CyberWire Daily - Daily: RSA updates. DROWN SSL vulnerability. Apple vs. DoJ.

Episode Date: March 2, 2016


Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. The U.S. continues efforts to enlist industry against ISIS in cyberspace. The DROWN vulnerability, patched yesterday by OpenSSL, is thought to affect about a third of all HTTPS sites. A new version of the Bifrose Trojan is out and designed for Linux systems. And Europe watches closely as Apple and the FBI face off in court and Congress.
Starting point is 00:02:39 I'm Dave Bittner in San Francisco with your Cyber Wire summary for Wednesday, March 2, 2016. We're at RSA again, podcasting from the floor of the world's leading cybersecurity conference and exposition. The first order of business must be congratulations to the 2016 Turing Award winners. Whitfield Diffie and Martin E. Hellman were honored for the pioneering work that gave us public key encryption. The two also expressed themselves concerning the crypto wars, warning of the potential for abuse (tyranny, as Diffie put it), with Hellman signing an amicus brief in sympathy with Apple. Industry leaders were in full-throated full cry in pursuit of guarantees of strong encryption. Microsoft President Brad Smith was particularly direct, warning that, quote, the path to hell
Starting point is 00:03:18 starts at the back door, end quote. His views found general agreement, although another crypto pioneer, Adi Shamir, did express a degree of understanding for the FBI's position. While he found the possible precedent of a ruling in the Bureau's favor troubling, he also thought that their request of Apple was more narrowly circumscribed than it's been generally represented. And, standing at hell's back door or not, for what it's worth, it seemed to our stringers that the Bureau's representatives at their booth have received basically cordial visits. NSA's position in the crypto wars has been publicly much quieter and more nuanced than those taken by the Justice Department, and far more accepting, on the face of it, of the
Starting point is 00:03:57 general availability of strong encryption, which is, as NSA Director Rogers has said, here to stay. Admiral Rogers delivered a keynote yesterday that's been widely reported as a plea for more cooperation between industry and the intelligence community. It was indeed that, but it also expressed an understanding that problems in cybersecurity are complex and variegated, problems for foxes, not hedgehogs. It's refreshing to see complexity acknowledged where one often hears glib calls for moonshots or Manhattan projects, hedgehog programs if ever there were any. Remember,
Starting point is 00:04:30 the fox knows many things, but the hedgehog knows one big thing. Admiral Rogers has also been warning that an attack on U.S. infrastructure is a practical inevitability. He expects utilities in the U.S. to sustain disruptions at least as severe as those the Western Ukraine saw at the end of last year, and he continues to urge that the grid in particular be prepared to parry and recover from industrial control system attacks. TechCrunch has declared this year the year of security plus machine learning plus artificial intelligence at RSA. That's a fair characterization of the technologies and approaches on offer, but we would add some additional specificity to this characterization. It's also the year of
Starting point is 00:05:10 systems integration, OSINT, and above all, anomaly detection. There's a general interest in threat intelligence, but that interest is more concerned this year with risk reduction than it is with attribution. Turning from RSA to the wider world, the widely expected and hitherto mysterious OpenSSL patch arrived yesterday, and we now know what was being plugged. It's a TLS/SSL vulnerability being called DROWN, a forced acronym derived from Decrypting RSA using Obsolete and Weakened eNcryption. It's generally regarded as a serious bug. About a third of all HTTPS servers are thought to be susceptible to DROWN attacks,
Starting point is 00:05:46 which depend upon the old export-grade backdoor formerly mandated for US-made security products. Strong encryption partisans cite DROWN as further evidence of their central contention that weakened encryption does far more damage than it does good. TrendLabs finds a new variant of the Bifrose Trojan designed for deployment against Unix and Unix-like systems. They attribute the development to the threat actors behind the Shrouded Crossbow campaign. Verizon releases a breach report with a difference. It doesn't replace the company's existing well-known annual report, but it supplements statistical treatment with instructive case studies.
Starting point is 00:06:22 In the UK, the government prepares a new version of its surveillance bill. The Apple FBI case is being closely watched in Europe, where observers fear it will have implications for the implementation of Privacy Shield. Partisans of both sides are squaring off this week in Congress and in court. The U.S. Secretary of Defense has been in San Francisco this week, jawboning industry about what it can do to help anti-ISIS operations. We heard from Dave Amsler, president and founder of Raytheon Foreground Security. He likes what the SecDef has to say.
Starting point is 00:06:51 Quote, The Hack the Pentagon program is another example of Defense Secretary Ash Carter's efforts to strengthen our national security by tapping the high-end talent capable of hunting cyber threats. As cyber attacks become more sophisticated and persistent, our defenses, critical infrastructure, and business organizations cannot sit and wait. Instead, we must hunt. The Hack the Pentagon program is a step in the right direction to be more proactive in detecting and eradicating cyber threats.
Starting point is 00:07:17 End quote. Finally, a group of Turkish hackers has claimed responsibility for the ransomware attack on Hollywood Presbyterian Medical Center. While the motive behind the attack seems clear enough, criminal extortion, those claiming responsibility cloaked themselves in a nationalist mantle. They were also protesting American friendliness toward Kurds because they're, well, you know, patriots, says they.
Starting point is 00:10:01 Malek Ben-Salem is the R&D manager for security at Accenture Technology Labs, one of our academic and research partners. We talk a lot on the Cyber Wire about big data, and I'm curious, what are some of the particular challenges that big data presents when it comes to security and privacy?
Starting point is 00:10:57 So, as you know, big data presents three challenges. One is related to its sheer volume. One is related to the variety of the data. And one is related to the velocity of that data as we collect it. With respect to volume, businesses are collecting vast amounts of data. And in order to be able to process that data, they often rely on parallel processing frameworks, MapReduce-like frameworks, where distributed mappers independently process data locally. Now, those MapReduce-like frameworks, such as Hadoop, have not been built with security
Starting point is 00:11:40 in mind. Google originally created Hadoop, which is the open source implementation of the MapReduce programming model. And at the time when they created it, they used it to store and to process public website links. So because those website links are public, they didn't think about security and privacy. So security was an afterthought for Hadoop and for the frameworks that are built on Hadoop.
Starting point is 00:12:10 So that's one issue with all these big data platforms, the fact that security is an afterthought. And now we have to deal with retrofitting those platforms with security functions. Another challenge is the variety of data elements that are being collected. So think of an insurance company, for example, that collects medical records that also have financial information about its customers. They need to build different data stores for each type of data because the medical records and the financial information are subject to different compliance requirements.
Starting point is 00:12:53 And many companies are struggling with separating the data and assigning the right access controls or fine-grained access controls on that data. So what are some of the solutions that you all are seeing and that you're coming up with there? We are trying to identify the gaps in existing frameworks. Are there opportunities to enable privacy-preserving computational models on these big data platforms so that no private information is leaked? How can we deal, again, with the velocity challenge
Starting point is 00:13:34 where data is coming at a high speed and we're not able to label it correctly, to label what's sensitive and what's not sensitive.
Starting point is 00:14:40 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
