CyberWire Daily - German doxing incident remains under investigation. Marriott breach update. Dark Overlord watch. Can cryptocurrency become less burdensome in terms of energy consumption?
Episode Date: January 7, 2019

In today's podcast, we hear that investigation into the doxing campaign German political leaders suffered continues, and the Interior Minister promises a transparent inquiry. Attribution remains unsettled, but a lot of people are looking toward Russia. Marriott thinks fewer guests were affected by its Starwood breach than initially feared. Online gamers affected by breaches. The Dark Overlord continues to make a pest of itself. And can alt-coin production become less of an energy hog? Awais Rashid from Bristol University on securing large-scale infrastructure. Guests are Karen Waltermire and Harry Perper from NIST, discussing the NIST National Cybersecurity Center of Excellence (NCCoE). For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2019_01_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Investigation into the doxing campaign German political leaders suffered continues,
and the interior minister promises a transparent inquiry.
Attribution remains unsettled, but a lot of people are looking toward Russia.
Marriott thinks fewer guests were affected by its Starwood breach than initially feared.
Online gamers have been affected by breaches. The Dark Overlord continues to make a pest of itself.
And can altcoin production become less of an energy hog?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
January 7th, 2018. Investigation into the doxing campaign against German political figures continues.
The magazine Bild reports that Germany's BSI intelligence service asked its U.S. counterparts, the NSA especially,
to lean on Twitter to isolate and take down accounts involved in distributing the leaked material.
Bloomberg says the BSI argued to the NSA that some U.S. citizens were also victims of the incident, thus assistance would be in order.
Interior Minister Seehofer has promised transparency in the investigation, with an interim report due out by midweek.
Attribution, as one would expect, remains unclear.
Speculation centers for now on either a right-wing party that was largely
unaffected by the incident or on Russian information operators. Trend Micro has pointed
the finger toward Russia's Pawn Storm group, and the amount of patient preparation that seems to
have gone into the attack is more often seen in intelligence services than partisan operators.
As Herr Seehofer has promised, we should know
more later this week. It's worth noting again that the material released so far doesn't appear
to contain much, if anything, that's either shocking or particularly discreditable.
On Friday, Marriott released more results of investigation into its Starwood Reservation
Systems breach. The good news is that fewer customers than feared were affected.
The bad news is that the compromised data include a lot of unencrypted passport information.
Marriott had initially believed that the number of guests affected was around 500 million.
The hospitality company now regards 383 million as the upper limit
and believes with a fair degree of certainty,
that the actual number is lower still. But the hackers accessed 5.25 million unencrypted and
more than 20 million encrypted passport numbers. Roughly 8.6 million encrypted pay cards were also
exposed in the incident. Marriott doesn't believe the attackers got the master
encryption keys. In 2012, a public-private partnership was formed between NIST, industry
stakeholders, the state of Maryland, and Montgomery County in Maryland to launch the National
Cybersecurity Center of Excellence, the NCCoE, with the mission to build and publicly share solutions to cybersecurity problems
faced by U.S. businesses.
Joining us today are Karen Waltermire and Harry Perper,
both cybersecurity engineers at NIST and the NCCoE.
We are an applied group that takes next-generation standards,
technologies that you can commercially buy and apply those
in the best way possible for the fastest way to adopt secure technologies. And we're really
looking at this from a business perspective, not just a federal government perspective.
It's a public-private partnership. So what we do here, being so transparent, is we provide guidance and solutions that could fit all sectors of industry, small, medium, and large-sized businesses, as well as the federal government and our partners.
What is the type of engagement that you get from the private sector? Do they provide financial support? Are you working with them hand-in-hand to solve problems together?
We work hand-in-hand with industry, executives, and thought leaders, also vendors and integrators, but it's all considered in-kind.
There is no membership. There is no fee.
Again, we're a federal agency and a group within a federal agency. So the work and the collaboration that we do is on a voluntary basis, and it is bound by an agreement that is called a Cooperative Research and Development Agreement, CRADA.
Now, can you give me some examples of some of the types of things that you're working on?
Through discussions with commercial industry, we've identified a number of projects. I've been
working in the finance sector, so the three projects that we've identified and worked on so far there address IT asset
management, identity and access management, and most recently we published a practice guide on
privileged account management. We identify those problems or issues to address through conversations with thought leaders and
organizations in the commercial space, primarily the critical infrastructure sectors of the economy.
