CyberWire Daily - Elections and information operations, but not necessarily the elections you expect. Apple purges dodgy security apps. Who are the Silence criminals? BA's breach. Cyber moonshots.
Episode Date: September 10, 2018

In today's podcast, we hear about foreign information operations surrounding elections in Israel and Sweden. Domestic information operations surround local elections in Russia. Apple purges questionable security apps from its store. Are the Silence cyber criminals security industry veterans? British Airways continues to recover from its data breach. What a "cyber moonshot" might actually mean. And ProtonMail says the coppers have collared an Apophis Squad member. Zulfikar Ramzan from RSA with a reality check on blockchain hype. Guest is Yehuda Lindell from Unbound Tech on the Foreshadow vulnerability. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Foreign information operations surround elections in Israel and Sweden.
Domestic information operations surround local elections in Russia.
Apple purges questionable security apps
from its store.
Are the Silence cyber criminals
security industry veterans?
British Airways continues to recover
from its data breach.
What a cyber moonshot might actually mean.
And ProtonMail says the coppers
have collared an Apophis Squad member.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, September 10, 2018.
Information operations directed toward influencing
or disrupting elections have surfaced in several countries.
ClearSky reports finding an Iranian disinformation campaign aimed at planting bogus stories in
and around Israel.
One Hebrew-language site, Tel Aviv Times, published plagiarized stories altered to support
Iranian interests.
Fourteen bogus Facebook profiles and eleven inauthentic Twitter accounts were coordinated with the campaign.
Several of the sites involved in the operation targeting Israel closed after the exposure.
The operation's playbook seems to have resembled the one uncovered late last month in the U.S.
Swedish authorities have warned of foreign disinformation designed to affect recently concluded elections, which were indeed contentious.
Swedish authorities framed the issue of foreign information operations
as a matter of national defense, as preparation for a foreign attack.
There's little doubt as to who would be doing the attacking, of course.
It's Russia.
And in Russia itself, a domestic campaign is running
with the apparent intent of suppressing
dissenting voters. A lot of people are upset about a pension reform the government is instituting.
It's a broadly unpopular piece of austerity that would raise the retirement age for men from 60 to
65 by 2028 and for women from 55 to 63 by 2034.
Apple continues to eject questionable security apps from its store.
Over the weekend, it developed that researchers are apparently associating some of those apps with Trend Micro.
The story is still developing and early reports may well be confused.
Apple took the questionable apps down after Cupertino was notified of their behavior.
Some call the ejection fast.
Others say it was still too slow,
but all of them say good riddance.
Nothing yet on Trend Micro's blog.
We stress that this story is still developing.
Group IB thinks it likely that at least one of the two members
of the Silence cybercriminal crew has worked or may even still work in the security industry.
Where in the industry, they haven't yet said. Their evidence looks mostly circumstantial.
Silence has been most active against Russian financial institutions.
British Airways continues to struggle with its large data breach.
Observers say that the airline's payment site was loading scripts from at least seven domains other than its own,
and that it was out of PCI compliance.
Some think the incident involves third-party compromise, similar to the one that hit Ticketmaster in the UK.
The airline itself may be facing a heavy £500 million fine and a customer boycott.
British Airways is in the process of notifying affected customers.
We've been tracking ongoing revelations of potential vulnerabilities baked into the
hardware of the CPUs we use, the result of speculative processing routines,
issues that researchers have named
Spectre, Meltdown, and recently Foreshadow. Yehuda Lindell is co-founder and chief scientist
at Unbound Tech, and he's also a professor at Bar-Ilan University in Israel. And he joins us
with these insights. Moore's law stopped working for us a number of years ago. We had many, many years of growth where every year
and a half or so the speed of processors doubled. At some point, due to physical limitations,
that stopped and chip manufacturers had to look for alternative novel ways to get speed improvements.
Intel is one of the most innovative. They excelled very much at this type of work.
What we ended up getting is a very, very complex chip that no one truly understands.
And it uses many sophisticated techniques to get performance speed ups, but also at the expense of exposing vulnerabilities.
That, to be fair to Intel, no one was aware of until recently,
but that's the current situation that we have. Now, when you say we have these complex chips
that no one really understands, can you dig into that a little bit? What do you mean there?
