- Apr 5, 2014
- 6,008
Malware researchers for Kaspersky Lab took to Reddit’s IAmA chat today and pronounced an affection for the hacker-hero TV show “Mr. Robot” but not NSA hacker Edward Snowden.
Responding to a question about how they like it, the team’s global director Costin Raiu says, “Mr Robot is a strong 9.5 for me. Most of the scenes are top class and the usage of tools, operating systems and other tiny details, from social engineering to opsec is very good. I guess having help from some real world security experts (the folks at Avast did a great job!”
“Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation,” which in one episode was less than the time it took someone to take a shower, says another team member, Juan Andres Guerrero-Saade.
Not so popular, “CSI: Cyber”. Asked if he watches, researcher Brian Bartholomew says, “Yes and it’s terrible. But I do enjoy laughing out loud at it.”
Meanwhile the 46-member Global Research & Analysis Team (GReAT) says it has no affiliation with the NSA hacker. “We have no connection whatsoever with Edward Snowden,” says Raiu.
A questioner asked whether the team used information from the Snowden leaks to uncover the long-lived advanced-persistent-threat gang Equation Group. “We didn’t use any of the information from the Snowden leaks to discover the Equation Group,” he says. “We discovered the first Equation sample while analyzing a multiple infection on a computer we call “The Magnet of Threats”. This computer has been infected by many other APTs, including Regin, Turla, Careto, Animal Farm, in addition to Equation.”
The research team said attributing attacks such as Stuxnet and the theft of Democratic National Committee emails is very difficult. “There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution,” say Bartholomew and Guerrero-Saade.
Top of Form
They say languages used in code, times it was compiled, the target, possible motivations and IP addresses are the type of information weighed when trying to assign responsibility. “In the case of the DNC attacks for example, many experts agree that the malware used in the attacks as well as some of the infrastructure used, only belong to two ‘groups’,” they say.
When it comes to nation-state actors, often the major economic powers are accused of engaging in cyberattacks, the researchers say. “That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major ‘cyber-capabilities,’” says researcher Vicente Diaz. “That, among other things, makes attribution more difficult (is not the same as developing an advanced and unique weapon rather than using a common one).”
When governments got involved in cyberattacks, the world of security research got much more complicated, Raiu says. “Then almost overnight, nation state sponsored attacks appeared,” he says. I guess the first big one was Aurora, which hit Google, Yahoo and others [in 2009]. Ever since, my job has been getting more and more complex, from all points of view.”
For example, basic questions like which attacks to investigate are tricky. “In my opinion, we are living in a world where our work has an impact, and ethics should be properly set,” says Diaz. “I like to think of ourselves like doctors or scientists, working based only on technical stuff and not letting other factors to decide for ourselves. And that´s not always easy.”
What do these cyberattack experts use to protect their own gear? It’s very personal. “To be honest, each person on the team has their own security quirks,” Diaz says, “ranging from things as simple to tape over the webcam to sniffing everything on your own home network.”
And his advice is for individuals to gauge how likely they are to be a target and how much time and effort someone might reasonably be expected to exert attacking them. “What I mean is: what sort of attackers and attacker resources can you reasonably expect to be spent on you?” he says. “Would I advise to my grandmother to have an out-of-band network tap? No. But if you’re handling sensitive IP, scientific research, gov secrets, etc., it may not be the most outlandish thing.”
Watch out for mobile malware, says Raiu. “Our analysis of high end APTs such as Equation seems to suggest many threat actors have developed mobile implants, which means that sooner or later, they will be found - just like we found the HackingTeam mobile implants for instance,” he says. “Running a security solution on your Android device will definitively help not just with protection against known threats but hopefully catching some new ones.”
And you can kiss privacy good-bye. “It’s important to limit what we post and understand what information we are leaking out … but privacy is a relative term and at a time when every system appears to be designed to divine where you’re going, what you’re doing, what you like, and who with, (and deriving a lot of that information from those you associate with, not just you) it’s unreasonable to consider anything like absolute privacy is possible.”
