. So yeah, it had to be included…
Do you guys have time to play Pokémon 😀 or some other games? Do you like MMO RPGs?
Juan here: I’m sure there are people in GReAT playing Pokémon Go, particularly with some latent Ingress fans. I don’t get a lot of time to play but like SC2 and Destiny. Brian and I have been playing some Overwatch on Xbox. And I may be slowly trying to make my way through Zelda (A Link Between Worlds) on 3DS in different airport lounges…
Brian here: I do play with the Pokémons from time to time 🙂 My wife hates it, and honestly, I’m kind of a closet player. I’ll walk around the grocery store and hide my phone while I’m shopping. As for other games, when I have time, right now it’s all Overwatch. Before that, Fallout 4 all the way! And yes, I am a console guy. There is no PC Master race IMO.
Costin here. I don’t play Pokémon Go, but I play EVE Online. Minmatar ftw. 🙂
Vicente here: Big Street Fighter IV fan, disappointed with SFV, and occasional SC2 player. Waiting for the new Mass Effect.
Vitaly here. My job is my video game. Very realistic, 3D open-world with unexpected turns and hard problems to solve.
The Android platform is popular (disclosure: one of my phones is a Droid and it has Kaspersky Internet Security for Android) among not only users, but also crooks. Don’t take that on trust, look at the numbers. It was good to see this question come up in the AMA as a double-whammy in the same question.
Should I install an antivirus on my Android smartphone? Are viruses and malware a real threat on mobiles?
Costin here: I think mobile malware can be compared with an iceberg — there is probably a lot that we have not seen yet. Even though the number of malicious programs for Android has been skyrocketing during the past years, most of them are adware and lockers. Our analysis of high-end APTs such as Equation seems to suggest many threat actors have developed mobile implants, which means that sooner or later, they will be found — just like we found the HackingTeam mobile implants, for example. Running a security solution on your Android device will certainly help not just with protection against known threats but hopefully with catching some new ones as well.
At the moment though, what are your predictions/instincts?
From what I gather, Android malware is mainly distributed from third-party stores, and Google actually does a good job keeping the Play Store nice and clean.
However, tons of Android phones are out-of-date (thanks to all manufacturers, doing an awesome job at keeping us safe): do you think we’ll see massive infections one day because someone decides to abuse Stagefright and send a MMS to everyone on the planet?
You also mention APT (Equation): Do these really represent a threat to a random Android user or just VIPs?
Costin here: What worries me the most is the uncontrollable usage of advertising libraries in Android “freeware.” Think of that Flashlight app that requires internet connection, right? Nowadays, way too many applications are linked with standardized advertising libraries that allow the developer to make a quick buck. Many of the companies developing these libraries are getting sold left and right, and what used to be a rather harmless advertising library can suddenly become the entry point of a sophisticated attack to tens of thousands of phones. In the future, I think threat actors will purchase companies that create advertising libraries and trojanize them with malicious code. This can be a much cheaper solution to compromising targets, and it doesn’t require any sophisticated zero days.
On the other hand, massive attacks abusing something like Stagefright are not completely impossible, however. What we see nowadays seems to indicate the best attacks come from nation states, which prefer more focused approaches.
So there you have it, my top six moments from the GReAT AMA. What do you think? What should have been added? What should have been removed? Let me know on our Facebook or Twitter accounts. And from the GReAT (and everybody here at Kaspersky), THANK YOU again for being a part of our virgin voyage on AMA.