So there are a lot of different techniques that are used, like out-of-order execution and
speculative execution, and the way the caches work and the way these different things interact.
So you have experts on the microcode level,
and they'll understand very much what the chip is offering,
but it doesn't necessarily mean that people running the operating systems
have a full understanding of exactly what's going on.
And even when they do, the different interactions
between these different parts of the chip cause a problem.
I call it a lack of isolation.
What we typically think of when we run a piece of software is that it's running in isolation
from other pieces of software, from other code running on the chip.
And that's what operating systems are aimed to do.
The problem is that it's not the operating system that is breaking the isolation, which
was the case until a few years ago.
It's the actual hardware itself.
That complexity, the complexity of the way the chip gets its additional performance
and the interaction between the different pieces of code and the hardware
and the microcode altogether results in this very, very complex infrastructure
and ecosystem that we don't really understand.
And these are, as you say, they're sort of unintended consequences.
Do you suppose that we'll find future chips are going to give up some of their performance in exchange for better security?
That's what I would hope.
But that's my perspective as a security expert and as a cryptographer.
There are plenty of other people for whom the most important thing is performance.
But the way I view it is that we should have
two modes of operation on a chip.
We should have something which gives us
very, very high performance,
and we should have an isolated unit,
an isolated processor that we can use
for code that needs to be very secure.
And then that way we could sort of balance
these two different demands.
If I'm playing a game, if I'm a gamer,
I don't really care so much about security on my chip.
I really want just the best performance.
But in many other cases for enterprise use,
we very much need security.
And without isolation, I don't think it's going to happen.
What we're seeing now is sort of like putting a Band-Aid
on every single little vulnerability,
but we have enough of those vulnerabilities to understand that those Band-Aids are not the solution.
My recommendation is, of course, always patch and patch immediately,
because as soon as a vulnerability is released, the attackers learn it and exploit it.
But that, again, is just a Band-Aid. But you have to put the Band-Aid on.
You have to stop the immediate bleeding.
The longer-term recommendation for end users who don't have control over the way Intel and other chip manufacturers build their chips
is to not rely on these trusted execution environments.
I don't think we can rely on them for high-security applications.
That's Yehuda Lindell. He's co-founder and chief scientist at Unbound Tech. He's also a professor at Bar-Ilan University in Israel.
There's a fair bit of coverage that emerged over the weekend of the notion of a cybersecurity
moonshot that, it's thought, the U.S. administration is preparing to announce.
Much of that coverage is sourced in part to remarks delivered at last Thursday's Billington Cybersecurity Summit during a fireside chat on the topic. We heard that chat,
but we heard it a bit differently from the way in which some others understood it.
A moonshot is a bold project that sets a challenging goal and a challenging timeline for achieving it.
A moonshot is an effort to solve a big, difficult, and well-defined engineering problem.
Remember, the original moonshot was the U.S. space program of the 1960s
that moved from Project Mercury through Project Gemini and into final success with Project Apollo.
A number of people seem to think that we're about to see something like this for cyber,
a race in cyberspace similar to the race we saw in outer space half a century ago.
That's not likely, and the administration officials who last week talked about and answered
questions about a coming moonshot understood this very clearly.
To call for a moonshot is fundamentally to issue a call to action,
and it may be useful as an inspiration,
but programmatically it's not like President Kennedy's space program at all.
As DHS Assistant Secretary Jeanette Manfra and U.S. Federal CISO Grant Schneider pointed out,
there's no single destination and there's no clear endpoint. What they hope to accomplish, should people be energized by a call to action, is a set
of cultural shifts. These include, but wouldn't be limited to, reinforcing the current awareness
of security as important that's emerging now outside the security industry itself,
inculcating in customers an attention to and
a demand for better security in the products they buy, educating young people in good digital
citizenship, and pushing the internet as a whole to better defaults, in a Freakonomics
kind of way.
As Manfra put it, it would be a gain if security became something you had to opt out of, as
opposed to it ever being the other way around.
So, a cyber moonshot, should we hear a call for one,
is much more likely to resemble a public health campaign than it is something out of NASA.
