ISMG Editors: The White House Drive to Secure Code With AI
Also: Crypto's Bonnie and Clyde Plead Guilty; Hackers Hacking Hackers
Anna Delaney (annamadeline) • August 11, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including the White House's debut of a $20 million contest to exterminate bugs with AI, a New York man admitting to being behind the Bitfinex hack, and a new malware campaign that is targeting newbie cybercriminals in order to steal sensitive information.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Rashmi Ramesh, assistant editor, global news desk; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discuss:
- The White House's launch of a cybersecurity challenge designed to harness the power of artificial intelligence to better find and fix vulnerabilities in critical software code;
- New York resident Ilya "Dutch" Lichtenstein last week confessing to hacking billions of dollars from virtual currency exchange Bitfinex and laundering the stolen funds with his wife;
- A new campaign by cybercriminals designed to steal data from less-experienced threat actors and whether law enforcement should actively hunt them down.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the July 28 edition on the MOVEit breach fallout and cybercrime innovation and the Aug. 4 financial services special edition.
Transcript
Anna Delaney: Hi, and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly editorial review of the top information and cybersecurity stories. We have a brilliant trio this week. Rashmi Ramesh, senior sub editor for the global news desk; Mathew Schwartz, executive editor of DataBreachToday and Europe; and Tony Morbin, executive news editor for the EU. Good to see you all.
Tony Morbin: Good to see you, Anna.
Mathew Schwartz: Great to be back.
Delaney: Mathew, we've established that AI is having its moment. And the White House has got a bit of news, it seems to be putting some cash behind its mission for AI to improve cybersecurity. So tell us more about what's to come.
Schwartz: Yes, it seems like AI, AI, AI is the new cyber, cyber, cyber, or maybe the orange is the new - you can work with me and Tony. But Rashmi and I this week, we're both joining forces to report on this interesting new announcement from the White House made at the Black Hat annual conference in Las Vegas - that cybersecurity extravaganza. And the White House is ponying up $20 million. Now, this might not sound like much, but they're doing something interesting with it. They have tasked DARPA, the Defense Advanced - am I going to get this name right? - Research Program Association; we can dub that in later, right? Anyway, DARPA has been tasked with running a competition to harness the power of AI, an echo effects behind me when I say that, but what's interesting to me about this challenge is they're putting up some money and they're saying, Look, everyone knows that secure coding is difficult. Everybody knows that there are software vulnerabilities everywhere - commercial software, open-source software. And in a lot of the core tools and the protocols that we use, this gets magnified, because some of the core stuff gets used in so many different places throughout the software supply chain. So what they're saying is, we want to give you cash, if you can use AI to give us better tools for quickly identifying and fixing software flaws, flaws in code bases, as I said, be they in commercial software or open-source software. So I'm not going to get into all the details. This is a two-year contest. There are going to be some finalists that end up at DEF CON. That's the more hacker-focused conference that runs right after Black Hat next year, 2024. And then we're going to see the finalists at DEF CON 2025. And to win the first-place prize, the top prize of $4 million, the finalists for this 2025 final contest are going to need to build a system that can rapidly defend critical infrastructure code from attack. Will we get there? I don't know.
But I love that DARPA is taking some money and trying to take some intelligent people and the promise of AI for boosting national security, which is cybersecurity and vice versa and going with the problem to see what happens. I think that's the kind of innovation and excitement and hopefully application that we're going to need in order to improve code because we've been talking about secure code forever. It puts people to sleep, unfortunately. And if we can find something that does give us a demonstrable impact, demonstrably improves the quality of code, so that it's less easy to hack, it's more resilient. That would be a wonderful place to get to.
Delaney: That sounds very, very positive. Rashmi, I know, you've been working on this story, too. So what's your take?
Rashmi Ramesh: Just to add to what Matt already said, I like that they've also partnered with giants like Google, Microsoft, OpenAI, and I forget the fourth one, I think it was Anthropic. So these firms will not just sort of lend the platforms to the participants, but also offer them in-house expertise to guide the participants. And what I like about this is that DARPA looks to level the playing field a little bit, and it will award 1 million to each of the seven small businesses that want to partake in this competition. So I thought that these two points were worth highlighting.
Delaney: Very good. Well, we'll know more when it's released at Black Hat this week, and have the reaction from the community. But this is great news for now. Rashmi, we are revisiting the Bitfinex hack. A New York man arrested last year for laundering cryptocurrency from the Bitfinex hack has now admitted to being the hacker behind the incident. So tell us about this unexpected turn of events.
