CyberWire Daily - NetSpectre proof-of-concept. Election hacking, in the US and Australia. Cyber industrial espionage. Cyber threats to power grids. Hacking JPay.
Episode Date: July 30, 2018
In today's podcast, we hear about NetSpectre, a new speculative execution proof-of-concept. Australia's Electoral Commission says there were no signs of hacking in recent by-elections. US states remain concerned about election hacking. Missouri Senator McCaskill confirms that Fancy Bear made an unsuccessful attempt to access her staff's network. Russian threats to power grids. Industrial espionage continues to go after corporate IP. And news you can use about JPay (we know: you're asking for a friend). Jonathan Katz from UMD on the timeline for practical quantum computers. For links to all of these stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_30.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
NetSpectre is a new speculative execution proof of concept.
Australia's Electoral Commission says there were no signs of hacking recent by-elections.
U.S. states remain concerned about election hacking.
Missouri Senator McCaskill confirms that Fancy Bear made an unsuccessful attempt to access her staff's network.
Russian threats to power grids.
Industrial espionage continues to go after corporate IP.
And news you can use about JPay.
We know you're asking for a friend.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday,
July 30th, 2018. Researchers at Austria's Technische Universität Graz have described another Spectre-class speculative execution hack.
They call this one NetSpectre, a CPU speculative execution hack that can read arbitrary memory over a network.
Unlike the other Spectre exploits that have been described over the past several months,
NetSpectre doesn't require the attacker to get the victims to download and run malicious code on their machine.
Instead, it's a remote hack.
NetSpectre achieves its effects by probing network ports.
The good news amid the bad is twofold.
First, NetSpectre's data exfiltration speeds are slow, very slow,
only about 15 bits per hour for attacks on data stored in the CPU's cache that are carried out over a
network connection. Second, the mitigations that help stop Spectre version 1 should also work
against NetSpectre. If you're in a mood to worry, BleepingComputer suggests an analogy with
Rowhammer attacks. Those saw increasing exfiltration speeds as researchers spent more time on them,
and they also saw barriers to entry drop.
Still, on this one, the glass looks half full. Election hacking and influence operations remain
in the news. In Australia, where authorities and public opinion have tended to worry about
Chinese influence, it appears that the recent by-elections went off without a hitch.
The Australian Electoral Commission says the country's voting infrastructure
showed no signs of having been subjected to any hacking.
Parliament and the government, however, aren't disposed to rest easy,
and protecting elections continues to be a matter of concern, deliberation, and debate.
In the U.S., various state election officials are expressing concern over their systems' vulnerabilities.
Wisconsin and Montana are among the worried,
with Montana officials now saying they saw some signs of Russian probing during the 2016 elections.
More immediately, Fancy Bear is thought to have debuted in the midterms,
as Senator McCaskill, a Democrat of Missouri,
has confirmed that there was a GRU attempt to gain access to her network.
She said that the attempt was unsuccessful and that she's outraged.
She added that Russian President Putin is a thug and she doesn't care if he knows she thinks so.
Exactly what Fancy Bear was up to in Senator McCaskill's system isn't clear
because her staff and investigators are being fairly tight-lipped about the whole matter, apart, of course, from noting Vladimir Vladimirovich's thuggishness,
but it appears likely that it was the usual fishing expedition.
Observers draw a lesson from the McCaskill case.
The most vulnerable points in the U.S. political system, at least from the point of influence
operations, appear to be its campaigns and the staffs who run them.
It's worth reviewing the different activities people have in mind when they talk about election hacking.
What we might call election hacking proper is direct interference with either the data or availability of electronic voting systems.
That's the sort of thing the Australian Electoral Commission didn't find.
Then there's reconnaissance, snooping into electronic voting systems, accessing voter data, and so on.
That's the sort of incident some U.S. state election officials are reporting.
A somewhat different kind of cyber attack is accessing campaign data, usually emails and usually through social engineering, in the service of influence operations.
In this case, the attacker is interested in finding and releasing material
that's either discreditable or can be framed as such.
This is what Fancy Bear is alleged to have done to the Clinton presidential campaign.
A fourth kind of election hack involves trolling, often with a fake persona and automated bots,
as the St. Petersburg-based Information Research Agency
has done. The aim here is to influence public opinion. And finally, of course, there's fake
news and disinformation, planted and disseminated in more or less traditional ways. In general,
U.S. officials think there's a lower degree of Russian activity directed toward election
hacking and influence operations during the current midterm election season than was observed in 2016.
Instead, it's believed that Russian intelligence services are devoting more attention to the power grid.
Observers find this disturbing.
Temporary outages, which might not have much more effect than an ice storm,
or perhaps not even as much, are worrisome.
A number of security
experts have advised a keep-calm-and-carry-on view of this level of disruption. But simply
causing a power outage that affects part of the grid for a few hours is much less serious than
an attack that damaged or destroyed difficult-to-replace power generation systems. The U.S.
