CyberWire Daily - Power grid hacking fears running high. Social media problems. Election DDoS reported in Russia. FTC and SEC cyber enforcement actions. NSA hoarder case update.
Episode Date: March 19, 2018

In today's podcast, we hear that tensions between Britain and Russia remain high, as the UK fears a cyberattack. US power utilities are also on alert to an ongoing Russian cyber campaign. Despite a claimed DDoS attack, President Putin is re-elected in Russia. Facebook under fire for Cambridge Analytica data incident. More political bots in Twitter. YouTube tries content moderation. FTC takes on an alt-coin Ponzi scheme. SEC has "dozens" of ICO investigations in progress. Notes on the Hal Martin alleged NSA-hoarder case. Malek Ben Salem from Accenture Labs with tips on cryptography deployment. Guest is Paul Brigner from the Security and Software Engineering Research Center (S2ERC) at Georgetown University, discussing their research on Virtual Browsers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Tensions between Britain and Russia remain high as the UK fears a cyber attack.
U.S. power utilities are also on alert to an ongoing Russian cyber campaign.
Despite a claimed DDoS attack, President Putin is re-elected in Russia.
Facebook's under fire for Cambridge Analytica data incidents. More political bots on Twitter.
YouTube tries content moderation. The FTC takes on an altcoin Ponzi scheme. The SEC has dozens
of ICO investigations in progress,
and some notes on the Hal Martin alleged NSA hoarder case.
I'm Dave Bittner with your CyberWire summary for Monday, March 19, 2018.
As tensions between Britain and Russia mount, the UK braces for cyberattacks on critical infrastructure,
especially its power grid and water supplies.
Police in Wiltshire, where the attempted assassination of Sergei Skripal took place,
deny that their networks came under Russian attack.
Expect more false alarms during this period of heightened tension.
The US power industry is similarly preparing itself for attack.
The Department of Homeland Security has warned that Russian operators successfully intruded
into electrical grid industrial control systems, albeit without working damage in this first stage of their campaign.
Direct and official attribution of a cyber operation to a specific named nation-state is unusual in American practice.
Cyberattacks on power grids are particularly worrisome,
especially if they affect industrial control systems in ways that enable attackers to drive to destruction
difficult-to-replace critical components like turbines.
Such destruction was shown to be possible, ICS security experts say,
by demonstrations like the US Energy Department's Project Aurora.
Such attacks could bring down grids for months, with great attendant suffering.
Commenting on the UK's situation, security experts have offered the sobering, if rather breathless, warning that in the event of complete grid failure, Britain would be, quote, four meals away from anarchy, end quote.
A few weeks ago, UK Defense Secretary Gavin Williamson warned that such an attack would result in, quote, thousands and thousands and thousands of deaths, end quote.
Attacks on power grids are also worrisome because they've actually occurred in the wild.
Russia succeeded in producing at least two regional outages in Ukraine over the past three years.
Those attacks are widely regarded as trial runs and proof of concept for larger-scale attacks against great power rivals.
It's unlikely Russian operators would be able to execute them in exactly that form,
since utilities elsewhere have learned from Ukraine's experience,
but the prospect is worrisome.
This is not to say that other risks to power distribution,
like the ice storm that's likely to hit the northeastern U.S. this week,
aren't much more common and far more likely.
It is to say that a nation-state could, if it wished,
do widespread and enduring damage far exceeding a society's ability to recover.
The U.S. intelligence community is thought to have been aware of Russian cyber activity
against electrical utilities for some months.
Unofficial warnings go back to last autumn, at least, when Symantec produced research
on the activities of Energetic Bear.
Some of the operations are thought to go back to 2015.
The current campaign against U.S. power utilities is said to be a multi-staged one.
No damage to systems or interruption of operations has occurred so far, to anyone's knowledge,
but control system data is said to have been exfiltrated,
and an important part of the campaign has been spear-phishing of electrical utility personnel.