Ramesh: Yeah, and this has got to be the most bizarre crypto case I've ever seen. And that's saying a lot. Because we're talking about a fully wacky universe, where every other day, we see headlines that seem like they're from the Onion, but not satirical. But back to the Bitfinex story. So the news from last week, where a New York couple admitted to hacking and laundering billions of dollars, that's big for a lot of reasons. One, of course, there's a crazy amount of money involved - $4.5 billion, and law enforcement seized $3.6 billion of that money, making it the DOJ's biggest financial seizure ever. So this also showcases that centuries-old law enforcement agencies have the capability to track and bring to justice criminals using a relatively new technology. So to give you a quick brief, or for anyone, for that matter, who somehow missed out on this story. Two New York residents in their early 30s pled guilty to multiple charges related to a 2016 hack of a virtual currency exchange called Bitfinex. So there's Ilya Lichtenstein, I hope I got the pronunciation right, who's popularly known as "Dutch" - and I'm going to continue with Dutch now - confessed to hacking the money from Bitfinex and laundering it with his wife, Heather Morgan, who's very, very popularly known as Razzlekhan. And she also pled guilty to money laundering. So until last week, like you said, we didn't know who the hacker was. The couple was only charged with laundering, not stealing the money. And that admission put a lot of things in place. It explained how Dutch was able to give prosecutors information on how that took place and how they laundered the money. And Anna, you must go through the details of how he hacked the platform. It's fascinating. It talks about how he accessed Bitfinex's network, authorized more than, I think, 2,000 transactions to steal the cryptocurrency and how he retraced his steps into Bitfinex's network and deleted any evidence of him ever being there.
So this is a huge win, right? Because usually big hacks like this have nation-state actors behind them. But this time, it was by two larger-than-life New York residents, who are by no means reclusive, and still managed to escape law enforcement for years. But no matter what, and Ari Redbord of TRM Labs, who I spoke to for the story, put it very succinctly, the evidence was forever on the blockchain.
Delaney: Yeah, so back to Bitfinex. What impact did this hack have on the perception of cryptocurrency exchanges?
Ramesh: Oh, well to just start off with, it got people's attention that just because a crypto company is centralized doesn't mean it's safe. And we know that too well now with a number of hacks that occur on both DeFi and CeFi, but remember that the Bitfinex happened back in 2016. So the financial impact of the hack was not as significant then as it is today. $71 million theft in 2016 is not a small number by any means. But the value is now inflated to 4.5 billion. And that's one of the primary reasons why it's getting all of this attention. And the years after that also saw quite a lot of regulations come in and even more proposed legislations being talked about. Crypto and the larger ecosystem of digital assets have become a topical focus for lawmakers. Even the White House, in fact, released several EOs on digital assets, right? And we're also seeing law enforcement stepping up crypto investigations, forming separate cryptocurrency investigations unit as well. But outside of these highlights, and maybe a couple of others, truth be told, it's not likely to have been the direct result of the Bitfinex case. So hackers are continuing to hack, thieves are continuing to thieve, and victims are continuing to get victimized, and crypto exchanges whether DeFi or CeFi continue to find loopholes in the scanty law that we already have to become richer.
Delaney: Sure, well, we did enjoy the crypto Bonnie and Clyde for a moment. But maybe this case is closed, at least for now. Rashmi, that was excellent. Thank you so much. Well, Tony, moving on to you. I think the phrase "there is no honor amongst thieves" rings true this week? News about a campaign designed to steal data from other threat actors. So what's this all about?
Morbin: Well, again, as you say, we're talking about criminals again. And it was your panel, last week. I was listening to the discussion that you had with Troy Leach of the Cloud Security Alliance. And he was talking about how malicious use of generative AI is accelerating the threats we face, especially things like WormGPT, deepfake authentication and other dark web tools, enabling less technically capable criminals to engage in cybercrime. Initially, that kind of reminded me about every time we hear about a major organization getting breached, the PR is that it was a sophisticated attack, probably by a state actor, or that it turns out to be some smart school kids, except now they don't even need to be smart. Unfortunately, that doesn't mean that smart cybercriminals are being replaced by dumb criminals. It's just that we now increasingly have both. And one of the first to take advantage of the less able are the more sophisticated cybercriminals targeting the crypto wallets of the less experienced. Script kiddies who rely on pre-existing scripts and tools are finding that the tools that are shared within the criminal communities often have malicious code bundled into them by more knowledgeable threat actors. So just this week, bot mitigation company Kasada's threat intelligence team reported about a malware campaign targeting users of OpenBullet - that's an open-source pentest tool, popular within the criminal communities to automate credential stuffing and account takeover attacks. A Telegram channel was set up to share OpenBullet configurations, but it contained a function ostensibly designed to bypass Google's reCAPTCHA anti-bot solution. But the researchers found it wasn't using the usual relatively simple process. And that turned out to be because it contained malware that delivered a remote access Trojan. It targeted stored credentials and cookies, decrypted and harvested sensitive information.
