CyberWire Daily - Daily: RSA update - SecDef sounds libertarian? Ashley Madison extortion. DROWN update. More on Ukraine grid hack.
Episode Date: March 3, 2016
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
RSA updates, where the Secretary of Defense is sounding a bit like a techno-libertarian.
The Attorney General, not so much.
The democratization of technology moves the Defense Department
to seek help from the commercial sector.
We talk with Phantom, winner of this year's RSA Innovation Sandbox.
More evidence on the Ukrainian grid hack is out.
The ACLU files an amicus brief in the Apple v. FBI case.
We hear from the University of Maryland's Jonathan Katz on quantum computing.
And the Ashley Madison hackers are now sending extortion notes through the mail.
I'm Dave Bittner in San Francisco with your Cyber Wire daily podcast for Thursday, March 4th, 2016.
We're wrapping up our time at RSA this afternoon,
podcasting from the floor of the world's leading cybersecurity conference and exposition.
U.S. Defense Secretary Ashton Carter took a fairly unambiguous position in the crypto wars.
He's in favor of strong encryption, and he's opposed to backdooring systems.
So it seems that NSA Director Rogers' neighborhood really does encompass the larger
defense establishment, lest anyone think the director has been freelancing on the issue these
last few months. Secretary Carter was also in San Francisco to solicit industry support for U.S.
efforts against ISIS and other threats. He's been talking not only to the expected big companies,
but to small businesses as well, even participating in a shark tank event
to hear pitches from entrepreneurs on promising technologies.
One area of need the Secretary highlighted was data security.
We know, he said, that we're behind the commercial sector in this area.
That the U.S. Department of Defense could use some help isn't surprising.
It's been known for some time that collaboration across the Internet has significantly democratized
technology, especially information technology,
at a time when technology, again, especially information technology,
has solidified the central position it holds in conflict.
It's unclear how traditional powers can continue to enjoy a decisive advantage in the area,
but it's clear that the Department of Defense is intent on trying.
Its Hack the Pentagon program is one
manifestation of that determination. The U.S. continues to pursue ISIS in cyberspace, intent
on disrupting the caliphate's communications infrastructure. Effective cyber capabilities
are beginning to make their appearance at the tactical level. Special operations forces,
specifically including the U.S. Navy's elite SEALs, are taking on an increasing interest in social media.
So there should be no surprise should SEAL teams show up on Twitter.
We'll see how successful they prove to be at delivering a counter-narrative against ISIS.
Attorney General Lynch was also at the RSA conference.
She defended Department of Justice efforts to compel Apple's assistance in unlocking an iPhone
used by one of the San Bernardino jihadist shooters, making a plea to, quote, not let one company decide this issue for
all of us, end quote.
But it must be said that her presentation and position were not generally received favorably.
Sentiment at the expo is largely against the Department of Justice on this one.
There's a general sense that the assistance the FBI is requesting would set a dangerous
precedent.
But one executive in a side conversation did note a curious fact.
We're willing to trust the police to protect us physically,
but it seems no one is eager to trust the government with protecting our data.
The ACLU, in an amicus brief filed in the case,
thinks it sees another problem in the Department of Justice position.
If the DOJ wins, the ACLU says, then you can bid farewell to
trustworthy software updates. What assurance, they ask in effect, will users have that they're not
being pushed another government OS? We've had interesting talks with many companies here at RSA.
One we were particularly pleased to speak with is the winner of this year's Innovation Sandbox,
Phantom. We asked Phantom CEO Oliver Friedrichs what it was like to win the competition.
It was interesting. I think all of the vendors up there, you know, the 10 most
innovative vendors at RSA, you know, were high quality companies. You know, so when you look at
that list, you know that you've got your work cut out for you. I think it was a real privilege and
honor to win that. Great to recognize the hard work that we've done, but also validates this problem.
You know, I think that we've had so many products and so many unique individual solutions now
that it's great to see it recognized that we now, you know, we believe that we do need a layer,
something that's going to tie all of those existing products together.
