CyberWire Daily - Critical infrastructure resiliency. Lazarus Group’s FASTcash robberies. China’s ongoing industrial espionage. Trolls aside, Russian observers think the US elections were A-OK.
Episode Date: November 9, 2018. In today's podcast we hear that Britain's NCSC has warned, again, that the UK is likely to face a Category One cyberattack within the next few years. In the US, government-industry-academic partnerships work toward making critical infrastructure more resilient to cyberattack. Pyongyang's Lazarus Group continues to rob ATMs using malware. US officials complain that China is in violation of 2015's agreement to avoid industrial espionage. And Russian observers give the US a passing grade for fair midterm elections. Awais Rashid from Bristol University with thoughts on placing trust in blockchain systems. Guest is Bruce Schneier, discussing his latest book, "Click Here to Kill Everybody." For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Britain's NCSC warns again that the UK is likely to face a Category 1 cyber attack within the next few years.
In the US, government-industry academic partnerships work toward making critical infrastructure more resilient to cyber attack.
Pyongyang's Lazarus Group continues to rob ATMs using malware.
US officials complain that China is in violation of 2015's agreement to avoid industrial espionage.
Bruce Schneier joins us to discuss his latest book,
Click Here to Kill Everybody,
and Russian observers give the U.S. a passing grade for fair midterm elections.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, November 9, 2018.
National Cyber Security Centre Deputy Director Peter Yapp warned again that Britain hadn't yet experienced a devastating Category 1 cyberattack, but that such an attack is likely.
The NCSC has been sounding this alarm for the better part of a year, and one hopes they're being taken seriously.
The threat they see comes from hostile nation-states, especially Russia.
To put this in perspective, WannaCry, which had wide-ranging economic consequences, ranked only as a Category 2 cyber attack.
A Category 1 attack in the UK's system would be a national emergency. It's defined as a cyber attack which causes sustained disruption of UK essential services
or affects UK national security, leading to severe economic or social consequences or to loss of life.
Warnings began late in 2017 and they continue today.
In the US, the Department of Homeland Security
and the National Institute of Standards and Technology, that's NIST,
are working with private industry on a wide range of industrial control system
and IoT security measures to prevent or mitigate such an attack
on their side of the Atlantic.
DHS is continuing the progress it made towards securing election infrastructure,
and it's also working on increasing opportunities for critical infrastructure operators to receive
education and training that will help them keep their operations safer and more resilient.
NIST has a new proposed set of standards out in the form of NIST IR-8219, Capabilities Assessment for Securing Manufacturing Industrial Control Systems,
and they're taking comments through the 6th of December.
The industry partners in this effort to develop an anomaly detection and prevention capability
include CyberX, OSIsoft, SecureNok, and Security Matters.
DARPA also conducted some power grid restoration exercises this week
at the decommissioned animal disease research station
that occupies Plum Island, New York,
an isolated island in Long Island Sound.
More reports on the exercise are expected in the coming days.
The Lazarus Group continues its efforts
to redress Pyongyang's financial shortfalls through theft.
They've been making recent use of a trojan known to researchers as FastCash.
Researchers at security firm Symantec have dissected and described FastCash,
which has been employed in ongoing campaigns to loot ATMs.
NSA cyber strategist Rob Joyce described at Aspen Institute meetings how China has
circumvented an agreement negotiated in 2015 that would have precluded industrial espionage in
cyberspace. Joyce said that China has been in violation of the accord for the last two years
at least. His statement is taken as a sign of growing frustration within the U.S. government
over continuing Chinese cyber operations conducted for economic gain, mostly through the theft of
intellectual property. With all this, Microsoft has renewed its pleas for an international accord
that would bring formal norms to cyberspace. It's circulating an online petition for digital peace that's brief, well-intentioned,
earnest, and frankly a little utopian. The petition decries the weaponization of our
shared online community. One certainly hopes for peace, of course, analog as well as digital,
but the record of state conflict in the other four domains of potential conflict,
land, sea, air, and space,
moves one reluctantly to pessimism. The Internet Research Agency, aka Fancy Bear's St. Petersburg
Troll Farm, seems to have conducted an odd Ask Me Anything Reddit with itself. The Daily Beast
noticed that the IRA used questions the Beast posed in response to an invitation
to ask them stuff to develop an illustrated audio interrogation suffused with hipster irony.
They never replied to the Beast, but just posted their own AMAs to an obscure corner of Reddit,
asked and answered them all by themselves,
while yucking it up about not being able to buy ads with rubles anymore.
It's like the old letters from the editors the National Lampoon used to run.
A study by behavioral scientists at MIT says, basically, that people fall for fake news
because they're careless and want to believe.
As Wired puts it in their coverage of the research, quote,
If you don't want to fall for fake news, don't be lazy,
end quote.
