CyberWire Daily - Daily: US voting security, cyber M&A action, OPM breach post mortem, Pokémon, and more.
Episode Date: September 8, 2016In today's podcast we explore ongoing concerns about Russian attempts to influence US elections. The US Congress has harsh words for OPM in their data breach report. Google has a plan for countering I...SIS messaging online. Ransomware may prove self-limiting for criminals, and St. Jude Medical sues Muddy Waters Capital and MedSec. We hear about next-generation SOCs from Siemplify's Amos Stern, and University of Maryland's Jonathan Katz explains a vulnerability in homomorphic encryption. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Continuing concerns over U.S. elections,
Congress has harsh words for the OPM,
ransomware may prove self-limiting for criminals,
and St. Jude Medical strikes back. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, September 8,
2016. As concerns about alleged and apparent Russian attempts to influence U.S. elections continue,
the Secretary of Homeland Security seeks to reassure voters that the election will be conducted without the vote being hacked.
Both presidential candidates said in back-to-back appearances on a defense policy forum last night
that they intended to make cybersecurity a priority in their prospective administrations.
There's general consensus that the Russian government is interested in influencing U.S.
public opinion during this election cycle, probably in the direction of undermining confidence
in the electoral process itself.
U.S. Secretary of Defense Ashton Carter is the latest U.S. official to call Moscow out
for aggressive policies, telling students at Oxford University that Russia's government
has the clear ambition
to erode the principled international order with what he characterized as unprofessional conduct
in Ukraine, Syria, and cyberspace. Unprofessional strikes us as an odd characterization, but we get
his drift. That the U.S. now considers itself to be in a cold war with Russia in cyberspace
has been much in evidence so far at the Intelligence and National Security Summit.
Speakers mince no words in characterizing Russia as the adversary,
along with lesser powers like Iran and North Korea.
China is also mentioned, but in the context of more ordinary intelligence collection
and an unseemly interest in intellectual property theft.
The IP theft, most seem to feel, is something the U.S. and China might negotiate over to their mutual interest.
The Congressional report on 2015's major data breach at the Office of Personal Management came out earlier this week.
It offers a harsh critique of OPM's state of security at the time of the incident,
although it also points to certain improvements OPM has since made.
at the time of the incident, although it also points to certain improvements OPM has since made.
At the Intelligence and National Security Summit, we spoke about this briefly with intrepid CEO Richard Helms, no relation to the late Director of Central Intelligence.
He pointed out as significant the fact that none of the data stolen in the breach seemed to have
turned up for sale in the black market. This suggests that the intrusion into the databases
was an intellectual operation as opposed to a conventional cybercrime. Helms suggests that the intrusion into the databases was an intellectual operation,
as opposed to a conventional cybercrime. Helms noted that the identity theft protection OPM is offering to the millions whose personal information was exposed is unlikely to help
them much, since criminal identity fraud is unlikely to have been the goal. He thinks the
victims are more likely to become targets for an intelligence service. We'll hear more inside
perspective on the OPM breach tomorrow
when we talk with Cylance's Malcolm Harkins about his company's investigation.
Another cyber threat much discussed at this week's Intelligence and National Security Summit
is the ongoing jihadist radicalization ISIS and other groups are carrying out online.
Google believes it may have a response.
Google's tech incubator, Jigsaw, is using its redirect method
so that search advertising algorithms will display counter-messaging
beside jihadist-themed search results.
Thus, you would get your ISIS results, but displayed beside them would be,
for example, YouTube video of imams counseling against terrorism,
regrets of ex-jihadists, and so on.
Some new threats and vulnerabilities have come to light.
Rapid7 reports discovering a new threat to network management systems, NMSs.
They can be exploited using the Simple Network Management Protocol, SNMP.
Both cross-site scripting and SQL injection attacks are possible.
And Kaspersky Labs describes Mox, a backdoor built for Macs.
Ransomware remains a problem, but there are some early signs it may be self-limiting,
at least as far as the criminal ecosystem is concerned.
The extortionists are increasingly not decrypting files even after ransom is paid.
As many as a third of companies affected by ransomware aren't getting their data
back upon payment. This suggests the criminals may be killing their business model. There will
soon be little incentive for anyone to pay. The U.S. government's advice is now unambiguous.
Don't pay. And by all means, back up your data. We heard from some security companies about other
current issues. Prompted by the report earlier this week of a breach at the Nashville Hutton Hotel,
Lastline's Brian Lang spoke about point-of-sale issues.
Quote,
Point-of-sale POS systems tend to rely on older operating systems,
nearly all Microsoft Windows, he told us.
Interestingly, it's very common to find Windows XP in current distribution for POS systems even today.
End quote.
There are many exploits available for XP, and many of them operate at the kernel level.
Users of vulnerable point-of-sale systems should be aware of this
and take measures to mitigate that risk.
Tripwire's Craig Young commented on the problems surrounding sharing cryptographic keys and certificates.
This is particularly a pain point, he said, with respect to embedded
devices. He said, quote, the best advice for consumers is not to access devices over shared
networks, including the internet, without first installing a properly signed security certificate,
end quote. It's no longer, he pointed out, as expensive to do so as it once was.
Many organizations feel it necessary to stand up their own Security
Operations Center, or SOC, to defend themselves against cyber threats. We spoke with Amos Stern,
CEO at C-Amplify, about what it takes to build what he calls a next-generation SOC.