We'll hear more from Phantom in an upcoming RSA special edition of our podcast.
Turning from San Francisco to the larger world,
the Western Ukraine grid hack remains a matter of intense interest
as a warning and a cautionary tale.
The attackers, whom investigators describe with grudging admiration as sophisticated,
conducted a long-running and patient campaign to establish persistence
in the Ukrainian utility's network and then to harvest control system credentials.
These credentials were used to disrupt power in late December.
The attack is widely regarded as a harbinger of things to come, and some experts think
it was intended to send a message to the United States, at least as much as it was intended
to affect Ukraine.
The consensus on the DROWN vulnerability is in.
The SSL hole is thought to be not as bad as Heartbleed, but still bad enough.
Schneider Electric's StruxureWare Building Operation software
is found to be exploitable by remote hackers in ways that could enable them to affect building security,
and the attackers need not, say researchers, be particularly skilled.
The problem is said to lie in weak default credentials and a command execution bug.
Krebs on Security reports that the pay card breach at Wendy's chain restaurants
is producing significant debit card losses.
Credit unions are said to be especially affected.
Google has issued a Chrome update. Users and admins take note.
And finally, Ashley Madison is back in the news.
This time, there's no moralizing, just frank extortion.
The Ashley Madison wives, as Cluley calls the spouses of men whose patronage of the online hanky-panky emporium was exposed in last year's breach,
are now receiving physical letters through the post demanding payment in Bitcoin, lest their husbands' shame be exposed.
And the extortionist notes, in an aside to any husband who might want to try to
intercept a letter to his wife, that tampering with someone else's mail is a crime. The brass of some
people. But physical mail usually bears physical clues, and we're sure the postal inspectors will
be on the case.
I'm joined by Jonathan Katz.
He's a professor of computer science and the director of the Maryland Cybersecurity Center.
They're one of our academic and research partners.
Jonathan, quantum computing comes up, particularly when we're talking about encryption.
Let's start off by giving us an overview.
How does quantum computing differ from run-of-the-mill binary computing?
Well, it's a bit hard to describe in detail,
but at a very high level, quantum computers take advantage, of course, of quantum mechanics.
And what quantum mechanics allows you to do is to manipulate systems that are in a superposition
of very many states at the same time. So you can think about this very informally as if you have a computer
that's running several different computation paths
in parallel, as it were,
even exponentially many.
And that's what gives quantum computers
ultimately their power.
So help me understand it.
It's my understanding that quantum computers,
as opposed to dealing with absolute answers,
they deal with probabilities.
Is that accurate?
Yeah, that's right.
And that's why the analogy I was giving before isn't quite exactly right.
You have these parallel computations that are running, but then in order to extract anything
useful from them, you need to manipulate things in such a way that you get the answer you're
looking for with high probability. But that's right, that quantum mechanics and quantum computers
don't give you an answer with certainty, they only give it to you with some high probability.
And so looking ahead, how does quantum computing potentially
impact computer security? Well, we've known since 1994 that quantum computers are able to break all
the public key algorithms that are currently deployed on the internet. That's because of
Shor's algorithm, which shows that quantum computers can efficiently solve the factoring and discrete logarithm problems.
So if quantum computers were to become a reality tomorrow,
we'd have a huge problem on our hands because all the public key crypto systems
that are currently used on the Internet would be insecure.
So for that reason, people have begun to think about
what kind of systems they could transition to in the next 5, 10, 20 years
that would be secure even
against quantum computers.
And what's your sense for where we are?
Are we getting close to where quantum computing may be a reality?
Well, I wouldn't say close, and I'm not an expert in this field, but the latest estimate
I saw at a recent workshop was that there's about a 50-50 chance of getting quantum computers
capable of breaking current public key encryption schemes
within the next 15 years. So that gives us reason for concern, especially because we know that it
can take quite a long time to begin transitioning to new systems.
Jonathan Katz, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.