Finally, remember the Apophis Squad, the skids who hacked ProtonMail,
and boasted that they'd be forever anonymous and that the feds can't touch us.
They've apparently been touched, although in fairness to Apophis, it wasn't the feds,
but rather the feds' cousins in Her Majesty's service.
George Duke-Cohen, who last week pled guilty to distributing empty and idle but nonetheless
frightening bomb threats to schools, is also, according to ProtonMail, a prominent member of the Apophis
Squad, where he used a number of noms to hack, including Double Parallax. He'll be sentenced
on September 21st. Mr. Duke-Cohen is expected to be detained at Her Majesty's Pleasure for at least
a year. Touché, George.
And joining me once again is Zulfikar Ramzan.
He is the Chief Technology Officer at RSA.
They are a Dell Technologies business.
Zuli, welcome back.
You know, we, how do I say this?
The blockchain, it's become almost a bit of a punchline lately with so many businesses trying to cash in on sort of the flavor of the month. I really wanted to check in with you
and see where do you think we stand with this? Where are we?
So I think you're absolutely spot on. There's this element of blockchain that has now
gotten this pixie-dust-like quality where it seems to be an elixir for any kind of problem
you can imagine from saving the whales to establishing world peace to achieving immortality.
But the reality is obviously not quite there where the hype is.
I think what people are fundamentally missing is the important question
of not whether you can use blockchain to solve a particular problem,
but should you use blockchain to solve a particular problem.
Look, the reality is I can buy a sledgehammer to push in a thumbtack.
I can also just use my thumb,
and I think the thumb is a much better solution to that same problem.
So how do we get past the hype to know if an application actually makes sense?
Well, I think you have to start asking yourself some more fundamental questions before you
even think about using a blockchain. The first question is, should you use a blockchain? And
really, there are five questions that I have in mind that I think can quickly help you
make that determination. The first question is, are you trying to store any kind of state consistently? The second question is, do you have multiple peers who may be contributing to that
system? The third question is, are you trying to eliminate trust in terms of a trusted third party
or an intermediary? And the fourth question is, are you working with digital assets versus,
let's say, physical assets in terms of what you're trying to track? And then finally,
are you willing to sacrifice performance, in other words, transaction times?
And if the answer to any of those above questions is no, you should absolutely not use a blockchain.
There are better approaches for solving some of those same problems.
Like, for example, databases, which have been around for a long time and are really well understood.
But oftentimes I find that many problems people are using the blockchain to tackle end up being much more easily and much
more readily solvable using database type technologies or more basic prior art that's
existed for a long time in this space. Now, on the flip side of that, I mean,
what do you see as some of the ideal uses for the blockchain?
So I think the main use case for blockchain is in cryptocurrencies and cryptocurrency type
applications. If you think about it for a moment, those are the areas where blockchain really acquired its first level of prominence. And the reason for that is that
blockchain fundamentally is about trying to achieve a handful of properties. You know,
blockchains are exciting because they provide a degree of decentralization. They provide a
quality called immutability, where once you put something in, you can't change what's happening
easily. They enable you to have public access where anybody can potentially verify or validate
what's happening with respect to a certain set of items.
And if you translate that back into the original problem space for which blockchain was invented,
namely Bitcoin and other types of cryptocurrencies,
there are key properties you want in cryptocurrencies that blockchain helps you to address.
Like, for example, in a cryptocurrency, you might want to eliminate a single root of trust. You may not want to trust any one bank
or one entity. So decentralization is very helpful. For cryptographic currencies, you want
to avoid what's called double spending. So any type of digital currency, there's a real risk
that if you were to spend that digital currency, somebody could take those same bits and bytes,
copy them, and try to re-spend that same currency. And so you need some mechanism for
public access or verifiability. You need some mechanism for ensuring that once a transaction
is in, you can always check that the transaction occurred as part of validating other transactions
as well. And so I think when you take a step back, all the types of properties around cryptocurrencies
and applications that are very closely aligned to cryptographic currencies tend to make better use cases for blockchain. But many of these other applications
that people talk about are probably not the right ones, or at least there may be better
ways to solve those problems if you take a step back and think about your requirements
more fundamentally. All right. Zulfikar Ramzan, thanks for joining us. A pleasure as always.
...and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.