Social media continue to struggle through their rough patch as political research firm Cambridge Analytica
is found to have obtained Facebook personal information on some 50 million individuals during the last U.S. election cycle.
Cambridge Analytica counted the Trump campaign among its clients.
Bot-driven fake Twitter accounts may have been used against the Sanders presidential campaign
by Democratic operators aligned with candidate Clinton.
YouTube is accused of stoking conspiracy theories, most recently with respect to school shootings.
The video-sharing platform has sought to address this problem by linking content to relevant Wikipedia pages.
Wikipedia itself was surprised by the move, on which it wasn't consulted,
and observers are skeptical that such linking is likely to have much effect.
And Facebook suffered a brief period last week where its search autocomplete function
inexplicably defaulted to adult video queries,
apparently tailored to some highly specific tastes,
which, as a family show, we won't further describe.
Congress is therefore barking about new regulation of social media.
It's especially riled up over the Cambridge Analytica affair,
so Facebook seems destined to receive a good deal of unwanted attention from Capitol Hill.
Researchers at Georgetown University's Security and Software Engineering Research Center,
that's the S2ERC, recently compared the security of desktop and virtual browsers.
Paul Brigner is managing director of the S2ERC, and he shares what they found.
Our research was really focused on trying to understand the security implications of running a virtual browser or a cloud-based browser, and in particular a browser-as-a-service type of option. And that is even different from virtual desktop infrastructures, and of course clearly different from running a browser on your local machine. And we really wanted to identify, do you see a big difference when you have that isolated cloud-based environment that is particularly focused on helping users overcome security risks?
And so take us through, how did you do your research and what did you find?
We had a variety of different operating environments. We had some laptops that we were running the Chrome browser on, and we compared that to a particular cloud-based browser. It's the Authentic8 Silo browser that we used in this example. And we identified a number of different sources of malware that we proceeded to download, or attempted to download, and determined if the download was blocked. And in many cases, it was. It was blocked by Chrome in many situations. It was blocked by our cloud-based browser in more situations, for sure.
So there was an immediate difference in that we did find that the cloud-based virtual browser blocked more of the malware from the beginning.
But what was probably even more significant is that after you were able to download some of the malware,
and in both cases that was possible
in the cloud-based and in the isolated environment, that was completely isolated and limited to that
environment, whereas otherwise you would be bringing it down to your desktop and potentially
infecting your entire organization. So with the cloud-based version, even when you download a
file, that download stays remotely on the cloud,
so it doesn't have the opportunity to infect you locally.
Right. And of course, when you take a look at these different types of cloud-based options,
there could be an exposure there if there's not a specific focus on limiting this type of threat.
So if you have a regular desktop virtual infrastructure, it could potentially expose
the files in that virtual environment to the malware. So I think if you focus specifically
on trying to create a virtual cloud-based desktop environment, you still might have some risks.
Now, did you take a look at all at just general usability? Were there any downsides to running your browser remotely?
Any delays when you're running a browser does have an effect on usability.
Of course, there's network latency that can be initially a problem.
What we found is that, and this wasn't part of our study, so we didn't turn this into more of an academic research result, but just in usability, we found that after you use a virtual environment like that, it actually becomes very easy after a short time.
I mean, there is some kind of a transition that you have to go through, but it is something that, once you're used to it, I think you find that the browser in the cloud can even be a better experience for you.
Having completed your research here, do you have any recommendations for security folks?
Creating a secure environment on the web almost requires an entirely different mindset. And that's where this type of virtual browser really comes into play. Honestly, unless you use this type of approach, it's hard to imagine an environment where you're truly safe from threats online. However, when you
do move to an isolated approach like this, where you're essentially entirely protected and that
malware is limited to that virtual environment, you can allow your users to surf the web safely,
and you really don't have those same threats that you're having to deal with.
So I think it requires a change in mindset,
and that is something that I would recommend for companies and organizations to consider.
That's Paul Brigner.
He's the Managing Director of the Security and Software Engineering Research Center,
the S2ERC, at Georgetown University.