The researchers are convinced that laziness and inattention
are more important than bias
and ideological prejudice
in causing people to swallow phony stories.
And finally,
TASS is authorized to disclose
that Russian election observers
reported to the Organization for Security
and Cooperation in Europe
that they
found no irregularities in the U.S. midterms. So sleep easy, America. The Russian election
observers, both of them, looked into exactly two polling places in D.C. and seven in Maryland,
and they solemnly concluded everything seemed on the up and up. But watch your steps, Yankees.
The Duma certainly will if you don't.
We'd like to say thanks, guys, but you seriously need to up your game.
Nine locations are nothing. That number wouldn't cover even one congressional district.
And if Russian observers were in the presence of election fraud,
how would they even know it in the first place?
And joining me once again is Professor Awais Rashid.
He's a professor of cybersecurity at the University of Bristol.
Welcome back.
Today we wanted to talk about some blockchain issues,
particularly establishing trust when you're using blockchain-based systems.
What can you share with us today?
So blockchain is seen as the silver bullet increasingly for everything. And it's not uncommon for us to hear discussions about
how blockchain will revolutionize everything from banking to security in the Internet of Things,
from press to government, with the presumption that the transparency of the ledger will promote trust in the industry. And that's
true to a large extent because the underlying cryptographic protocols actually do provide
computational notions of trust. However, it's not to say that the more human aspects of trust
are not to be considered because ultimately it's people and organizations that
engage in transactions using these blockchain technologies. So describe to me, I mean,
what's the intersection between those two things, between the tech and the human side?
So there are multiple aspects of trust in this case. And the key thing that the underlying
cryptographic assurances provide us is that a transaction that takes place is
actually logged and is visible for everyone to see. But that does not necessarily provide
trust with regards to exchange of goods in the first instance, which still requires other aspects
of trust. And that's what we see in, for example, systems like Bitcoin, where then we have escrow
systems and those kinds of things. And they all indicate that
trust is more than just the underlying blockchain, but requires other institutional entities.
There are other aspects of trust. For example, we take it for granted that if a blockchain is
implemented, then it is implemented correctly. And there is immediately trust in the people,
the software engineers who are developing and maintaining the blockchain.
And of course, you know, trust can also be dependent on our sentiment towards the system.
And again, we see this in cryptocurrencies such as Bitcoin, because when you hear negative stories like exchanges falling down,
then that has an impact on how people behave in terms of their transactions and, for example,
trying to get rid of Bitcoin or trying to buy Bitcoin, depending on whether they're
positive or negative stories.
So it's not unreasonable to assume that we will see similar things when it comes to,
for example, doing energy trading or other kind of applications using blockchain.
And is it fair to say that I think blockchain has a bit of a PR problem right now? I mean,
it's almost become kind of a punchline in the industry sometimes.
Yes, but all technologies go through this hype cycle, the Gartner hype cycle, of course,
you know, and in the beginning, you know, there is great hype. And then there's the trough of, you know, almost disillusionment. And then there is sort of, you know, further progress.
And I think blockchain does have a lot of value to bring to a number of applications. But the key
that we need to think about is that no system is successful simply because it is computationally
sound in terms of the security guarantees that it can provide.
It's ultimately people and organizations and the structures around it which lead to adoption in the first instance.
And again, we are seeing that with regards to things like the cryptocurrencies that use blockchain.
And I think as other applications are developed, we can learn from those experiences
and understand what kind of structures do we need to create
around blockchain-based systems that will engender trust within people to actually
engage with them and use them. Professor Awais Rashid, thanks for joining us.
My guest today is Bruce Schneier. He's a well-known security technologist and author of a dozen books.
His latest is titled Click Here to Kill Everybody, Security and Survival in a Hyperconnected World.
It is a provocative title. It is my first clickbait title.
It's really not what I'm used to writing. I'm generally the anti-fear kind of person.
But remember, the goal of a title is
only to get someone to read the subtitle. You need something provocative to have people look.
And the subtitle is more what the book is about, security and survival in a hyper-connected world.
I think it's a great title. It really talks about something that is unique to computers and computer threats, and that's this
notion of a class break, that all copies of Microsoft Windows or website software or in the
future a car or a medical device can be hacked at once in a way that just isn't possible in real
world things. Well, let's dig into this.
I mean, you start in the introduction of the book with this notion that everything is becoming a computer.
But what are you getting at there?
The idea that computerization is affecting things.
You know, old computers are screens we stare at.
And our metaphors really reflected that.
We go online.
They're very physical.
We upload, we download,
we enter a chat room. Computers were something we went to and interacted with, our phones and
our laptops. What's changing is that computers are becoming embedded in our environment,
our cars, our appliances, medical devices, large things like power plants, toys.
And it used to be that these devices had some kind of computerization.
Toaster has had chips and computing for a long time. But now they are really general purpose computers with peripherals attached to them.