Department of Homeland Security demonstrated the potential effects of such an
attack in its 2017 Aurora tests at the Idaho National Laboratory. In that demonstration,
the rapid out-of-phase cycling of protective relays was shown to cause physical damage to
generators and induction motors. That sort of attack would be of greater concern than a temporary
outage. Last week's report from the U.S. National Counterintelligence and Security Center remains the topic of much chatter.
That report described extensive foreign, especially Russian, collection against intellectual property.
Politico describes increased espionage against California tech industry targets,
where the new gilded age marriage of progressive hipster sensibility and buccaneer capitalism has not exactly produced a culture of security.
Facebook and Twitter have recently fallen out of favor with investors and speculators.
Analysts connect their issues, especially Facebook's record-setting market cap freefall
last week, to concern that their user communities have either begun to plateau
or entered a period of decline. A Washington Post op-ed sees the downside of the network effects
that built the social media platforms and puts it this way: the ghost of MySpace is haunting social
media. Facebook and Twitter also continue to struggle with content moderation, and that too
seems a difficult problem without solutions that will satisfy a majority of users.
Finally, we are shocked, shocked to report that convicts are stealing.
You won't believe it, but guests of the governor of Idaho are abusing their access to JPay
to accumulate lots of credits they can spend for games, email services, tunes, and the like.
Also educational services and positive entertainment,
although how much of these are actually consumed is unclear.
JPay is a tablet-based system designed to give inmates limited and healthy connectivity to the outside world,
where their friends and family can not only communicate with them,
but also post money to their accounts that they can use for JPay credits.
More than 300 inmates in Idaho correctional facilities have succeeded in hacking JPay
to jack credits up to almost a quarter million dollars, which is a lot in a prison economy
where wages, according to Wired, run from $0.10 to $0.90 an hour.
It costs $0.47 to send an email on JPay and as much as $3.50 to download a tune.
So the Freakonomics incentives are aligned,
and the signs point to hacking.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Jonathan Katz. He's a professor of computer science at the University
of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We
had an article come by from Scientific American, and it was called "How Close Are We Really to
Building a Quantum Computer?" You and I revisit this topic from time to time,
and I've joked with you that quantum computing seems to me sometimes kind of like fusion energy,
where no matter when you ask, it's always 20 years away. But does it seem like we're getting
closer? When might we see some real practical applications for this? So first of all, you know
that people are very concerned about the possibility of quantum computers, because if a real quantum computer were ever built, a large enough quantum computer
were ever built, it would be able to break all the public key cryptography currently being used
on the internet. So obviously, we don't want to be caught unprepared. It would be really a terrible
thing if, from the point of view of security, if a quantum computer came out a year from now,
and we were just caught completely, you know, flat-footed and didn't have replacements in line
to replace our public-key crypto systems.
And so people really do want to know how feasible it might be
to construct a large-scale quantum computer over the next 5, 10, 15 years.
And a lot of people are seriously looking at this.
What I think seems to have happened more recently is that there has been a lot of interest from industry.
Several companies now, including Google and Microsoft, now have significant efforts in quantum computing. And I think this is making
people a little bit more worried that quantum computers might be closer than we previously
thought. Now, is it fair comparing this to something like
the Manhattan Project, where if one nation state had significant advances in quantum computing,
that would give them a global advantage over other nations? Absolutely. I mean, I would say that if
an intelligence agency in a particular country had access to a quantum computer and other intelligence agencies were not aware
or didn't have access to their own quantum computer,
then the results could be really devastating, right?
Like I said, that would allow one country
to be able to essentially decrypt transmissions
that the other country was sending over the internet
even without the other country knowing it.
And that could be really very significant.
Of course, the situation will be a little bit different if you had a quantum computer being built publicly,
if it were built by a company, for example, and then they would publish it and then everybody would know about it.
The situation would be a little bit different,
but it could definitely give a big advantage to whoever is able to solve this problem first.
How much is this going to change how we approach computer science? Are there
fundamental differences in the way that these computers function that, for example, your
students are going to have to come at this from a different direction? That's a really good question.
And it's funny, I haven't really heard people talk about that a lot before. I think, you know,
my guess is that if and when quantum computers first come out, they're going to still remain very niche.
I don't think we're going to see desktop quantum computers, personal quantum computers anytime soon, in part because they're likely to be very expensive and very large at first.
But also because I think most people wouldn't have a need for quantum computers.
I think quantum computers are especially good at particular types of problems that cryptographers are interested in and also some other problems that physicists are interested
in, for example. But the average user might not be really interested in having a quantum computer
available to them. But thinking ahead longer term, if quantum computing becomes the norm,
then absolutely, it would require people to learn basic quantum mechanics in order to understand what's going on.
It would require people to think a little bit differently when they program,
because programming for a quantum computer is different and maybe more challenging than programming on a regular computer.
And so, yeah, there's definitely going to have to be a shift in the way computer science is taught if quantum computers ever become a reality like that.
And hopefully by then, both you and I will be retired.
I guess it depends on when they come out.
Right, right, exactly.
All right, as always.
But it certainly makes for interesting times.
Yeah, absolutely, absolutely.
All right, Jonathan Katz, as always, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses
that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.