CyberWire Daily - Meltdown and Spectre, risks and mitigations. Aadhaar compromised. Blockchain bubbles.
Episode Date: January 5, 2018
In today's podcast we hear how Meltdown and Spectre have put the fear of hardware flaws into enterprises everywhere. No family of systems can be safely assumed to be immune. Most are positively identified as vulnerable. Proofs-of-concept show that remote attacks exploiting chips' speculative execution features are feasible. India's Aadhaar national identification database is compromised. Justin Harvey from Accenture with his outlook on 2018. Guest is Dinah Davis from Code.likeagirl.io and Arctic Wolf Networks. We're discussing trade shows and conferences, and the importance of having diverse panels. Cryptocurrency speculative mania continues.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Meltdown and Spectre put the fear of hardware flaws into enterprises everywhere.
No family of systems can be safely assumed to be immune.
Most are positively identified
as vulnerable.
Proofs of concept show
that remote attacks
exploiting chips'
speculative execution features
are feasible.
Dinah Davis from
codelikeagirl.io checks in.
India's Aadhaar national identification database is compromised,
and cryptocurrency
speculative mania continues.
I'm Dave Bittner with your CyberWire summary for Friday, January 5th, 2018.
Today's news continues to be dominated by the Meltdown and Spectre bugs.
Contrary to earlier reports, essentially all platforms are affected, not just those running on
Intel processors. Most major vendors, including Microsoft, Intel, and Google, have fixes out,
and others, including Apple, will release theirs soon. These can be expected to exhibit the usual
fraction of unintended and unexpected consequences. Microsoft's Windows 10 update, for example,
is reported to interfere with the
functioning of some, but not all, antivirus products. The fixes will also generally have
the effect of slowing down many processes. Individual and business internet users will
probably see this manifested in the cloud services they use. Both Microsoft and Amazon say they've
largely mitigated the security risks associated with the bugs.
Performance issues are a work in progress.
So how real is the risk?
Mozilla, for one, has independently confirmed that both Spectre and Meltdown can be used via JavaScript, for example,
to extract information from a CPU when the user visits a malicious website.
So it turns out that both Spectre and Meltdown can indeed be exploited remotely by malicious
code embedded in ordinary JavaScript files.
Mozilla has itself issued an interim mitigation that involves a workaround.
Since the side-channel attacks Spectre and Meltdown enable depend upon precise timing,
they've reduced the precision of Firefox's internal timer.
A full fix will be out with the next edition of Firefox.
Microsoft has been out quickly with patches for both Edge and Internet Explorer.
These appeared Wednesday as an out-of-band update for Windows.
Google is getting ready to address the bugs in Chrome 64, expected to be out on January 23rd.
But in the meantime, the company points out that users can protect themselves
by enabling a new security feature that was incorporated into Chrome 63.
That feature is strict site isolation.
You'll find that it calls itself highly experimental,
but Google encourages you to put strict site isolation in place.
Apple systems had earlier been reported as immune to the bugs,
but Apple has been quick
to correct this misapprehension. All of their products, whether iOS or macOS, are also at risk.
Cupertino has issued some mitigations already, and others are promised soon.
The attention being paid to exploitation through the browser is no accident. If the bugs are to
be remotely exploited, it's likely that attackers will do so
in the ways Mozilla has outlined.
It remains to be seen whether any exploitation
that develops will be broadly executed
or highly targeted, scattergun or rifle shot.
US-CERT has decided that Spectre is too tough to deal with and recommends replacement of affected CPUs.
But industry has decided that's impractical
and seems determined to continue patches and mitigations.
Google's Project Zero researchers are widely credited with having discovered the bugs
and quietly disclosed them to Intel at least late last summer.
Indeed, Google deserves credit for the discovery,
but there were other, roughly contemporaneous discoveries that should also be acknowledged.
Cyberus Technology and the Graz University of Technology also found Meltdown.
Spectre is said to have other independent discoverers too.
The University of Pennsylvania, the University of Maryland, tech firm Rambus, the University of Adelaide, Graz University of Technology, again, and the independent security researcher Paul Kocher.
The bugs came to full public attention this week.
Google had quietly disclosed them some months ago, but working on fixes inevitably involved
bringing in a large number of developers and a number of companies, and that inevitably
meant that the news was leaking out.
A growing conviction that the leaks couldn't be contained
apparently prompted the public disclosure.
It also explains the partial preparation of the vendor fixes we're seeing this week.
Some in the industry news, notably Ars Technica and TechCrunch,
are noting that in November, Intel's CEO, Brian Krzanich,
sold the maximum number of shares permitted under company bylaws.
This sale took place after Intel was notified of Meltdown and Spectre,
but before the vulnerabilities were publicly disclosed.
Intel says this was a mere coincidence,
and that the bugs were not a factor in Mr. Krzanich's decision to sell.
His sales were properly reported at the time to the Securities and Exchange Commission.
There are a few other things going on in cyberspace this week.
India's Aadhaar National Biometric Identification Database is said to have been breached,
with access to its data for sale on the dark web for under $10.
Aadhaar has had its security issues before,
but this latest appears close to a complete compromise, affecting more than a billion people.
Several experts have noted that losing biometric data can be a serious matter indeed,
and the Indian government clearly has its security work cut out for it,
over the next several months at least.
And cryptocurrency is again in the news.
Observers at Barron's and elsewhere goggle in disbelief
at the more bullish projections of altcoin values.
Criminals are also affected by the speculative market in Bitcoin.
Rapid appreciation and volatility are driving them to alternative alt currencies.
But that hasn't taken the shine off the many chips in the old blockchain we're seeing these days.
Facebook is expressing an interest in seeing what the technology can do for it,
and there's another entrant into the field as well. Hooters, the American restaurant chain
known for its buffalo wings, has introduced a cryptocurrency rewards program. They were
perhaps inspired by our own favorite application of blockchain technology, the Whoppercoin used
in Russian Burger King franchises, where diners have for nearly a year been able to eat their way to flame-broiled riches.
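The interim Firefox mitigation described in the news segment, reducing the precision of the browser's timer, is easier to reason about with a small model in hand. The following is an added example, not code from the episode or from Mozilla: a deterministic JavaScript simulation of the cache-timing probe a Spectre-style attacker makes from a web page, run once through a fine timer and once through a coarsened one. The hit and miss costs, the simulated cache, the secret byte and the 20 microsecond granularity are all constructed for illustration, not measured values.

```javascript
// Added example (not from the episode or any vendor's code): a deterministic
// simulation of a cache-timing probe, the kind of measurement a Spectre-style
// JavaScript attacker makes, and of what coarsening the timer does to it.
// All numbers below are constructed for illustration, not measured.

// Assumed cost of one probe access in nanoseconds: a cached line is fast,
// an uncached line pays a trip to main memory.
const HIT_NS = 40;
const MISS_NS = 300;

// Simulated leak: after the speculative gadget runs, only the probe-array
// line indexed by the secret byte is cached. The attacker cannot read the
// byte directly; it can only time accesses to the 256 probe lines.
function simulateLeak(secretByte) {
  const cachedLines = new Set([secretByte]);
  return (index) => (cachedLines.has(index) ? HIT_NS : MISS_NS);
}

// Timer with a fixed granularity, standing in for a coarsened
// performance.now(). Clamping a single duration is a simplification of
// clamping two timestamps and subtracting, but the effect on a
// sub-granularity difference is the same: it rounds away.
function makeClampedTimer(resolutionNs) {
  return (trueNs) => Math.floor(trueNs / resolutionNs) * resolutionNs;
}

// Attacker logic: time each candidate index through the available timer
// (repeating the access `repeats` times to amplify the difference) and take
// the fastest as the recovered byte. `candidates` counts how many indices
// tie for fastest; 1 means the byte was recovered, 256 means nothing leaked.
function recoverByte(accessCost, timer, repeats = 1) {
  const observed = [];
  for (let i = 0; i < 256; i++) observed.push(timer(accessCost(i) * repeats));
  const bestTime = Math.min(...observed);
  const candidates = observed.filter((t) => t === bestTime).length;
  return { guess: observed.indexOf(bestTime), candidates };
}

// Demonstration with a constructed secret byte.
const SECRET = 0x41;
const leak = simulateLeak(SECRET);
console.log('1 ns timer      :', recoverByte(leak, makeClampedTimer(1)));
console.log('20 us timer     :', recoverByte(leak, makeClampedTimer(20000)));
console.log('20 us, x100 loop:', recoverByte(leak, makeClampedTimer(20000), 100));
```

The first call recovers the byte outright; the second, with the timer clamped to 20 microseconds, returns a 256-way tie, which is the whole point of the mitigation. The third call is the caveat a practitioner should keep in mind: an attacker who can loop the probe amplifies the hit/miss gap past the timer's granularity, so timer coarsening raises the cost of the attack rather than removing it. That is why Mozilla also disabled SharedArrayBuffer in the same interim release (it can be turned into a high-resolution clock) and why the durable fixes are architectural, such as the strict site isolation Google points to, which keeps another site's data out of the attacking page's process in the first place.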
And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader
at Accenture. Justin, welcome back. You know, as we head into this new year, into 2018,
what are you seeing that you expect to be different from what we saw last year?
Well, actually, I think I'm going to take a layup on this one, Dave.
I am going to go with my last couple of years of predictions that I've been turning out to be true every year.
Number one, I think we're going to see a lot more leaked data. In years past or in the last
decade up until two years ago, we were seeing the flavor of cyber attacks being really intellectual
property-based or nation-state secret-based, compromising defense industrial base, compromising
technology companies, and sucking out intellectual property. We're seeing a fundamental shift in the world
today where it's now about the nature of the data. It is being leaked. It is being held hostage. It
is being threatened. It's being ransomed. It seems like no one is safe behind this. So we're seeing
this in the political spectrum. We're seeing it in economic spectrum and also for personal individual celebrities and just regular people,
their data is being either sold or it's being leaked out into the open. With 2018 being a
pivotal election year for the House and the Senate, I think that we're going to see more and
more politically motivated cyber attacks against both parties. We saw how it went down
in 2016. So I do believe, heck, even without any nation state interference, I think election
hacking is here to stay and it will become more and more prevalent. My second prediction is going to be around more and more OT, operational technology attacks, and which would
also include more IoT. So anywhere where the digital or internet connected devices can affect
the real world, whether it be your car, your fridge, your toaster, a children's play toy. I think more and more adversaries will utilize these,
either through harnessing them through vulnerabilities and using them in massive
DDoS-style attacks. I think that you're going to see more and more of these being exploited to
perhaps do spying on people or to get information out of the physical world.
And I think that that trend is here to stay for quite some time. I do believe that one of the key attributes to fixing this problem
is through legislation and enforcement. So I think that from a legislation point of view,
it's key that not only do we create regulations around IoT and OT, but also we're prepared to enforce those regulations, which could have an adverse effect on markets and the economy.
Since a lot of these IoT devices are coming in from overseas, from the Asia-Pacific region, they're actually helping to fuel some of our economy.
And then pursuant to that, I do believe in standards bodies and being able to create some IoT standards,
but standards are just that, they're standards.
They're not binding in any way.
So I do believe that Congress and the government
should look at regulating and enforcing the security
around these IoT devices.
All right, Justin Harvey, thanks for joining us.
My guest today is Dinah Davis. She's the founder of CodeLikeAGirl.io and director
of R&D at Arctic Wolf Networks. We check in from time to time to get the latest from codelikeagirl.io.
Dinah Davis joins us from Ontario, Canada.
So Code Like a Girl decided to sponsor InfoSec World,
which is a conference coming up in March down in Florida at Disney's Contemporary Resort.
But there's sort of an interesting story here.
Take us through how did this come to be?
Yeah, so we've never
sponsored a conference before. It's not even really something we were looking to do.
But I found this article in September this year and it like screamed, where are all my ladies in
cybersecurity? And I'm like, hey, wait, I'm a lady in cybersecurity. I'm right here. What are you
talking about? It's written by this woman, Catherine, who is building the programming for the InfoSec World Conference itself.
She worked really hard to try and get, you know, even amounts of speakers, male, female.
She did great with their keynotes. They even have a dog speaking.
That's, you know, weird, but very interesting.
It's like a cybersecurity sniffing dog.
So I'm assuming the owner is actually talking, but it's kind of a nice play.
Their sessions also have a lot of women.
However, for their presenters, they only received 6% of submissions from women.
So for her to then try and make the sessions 50-50 is pretty much impossible, right?
They go through a normal vetting process.
They would be favoring all the women who entered, which is not really what you want to do either.
What you want to do is really have, you know, more gender diversity on the submissions.
And so this whole article was just her expressing how frustrated she was that more women didn't apply and trying to figure out why
didn't they apply. And really, it came down to, you know, a lot of women don't consider themselves
good enough to do the talks or ready enough. There isn't very many of us in cybersecurity. So
we also have to have the time to do it.
And she was just so disappointed by this.
And I saw this article.
I was like, oh, man, we have to have this article.
And then out of that, she reached out to me and said, hey, maybe there's something we could do together.
Like, I can't change the lineup of presenters for this year, but maybe I can change the lineup of presenters for the following year.
What if we could get as many women as possible to come to the conference to see what we're about,
to make sure that they see that we're an inclusive conference, and maybe then more
will apply the following year. And so what we came up with was a bit of a partnership.
So they have given us a discount code, which you can go get at our website, codelikeagirl.io, for 15% off the conference. I will be writing my review of the conference
after I'm done. They're also going to be writing two articles on either the keynote women or
potentially some of the panel speakers to try and highlight, you know,
the really amazing women that are at that conference. Us sponsoring it and having a discount
code is really about trying to reach more women to try and get them to come to this conference,
because it was really good. The topics are really interesting. It's at Disney. So, you know,
if you want to spend an extra weekend there, that's pretty fun, too. Yeah, plenty to do. For me, there's a big plus. It's in Florida in March,
and I live in Canada. So that's like maybe that's all that they really needed to do.
Right. It's interesting to me in the past year, in 2017, in early 2017, I was at the Women in
Cybersecurity Conference. And in interviewing a lot of the women there, there was something that came up time and time again. And that women told me was that they felt
like things were getting better in the workplace in terms of how they were being treated and
respected and paid and those sorts of things. They felt like there was really good momentum there,
but they felt like the conferences were a place where this was lagging.
And so I'm curious on your take on that.
I mean, a lot has happened in 2017.
You know, we had things like the Harvey Weinstein revelations and then the Me Too movement.
So I think there's certainly been a light that's been shown on this issue.
What is your sense, as we come into this new year, as to where we are, where people's sensibilities are?
Yeah, I totally agree that we're doing way better within the workplace. There is so much more awareness than last year at this time, like just so much more, and that's really exciting for me
because I think the more we talk about it, the more the change will happen.
But I still think there's like so far to go to really create that change and have lasting change.
Like, it's really awesome that it's a forefront of discussion right now.
There's a lot of work we need to do in many, many areas.
Pipeline is one.
So getting more women to even consider careers in cybersecurity,
we're really not going to fix the conference issue until we have more women to speak at it.
And we have to encourage the women that are there to speak, that they are good enough to speak,
that they should be out there speaking at conferences, and it's good for their career.
So I mean, it's really
multifaceted, but I think, you know, I'm just seeing lots of positive momentum in the past
year. So I'm really excited to see what's going to happen in 2018. And if you are a guy on an
all-guy panel, you should maybe consider not doing the panel at a conference. And that's only going to get you positive votes from
other women. Tweet about it, share about it, say you'll leave your spot or ask them to make
room for another spot so that we bring on, you know, a woman or a person of color. You know, if it's
all white men, that's kind of a problem. You're really only getting one type of perspective. And panels are
most interesting when people have a lot of different perspectives. And that comes from
different educational backgrounds, different genders, and different ways of growing up.
Those are things you could do. Don't accept the status quo if you're on one of those panels.
All right. Well, the conference is coming up in March. It is March 19th through the 21st in Florida.
It is InfoSec World.
Dinah Davis, thanks again for checking in.
All your efforts at Code Like a Girl.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening. We'll see you back here tomorrow.