So a refrigerator is really
a computer that keeps things cold. And a microwave oven is a computer that makes things hot.
And an ATM machine is a computer with money inside. And a car is a computer with four wheels
and an engine. Now this is this reconceptualization going on, where the computer becomes the core,
and then everything else is the peripheral
attached to the computer.
Your book is organized into two main sections.
Part one is trends.
Part two is solutions.
In the trend section, you have a chapter called Everyone Favors Insecurity.
What's your notion there?
Surveillance capitalism is the business model of the internet.
The way companies make money on the internet is they spy on us and they use the information against us generally for advertising, right? That's the business model. That's the core
business model of the internet. As these computers go into physical devices, devices that do stuff,
we're seeing a different model emerge. And that's a model of control.
This is a model where the company that sells you the thing controls how you use it.
So an example might be, an easy one might be a Kindle.
You own the Kindle, but Amazon can reach into your Kindle and remove a book if they want.
They can decide whether a particular book you're allowed
to do text to speech. They could, if they want, decide if the Kindle works in different geographical
areas or maybe for different books, you can expand or contract the text different amounts.
They have an amount of control. And we're seeing this with John Deere and the tractors they sell to farmers.
We're seeing this with high-end espresso machines sold into restaurants.
So this notion of control that allows the company to extract a lot more money from their
customers by separately charging for different features and access and repairs, sort of the entire life cycle.
Both of these business models, the surveillance and control, rely on the manufacturer getting
into your device after they've sold it to you.
And that is an insecurity.
To do that, you must have these devices be insecure.
So we are seeing everything being built with these insecurities.
At the same time, governments also want to reach into your devices for law enforcement purposes in the U.S., for social control in China, and other reasons in between.
And there again, that access relies on insecurity. So it's very hard
to build security into the internet when all these interests favor insecurity.
So how do you see this playing out as we continue down this path?
How are these risks going to show up and what effects are they going to have on us?
So we don't know. My worry is we're going to see the same kind of computer
attacks against all of these new computers.
So ransomware against cars and
DDoS attacks against power plants, spam being sent
from your refrigerator. Some of these we are seeing. The difference really
is that these
new computers, Internet of Things, I'm going to call it, affect the world in a direct physical
manner. That they're no longer about data, they're about life and property. And I worry about
real physical risks. I worry about what happens when someone hacks all of the computer door locks in a city and they open or they refuse
to open or something happens. We've already seen demonstrations of remote hacking of cars
where at speed, a hacker can disable the steering, disable the brakes.
That used to be just about data. Now it's about life and property. Why don't I talk
about it in the book? And that sort of echoes the title that suddenly computers can kill people
in a way they couldn't five years ago because they were just about data.
So let's go through some of the possible solutions. That's the second half of the book.
How do you suppose we can get a handle on this? So I really see this as a policy
issue, that the problem is less tech and more policy. I mean, yes, there are tech problems,
and they're real, and they'll require money and engineering to solve, but they are, you know,
sort of go to the moon hard and not faster than light travel hard. They're things we can do.
The real problem I see is that the policies don't favor more security.
The current policies in place favor less security.
They favor the security we saw with Equifax
or we're seeing with Facebook.
Underspend on security and weather any storm
if bad things happen and just hope you don't get regulated.
And that's just not going to fly when it is actual dangerous things. So I look at a whole series of
solutions. It's never going to be one thing. I look at regulations and actual government mandating levels of security, like we saw just recently when California passed an IoT security law.
I mean, they did a little bit, but it's a start.
I look at things that different regulatory agencies can do, Federal Trade Commission and others.
I look at international agreements, liabilities, ways that we can sort of generally raise the cost of insecurity so companies are more likely to choose security. And then how that would
spur innovation in new techniques of security once there is a market for it.
You know, we see companies like Facebook, Twitter, and I guess to a lesser extent Google,
saying that they would welcome some sorts of regulation.
So at least they'd have some certainty there.
Do you think they're being sincere in that request?
I mean, they're not being sincere.
No company wants regulation because it tells them to do things.
So what's going on is interesting.
The states are starting to look at regulation.
I mentioned California, also New York and Massachusetts.
So we're going to start to see states regulate both security and privacy.
And these companies don't like that because the states are likely to be effective and there's sort of less lobbying that they can do.
What the big companies want now is for the federal government to step in, pass very lax regulation
that these companies can influence to forestall the states. So I see it as very self-serving,
as a way to avoid regulation while pretending
to like it. Additionally, there's another dynamic, and that regulation, if done badly,
favors incumbents. It becomes a barrier to competition. So I see these larger companies
looking at this in two ways, as a barrier to forestall state action
and, if they can craft it right, as a way to forestall competition.
Our thanks to Bruce Schneier for joining us. His latest book is titled Click Here to Kill Everybody:
Security and Survival in a Hyper-connected World.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.