And it also sought out the crypto wallets and directories, encrypting and exfiltrating their contents, including potentially conducting unauthorized funds transfers. Now of course, it's not just script kiddies using these tools. It's part of the commoditization of cybercrime. We have all sorts of criminals using the tools and services of specialists to simplify and speed up their own rate of criminal activity. So this made me think, to what extent is law enforcement doing more of the same? We have had successes in this area, such as 2021, when it was reported how the FBI created a company that sold encrypted devices to hundreds of organized crime syndicates. And that ended up with 800 arrests. Now that we have all these would-be cybercriminals looking for AI-enabled tools, I'm just saying that I do hope law enforcement is creating their own backdoor tools. And even if it isn't, it should probably be spreading rumors that it is so as to have a deterrent effect. We're not talking about entrapment. We're talking about more aggressive hunt forward disruption of activities of already active criminals, such as those that are already taking place by law enforcement activities. I was watching a BBC program Scam Interceptors in which phone scammers were being caught in real time and potential victims were being warned. Now the fact that the scammers' infrastructure on another continent had been hacked demonstrated another example of the kind of activity that does need to be increased, so in support of law enforcement engaging in hack forward, I'll draw the comparison with the military is changing attack where offensive cyber is now already accepted as an appropriate response to attacks already being made. In the U.K., the country's military offensive hacking unit, the National Cyber Force, is said to be engaged in daily operations to disrupt terrorist groups, distributors of child sexual abuse material and military opponents of the U.K.
And in the U.S., General Paul Nakasone confirmed that hunt forward operations were allowing the U.S. to search out foreign hackers and identify their tools before they were hacked, or used against America. So we've got law enforcement agencies such as the FBI, U.S. Secret Service, the U.K. National Crime Agency, Germany's Federal Criminal Police Office, many others closely collaborating with the cybersecurity community, basically conducting investigations for prosecution purposes. So I'd just like to add my support that these moves to increase cooperation and harmonization of approaches to clamp down, especially on the newbies before cybercrime becomes the new pickpocketing, or even more complex than it is today.
Delaney: Sure, well, that's a great overview, Tony. Matt, care to add anything? Your thoughts on law enforcement going on the offensive? What were your thoughts when you heard, Tony?
Schwartz: Tony's called out some great examples. There was the ANOM network that the FBI used to lure criminals. They said it was, I don't know, probably some kind of bulletproof. I forget the exact terminology but a messaging service they could use to escape from law enforcement. Of course, law enforcement already was running it. So there's some interesting examples of that, which undercut the continuing call from many politicians and law enforcement officials, many not all, that there should be no such thing as strong encryption, for example, on messenger services. We see these sorts of very innovative, I know, it's cliche, but out of the box thinking, the FBI's thinking, how do we take down people who want to use secure messaging? I know, we'll give them a secure messaging service. And it's very elegant. And I think it's worked very well. All of these different things and infiltrations they've done these sorts of networks are continuing to pay dividends, you still see these cases, moving through the court system, new people being identified using intelligence gleaned from these operations. So it's all a big step in the right direction.
Delaney: Very good. Well, thank you so much, both of you. Finally, just for fun, there's a lot of AI noise as we know at the moment, who are you turning to for sound comprehensive commentary on this topic, whether it's a journal, a podcast, whatever it may be?
Ramesh: I have a few personal favorites when it comes to doomsday AI fiction. But for today, I want to recommend a series called In Machines We Trust that's produced by MIT Technology Review, which is a weekly deep dive into how AI has transformed our lives in tangible ways. So it talks about everything from facial recognition and used by governments and even how it impacts gun control. So it's a pretty cool series that I began to understand how deeply AI use cases affect us and what its impact is beyond fiction.
Delaney: I'm going to say, yeah, I like that podcast. And that deep dive on what's happening and interviewing inventors and founders and how they're developing the new forms of AI. So thumbs up to that. Tony?
Morbin: Well, I have been a bit of a cop out, because AI's impact is just so pervasive, it's affecting everyone and everything and there are insights coming from all quarters. So you can't look at your favorite source, you just got to look at everything, because there are insights coming from all over the place. Having said that, this also sounds like a bit of a cop out. But OpenAI.com is useful on everything from practical usage to oversights and concerns. But I'd say that you have to be open to everything, because there are insights coming from everywhere at the moment.
Delaney: Open to everything but selective. We love it. Matt?
Schwartz: I'm going to mirror what Tony was saying. I keep a close eye on a daily basis anyway, on a lot of different news feeds. Some of it's technology-focused, some of it's more government-focused or more general news. And you see the use cases popping up all over the place. So there's the theory of how AI is going to work. And as we were talking about before, we see governments attempting to affect policy and get people to play nicely in the AI ecosystem or sandbox or whatever. But it's also just fascinating to watch where the pedal is hitting the metal because you can't always predict where the things are going to happen. You're seeing it on the medical front, for example, but not always in ways that you expect. So I'm keeping track of a few different things. But I love just the daily surprise of what next?
Delaney: Great answers. But I also like the AI Breakdown hosted by Nathaniel Whittemore, which is a daily analysis of all things AI, but as you say, there's so much information out there at the moment. It's important to just look at it all. And as Rashmi said, I like the MIT podcast. Well, thank you very much. Informative, as always. Thank you, Matt, Rashmi and Tony.
Schwartz: Thanks to you for having us.
Morbin: Thanks very much.
Delaney: And thank you so much for watching. Until next time!