Several developing stories involve regulatory enforcement or criminal proceedings.
The U.S. Federal Trade Commission is taking action against three defendants who allegedly were running a cryptocurrency Ponzi scheme.
The defendants operated as the Bitcoin Funding Team and My7 Network.
The U.S. Securities and Exchange Commission has said it's investigating dozens of initial
coin offerings, and the value of Ether has dropped accordingly, falling below $500.
And the government will not have such a difficult burden of proof to bear in the trial of accused NSA hoarder Hal Martin.
The prosecution will not, after all, have to show that Mr. Martin knew the contents of 20 specific documents investigators found in his Glen Burnie, Maryland, shed,
and knew that they were classified.
It will be enough to show that he knew he had a bunch of classified stuff.
As Judge Garbis put it, quote, proof that the defendant knew he was wrongfully retaining the mass of stolen documents is sufficient to satisfy the government's willfulness mens rea obligation under the Espionage Act if the government can prove that the specified charged documents were in the mass of documents taken and wrongfully retained, end quote.
Russia's Central Election Commission says it sustained DDoS attacks over the weekend from 15 countries.
The attacks didn't affect the outcome of the presidential election,
neither perhaps did the votes people cast,
which makes one wonder how even a successful distributed denial-of-service attack
would have made much difference.
Exit polls Sunday show President Putin returned to office with a commanding 74%.
Who saw that coming?
Mr. Putin also announced his 2030 candidacy, perhaps in jest, but perhaps not.
In 2030, he'll be a spry 77, so why not?
And finally, reporting a problem we confess we don't have, the Rosen Group reports
that late model yachts are coming off the slipways with easily compromised routers.
Thurston and Lovey Howell take note, especially before you embark on any three-hour tours.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Malek Ben Salem. She is the R&D Manager for Security at Accenture Labs. She's also a New America Cybersecurity Fellow. Malek, welcome back.
You know, you and I have talked previously about getting ready for deployment of cryptography and some of the challenges there, and today you wanted to share some tips for the sort of short-term preparation for that sort of thing. What can you share with us today?
Yeah, sure. So last time we talked about the threat that quantum computers pose to
the way we encrypt our data to the classical cryptography, right? We know that Shor's
algorithm, for example, can be used for quantum factorization and can be applied to solve discrete logarithm problems.
What that means is that it can break asymmetric standard algorithms.
That means also that it can break RSA, elliptic curve, etc.
So one of the questions that I got from one of my clients was about, does it make sense to invest in fixing
a poorly implemented public key infrastructure if it can be hacked with quantum computers anyway?
And the answer is yes, absolutely. It's always worthwhile investing in your PKI, because that's what's going to prepare you to be able to upgrade to quantum-safe algorithms in the future. And in particular, what you need to focus on is understanding or identifying whether all of your critical applications are working with certificates, identifying which certification authorities, whether internal or external, are responsible for issuing those certificates, having a process for updating cryptographic primitives, making sure that your key life cycle is up to date, making sure that your certificate validation is up to date, and also assessing how the renewal of a certification authority would influence your organization.
So in summary, what you need to do is basically review your entire key management to build
a clean, detailed, and verified key management for your PKI.
Obviously, you need to protect your keys, ideally in hardware security modules.
In that process, you may need to increase the length of your keys. For symmetric keys, we recommend 256 bits in order to be quantum safe. For RSA, at least 3,072 bits. And then you need to document that entire process, and you should be well prepared for the future.
Now, is this the type of thing where, when you're talking to your clients, do you find most people are up to date on this, or do people tend to be lagging behind?
Many people are lagging, at least in terms of having an entire inventory of what those applications are, what the communication channels are, and what the certification update cycle or validation cycle is.
So it's really a case of doing the work now so you can be proactive about it rather than being reactive if and when the quantum computers become practical.
Exactly.
All right. Well, Malek Ben Salem, as always, thanks for joining us.
Thank you.
...is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
compliant. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
...AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your...
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.