So we agree on a reference architecture that's practical for implementation, and then we get
vendors to volunteer their products and services to help us build a proof of concept of that reference
architecture here in our lab, where we have our cybersecurity engineers along with the vendors
work hand-in-hand to build an example of an operating example of that reference architecture
that we test. We do functional testing. Again, we are not recommending those products in our
practice guides. We state that they worked in the way we used them. They provided the capability that we state in the practice guide. Once we build
that proof of concept, then we know this works. We create the practice guide, and the practice
guide includes a description of the reference architecture, the theory of operation of that architecture, a mapping to the cybersecurity framework to help organizations that use the CSF to organize their cybersecurity program.
We also include documentation of that proof of concept, step-by-step instructions if somebody wanted to try to recreate what we built in the lab. For the most part, I don't expect people to recreate, but it does give them a starting point for their own implementation.
It gives them an understanding of the kinds of skills that they need. And that practice guide
is published publicly at nccoe.nist.gov. At that point, once it's published, we advocate in different ways, including podcasts, other interviews, speaking engagements around the country to get people to know that these exist and that there are great ideas within them that they can use to help improve the way they do that particular area of cybersecurity.
Privileged account management happens to be the most recent one that we published. Another area of adoption for us is where we interact with vendors and they
make changes to their product generally to either improve the integration and the way
their product is compatible with standards or making it more user-friendly or in some cases maybe more secure. So an example of that is our wireless infusion pump project that we did for the healthcare industry where we believe that
the next generation of wireless infusion pumps will be more secure because of the work we did
here in conjunction with those manufacturers.
Our thanks to Karen Waltermire and Harry Perper from NIST for joining us.
You can learn more about the National Cybersecurity Center of Excellence by visiting nccoe.nist.gov.
The breach at Town of Salem, the role-playing game, not the Massachusetts City, affected around 7.6 million players.
As reported by Hack Read, the data exposed include username, IP address, email ID, and hashed password.
Blank Media Games, the proprietor of Town of Salem, says they don't handle money, so no pay card or bank data were exposed.
The Dark Overlord, the gang that's trading in 9/11 insurance claims and suggesting conspiracy theories about the terror attacks, has continued to tease and dribble out stolen files on Steemit,
the same blockchain-based platform used, for example, by the Shadow Brokers.
The motive is purely financial. The Dark Overlord
crassly self-describes its greed for Bitcoin and disclaims any high-hacktivist purpose.
They've apparently received a few thousand bucks from misguided crowdfunders.
So, this blockchain thing. Have you heard of it? These bitcoins the Dark Overlord and the other kids
are all talking about? Here's something we've wondered about for a long time. You mine this
stuff, right? It's like free money, right? Not much money, maybe, if you're just using your phone.
But mining bitcoin and other cryptocurrencies takes computational resources, and those use
electrical power. Sure, we're all used to turning
our devices on, leaving them on, charging them up, and so on. Still, does power consumption place
limits on altcoin and those who love it? There was that school principal in China who was sent
up the river when municipal authorities wondered what was up with all that electricity being used
at the school during off hours. They investigated and found that the enterprising gentleman had plugged a coin mining rig into his school
and was accumulating Bitcoin on the city's dime.
True story.
Well, he went too far, but surely there's no problem with a little mining, no?
Maybe yes.
Our baby boomer desk reminds us of a public service ad that ran on New York TV back in the mid-1960s.
What's one little snowflake, the ad asked, and it answered,
nothing, but put enough of them together and you've got a blizzard.
Or what's one little grasshopper?
Nothing, but put enough of them together and you've got a plague.
And what's one little piece of litter?
Nothing, but put enough of them together and you've got a dirty city.
So too with Bitcoin. Testimony before the U.S.
Senate Committee on Energy and Natural Resources this past August estimated that Bitcoin mining
accounted for about 1% of the world's energy consumption. Last May, a study published in the
journal Joule looked at coin mining and
concluded that solving for cryptocurrency was then consuming at least two and a half gigawatts of
power, a little shy of what Ireland uses. And the researchers speculated that consumption would
exceed seven and a half gigawatts, or nearly Austrian levels, by the end of 2018. So that's a lot, right?
Wouldn't this mean that the cryptocurrency world was self-limiting?