Responding to a question about how they like it, the team’s global director Costin Raiu says, “Mr Robot is a strong 9.5 for me. Most of the scenes are top class and the usage of tools, operating systems and other tiny details, from social engineering to opsec is very good. I guess having help from some real world security experts (the folks at Avast did a great job!”
“Particularly enjoyed seeing their depiction of how quickly a phone can get backdoored with the right preparation,” which in one episode was less than the time it took someone to take a shower, says another team member, Juan Andres Guerrero-Saade.
Not so popular, “CSI: Cyber”. Asked if he watches, researcher Brian Bartholomew says, “Yes and it’s terrible. But I do enjoy laughing out loud at it.”
Meanwhile the 46-member Global Research & Analysis Team (GReAT) says it has no affiliation with the NSA hacker. “We have no connection whatsoever with Edward Snowden,” says Raiu.
A questioner asked whether the team used information from the Snowden leaks to uncover the long-lived advanced-persistent-threat gang Equation Group. “We didn’t use any of the information from the Snowden leaks to discover the Equation Group,” he says. “We discovered the first Equation sample while analyzing a multiple infection on a computer we call “The Magnet of Threats”. This computer has been infected by many other APTs, including Regin, Turla, Careto, Animal Farm, in addition to Equation.”
The research team said attributing attacks such as Stuxnet and the theft of Democratic National Committee emails is very difficult. “There is really little that can’t be faked or manipulated and this is why the industry has such heated debates sometimes over attribution,” say Bartholomew and Guerrero-Saade.
Top of Form
They say languages used in code, times it was compiled, the target, possible motivations and IP addresses are the type of information weighed when trying to assign responsibility. “In the case of the DNC attacks for example, many experts agree that the malware used in the attacks as well as some of the infrastructure used, only belong to two ‘groups’,” they say.
When it comes to nation-state actors, often the major economic powers are accused of engaging in cyberattacks, the researchers say. “That does not mean that developing countries don’t participate in such operations, however many times they use external resources as it is cheaper than developing major ‘cyber-capabilities,’” says researcher Vicente Diaz. “That, among other things, makes attribution more difficult (is not the same as developing an advanced and unique weapon rather than using a common one).”
When governments got involved in cyberattacks, the world of security research got much more complicated, Raiu says. “Then almost overnight, nation state sponsored attacks appeared,” he says. I guess the first big one was Aurora, which hit Google, Yahoo and others [in 2009]. Ever since, my job has been getting more and more complex, from all points of view.”
For example, basic questions like which attacks to investigate are tricky. “In my opinion, we are living in a world where our work has an impact, and ethics should be properly set,” says Diaz. “I like to think of ourselves like doctors or scientists, working based only on technical stuff and not letting other factors to decide for ourselves. And that´s not always easy.”
What do these cyberattack experts use to protect their own gear? It’s very personal. “To be honest, each person on the team has their own security quirks,” Diaz says, “ranging from things as simple to tape over the webcam to sniffing everything on your own home network.”
And his advice is for individuals to gauge how likely they are to be a target and how much time and effort someone might reasonably be expected to exert attacking them. “What I mean is: what sort of attackers and attacker resources can you reasonably expect to be spent on you?” he says. “Would I advise to my grandmother to have an out-of-band network tap? No. But if you’re handling sensitive IP, scientific research, gov secrets, etc., it may not be the most outlandish thing.”
Watch out for mobile malware, says Raiu. “Our analysis of high end APTs such as Equation seems to suggest many threat actors have developed mobile implants, which means that sooner or later, they will be found - just like we found the HackingTeam mobile implants for instance,” he says. “Running a security solution on your Android device will definitively help not just with protection against known threats but hopefully catching some new ones.”
And you can kiss privacy good-bye. “It’s important to limit what we post and understand what information we are leaking out … but privacy is a relative term and at a time when every system appears to be designed to divine where you’re going, what you’re doing, what you like, and who with, (and deriving a lot of that information from those you associate with, not just you) it’s unreasonable to consider anything like absolute privacy is possible.”