I wouldn't say it's one thing. It's a set of capabilities that enables organizations to
identify what are the real threats out of the
thousands of different alerts and detections that they have and initiate a response much faster.
I say there are four key factors. One, you need to be able to take all the different signals in
and bridge the gap between the different tools. So you just have a lot of different tools,
each focused on detection of some other aspects in the organization, like a network detection tool, an endpoint detection tool, access control,
data leakage, and so on and so on.
You need to be able to bridge the gap between those and look at the big picture.
You need to be able to run analytics and add context to everything, apply intelligence
on top of that, and then bring external sources together with whatever is being detected internally.
And finally, you need to be able to automate whatever possible and where you can't to empower the incident response process of the human expert.
So let's dig into the automation aspect of it.
I mean, is automation really a requirement now because of the velocity at which the data comes in now?
Automation has a few different dimensions to it.
So you can automate the investigation process, which I like to call analytics more than automation,
because there is a huge volume, like you said, of data that comes in.
You need to be able to process it really fast.
So processing it means identifying the important threats,
filtering out the noise, adding contacts,
all the things that you can do by applying analytics.
And then the other part of automation
is automating the response.
So basically being able to define different workflows
and orchestrate a list of actions and say,
if these things happen,
we can take these measures automatically and either enrich the data, you know, if these things happen, we can take these measures automatically
and either enrich the data, block user, just start a workflow and automate some of that response.
And this helps reduce the time for the response, but it can't always be the case. So we would
never replace the human factor completely. If someone is in the process of setting up a security operations center, what kind of
advice do you have for them?
I think first they need to think about the entire process.
It's not just technology, right?
It's a combination of security operations, it's a combination of the technology, the
people, the process, the whole thing.
You need to take into account all different signals.
You need to be able to add some analytics and to put them all into one context. There are many tools to do this today.
You need to be able to apply intelligence and threat intelligence to that. And you need to be
able to orchestrate whatever part of the response you want. Otherwise, if you miss one of these
components, you can build a SOC, but would not be the most efficient that it can be.
That's Amos Stern. He's the CEO at C-Amplify.
In industry news, St. Jude Medical is suing both Muddy Waters Capital and MedSec over their allegations
that St. Jude's pacemakers and similar devices are dangerously exposed to hacking.
St. Jude disputes that allegation.
devices are dangerously exposed to hacking. St. Jude disputes that allegation. It also dislikes the way Muddy Waters and MedSec seem to have
used the disclosure in the service of shorting St. Jude stock. Intel has spun
off its McAfee cybersecurity unit, which will now operate as an independent
company. And RSA begins its new life as a unit of Dell.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Joining me is Jonathan Katz.
He's a professor of computer science at the University of Maryland.
He's also director of the Maryland Cybersecurity Center.
Jonathan, I saw a story come by on the Register website recently
about some researchers who apparently have had some success cracking homomorphic encryption.
Now, that's something we've talked about on the show before.
Can you start off by just giving us a quick review?
What are we talking about with homomorphic encryption?
So this technique of fully homomorphic encryption is actually something quite amazing that was
developed in a breakthrough just under a decade ago. And what this basically allows you to do
is to perform arbitrary computations on encrypted data. And people are really excited about this,
because what it would allow you to do potentially is encrypt your data and send it off to be
processed by another party who could, like I said, do arbitrary processing
on that data to compute an encrypted result, send it back to the original user who could
then recover that result, all without leaking any information to the party doing the computation.
So this is really exciting, and there's been a lot of progress in developing schemes over
the past few years with either better
security or better efficiency or some combination of both.
So what is the vulnerability that these researchers claim to have discovered?
Well, it turns out there was a scheme published in 2014 that was claiming to have a new approach
to developing a polyhomomorphic encryption scheme that would be much more efficient than
previous schemes.
developing a polyhomomorphic encryption scheme that would be much more efficient than previous schemes. But what researchers showed just recently is that they were able to actually
take that scheme and break it in a variety of different scenarios. One of those scenarios was
if it happened to be the case that the same data were being encrypted under multiple different
public keys, then the researchers were actually able to recover that original data.
And in another attack, they were actually able to mount what's called a chosen ciphertext attack,
which is a kind of an active attack on a communication protocol, to recover the entire
private key of the homomorphic encryption scheme. So basically taken together with what these
results demonstrated that the original scheme proposed in 2014 was actually insecure.
So how big a blow is this against homomorphic encryption in general?
Well, I think it actually doesn't say very much about the fully homomorphic encryption
schemes that have been proposed and analyzed in the mainstream cryptographic literature.
I think what this really demonstrates is just the importance of peer review in general.
So basically, cryptographers will very often publish a new scheme and kind of throw it out there and see whether anybody else
can break it. And in this particular case, researchers just a couple of years later,
were in fact able to break it. With a lot of modern cryptosystems and a lot of the,
like I said, the fully homomorphic encryption schemes that are proposed in the mainstream
literature, they actually come with proofs of security that show that the underlying encryption scheme can be reduced
to some hard mathematical problem. And so this gives a lot more confidence in such a scheme.
And, you know, I think it's really a good demonstration of the importance of this kind
of proof of security. The scheme that was attacked didn't come with any proof to begin with.
All right, Jonathan Katz, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's defenses is by targeting your executives and their families at home?
defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.