I mean, we need power for other things, right?
What good do all these profits do if someone ends up with a huge stack of altcoin
and winds up sitting in the cold dark with the rest of us?
And the rest of us would be a pretty tough crowd, we think.
Anywho, power consumption seems to be a bit down. Some of the drop is market-driven. As
Bitcoin's price crashed over the past year, speculators have turned to other more attractive
plays, probably like state lottery scratch-off cards, consumer debt portfolios, and so on.
But there are also some technical responses, maybe, in the offing.
IEEE Spectrum reports that Ethereum, the smaller but still significant alternative to Bitcoin,
whose power consumption is about a fourth of Bitcoin's, at roughly Icelandic levels,
is working to overhaul its code to cut the electricity needed to mine Ether.
Roughly speaking, the change will involve a shift from proof-of-work to proof-of-stake,
an alternative approach to distributed consensus that the Ethereum Foundation thinks could
cut power use by a hundredfold by randomly assigning computation to one processor as
opposed to an indefinitely large number of competing processors.
Proof-of-stake validators, not miners, note, but validators,
would put up collateral in the form of Ether.
The more Ether, the more likely you are to be chosen.
And if you're caught cheating, you've got more to lose.
So good luck.
Returning to New York a half-century ago,
we're sad to say that the Boomer desk remembers it as a pretty dirty city,
despite the PSA's best efforts. Thoughts of bad behavior, too. True story. One member of the desk
recalls that a kid brother had an elephant in the Central Park Zoo steal his deputy dog lunchbox
during a field trip to get at the peanut butter and jelly sandwich mom had packed for his sustenance.
Sad.
And joining me once again is Professor Awais Rashid.
He's a professor of cybersecurity at University of Bristol.
Awais, welcome back.
Today we wanted to touch on some of the challenges when it comes to securing large-scale infrastructures.
What can you share with us today?
Our critical infrastructures on which our society relies, such as water, power, transportation, digital healthcare, energy generation and distribution,
they are becoming increasingly connected.
And we are through, for example, industrial Internet of Things devices and so on, and connecting these systems also to enterprise systems.
We are increasing this connectivity all the time, and that has great business benefits.
But it also means that the size and interconnectedness of these infrastructures make security a very challenging problem. So I'll give you one example. For instance, as we roll out many smart devices,
including, say, for example, smart refrigeration across wide areas, then the scale of attacks can
be very large and attacker can potentially compromise smart refrigeration across a whole
area and hence overload the power grid. And you can imagine that the impact of attacks are
considerably larger as well, disruption to a large population and massive business losses.
Yeah, I've seen stories come by recently about potential problems with, for example, hot water heaters, you know, devices that require a large amount of energy.
And if you could spin up some sort of botnet to trigger them simultaneously, well, that could cause some trouble in the grid.
Absolutely.
And I think this is really where the challenge comes because there is good business reasons
to not isolate these systems
from the rest of the environment in the first instance.
But we need to have more systematic ways
of having security assurances about their behavior.
And I will go even further and say
we need to have more resilience assurances
about their behavior.
So in an ideal world, you do not want to have to take your power grid offline because there is an attack going on.
What you want to do is you want the power grid to be able to respond to it gracefully and maintain perhaps its operation at somewhat reduced capacity and then recover very, very gracefully.
And I think this is really where I would say the frontier lies at the moment for cybersecurity,
because while we create these massively connected infrastructures from which we derive great value and they end up in our society,
we also have to think about the fact that this is not a case of these infrastructures being compromised and then being unavailable.
They have to be able to be resilient in an increasingly adversarial world where secure and insecure devices and systems interact. The attack does not necessarily need to lead to a massive data breach or even a massive disruption of service.
It can just be what you would call a nuisance attack. But that does not mean that it does not create a huge cost to the organization that operates the system or the
infrastructure and also those who are charged with maintaining and defending the infrastructure.
And ultimately, people who work on game theoretic notions of security, they would say, you know,
this is ultimately a game theoretic problem as to how do you, the attacker wants to, you know, increase the cost to the defenders and the defenders,
of course, want to minimize their costs, but increase the cost to the attackers. And here,
I go back to this point that we need to have more resilient systems who can actually
withstand these kinds of issues and gracefully recover.
Professor Awais Rashid, thanks for joining us.
Check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.