CyberWire Daily - Preparing for grid attacks. Notes on breaches, crime, and punishment. And Facebook's no-good, bad, awful week.
Episode Date: March 21, 2018

In today's podcast we hear that the US Department of Energy says the power grid is preparing for Russian attacks. Teenager finds flaw in hardware wallet. Travel service Orbitz suffers a data breach. Lauri Love won't be extradited to the US. Notes from today's Billington International CyberSecurity Summit. And Facebook's truly awful week continues: the Silicon Age is looking right now a lot like the end stages of the Gilded Age. Jonathan Katz from UMD on the security of e-passports. Guest is J.R. Cunningham from Optiv, with advice to not get carried away with GDPR.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. Department of Energy says the power grid is preparing for Russian attacks.
A teenager finds a flaw in hardware wallets.
Travel service Orbitz suffers a data breach.
Lauri Love won't be extradited to the U.S.
We've got notes from today's Billington International Cybersecurity Summit.
And Facebook's truly awful week continues.
The Silicon Age is looking right now a lot like the end stages of the Gilded Age.
I'm Dave Bittner with your CyberWire summary for Wednesday, March 21, 2018.
U.S. Energy Secretary Perry has told Congress it may expect prompt action to ensure the power grid's security.
Secretary Perry expressed confidence that the grid is capable of resisting Russian cyberattacks and that the North American power distribution system has indeed adapted to the
threat. It's a difficult challenge. We hope the Secretary's measured confidence turns out to be
justified. Before we turn to Facebook and Cambridge Analytica, it's almost refreshing to be able to
report some conventional hacks and vulnerabilities.
A teenaged researcher has found a vulnerability in the popular cryptocurrency hardware wallet Ledger. British teenager Saleem Rashid is the one who counted coup and disclosed it,
so bravo to him, especially for his restraint and responsibility.
He forwarded his proof of concept to Ledger some four months ago.
Online travel service Orbitz has been hacked, with the crooks making off with some 800,000 customer records.
And British hacker Lauri Love, famous for allegedly getting illegal access to a number of U.S. government sites in his search for evidence that Washington is covering up its dealings with extraterrestrials, will not ever face extradition to the United States.
British courts found that he'd be likely to commit suicide under barbarous Yankee justice, so he's safe at home.
Mr. Love has done some unseemly crowing about how he exposed massive human rights violations in the U.S.
His case is instructive in at least two ways.
First, a claim of psychological frailty can work to your advantage.
Second, cranks pursuing fringe projects can work a great deal of damage.
With each passing day, the GDPR compliance deadline grows closer,
and there's growing consensus that many organizations are not going to be completely ready in time.
J.R. Cunningham is Vice President of Advisory Services Product Management at Optiv,
and he says, don't panic.
If you look at the history of sweeping legislation around cybersecurity or privacy or data,
what we've seen in the past is anytime we panic and race towards compliance,
we don't get the desired outcome. Examples would be FISMA back in 2002, HIPAA in 1996,
the PCI industry standard. If we take the PCI example, for instance, here we have an industry
standard around credit card security. And of course, we saw in 2012, 13, 14, that retail breaches were increasing in severity, frequency, cost.
2015 was the year of the health care breach. That was decades after the passage of HIPAA. So what we see is that when organizations panic and race towards compliance with the
legislation of the day, and they don't pay attention to the rest of the goings-on in
their information security program, that's the result. I think there's a lot of fear that
European regulators are going to make examples of organizations. Do you think that's likely to happen? I think the history of European regulations
is precisely that. If you look at antitrust cases in the late 90s and early 2000s, it is kind of
the European way to find egregious examples of noncompliance and make an example and levy fines.
However, that's not to say that our perspective is that the European regulators
are going to be running around with their ticket books looking to write citations,
especially early on.
European enforcement of laws such as this tend to be more focused on the spirit of compliance
rather than the exact letter of compliance.
And so it would not be unforeseen for regulators to go after some really big fish,
especially if they're American companies.
As I mentioned, we've seen this in the past.
But we really don't get the sense that this is going to turn into a feeding frenzy.
So what are your recommendations for companies as we head towards that May deadline?
There are a whole lot of things that an organization should be doing
around data protection and privacy
that are part of an overall healthy privacy and information security program.
Being able to answer questions,
what data do I have that's GDPR relevant?
Where is the data in my organization?
What measures do I have in place to protect that information,
not only on-premises, but as well,
third parties, outside providers? And then perhaps most importantly, can I respond effectively if
something bad happens if I do have an incident? These are steps that make a lot of sense,
even without something like GDPR. You know, the other thing that is important is considering the
perspective of the data subject.
Here in the United States, we tend to have the view that when we provide data to a company, that data is just gone.
And, you know, the company has it and can do whatever they want with it.
GDPR puts upon us a requirement to be more transparent with the consumer on why we're collecting data, what we intend to do with it, how long we're going to keep it.
And so having these practices inside the organization are part of an effective information security
and information risk program that will also get us to where we need to be from a GDPR compliance point of view.
Now, one of the things you mentioned in the notes that you sent over is this notion of being able to demonstrate an intent to comply. Can you explain that to us?
Article 5 of the GDPR dives into the principles of the law. So all of the other 99 articles in the law really boil
down to these principles, and these principles are being lawful and fair and
transparent about our use of information, minimizing the information, ensuring that
anything that we do with this information is consistent with our stated business purpose,
and we're not doing other things with the information, and then, of course, protecting
the data. So being compliant with that spirit of the GDPR is kind of that critical first step.
What we're hearing from the market is that most
organizations are not going to be fully compliant by May 25th. So having a plan and having that plan
tied back to those principles found in Article 5 are really essential in order to be able to
demonstrate a spirit of compliance. I guess I'm trying to unpack the balance here between taking proper precautions,
but also not getting carried away. There's an enormous amount of noise around GDPR. And if you
look at what specifically a lot of security product companies are saying, they're tying
their products with a perceived need within GDPR.
And GDPR really does not go into the depth of specifying types of technology.
GDPR talks about, you know, considering the state of the art and taking a risk-balanced approach.
Articles 25 and 32 specifically refer to taking a risk-based approach,
So in conjunction with not panicking, there's so much noise around the information security space
that it would be really easy to fall victim to the idea that buying a few pieces of technology
will get us where we need to be from a GDPR point of view.
And nothing could be further from the truth.
GDPR is a combination of things that have to be done within the legal department,
within cybersecurity, and then, of course, the IT department,
specifically around data subject rights, that's Chapter 3 of GDPR.
That's J.R. Cunningham from Optiv.
Facebook faces a very strong consumer backlash over the Cambridge Analytica affair.
While Cambridge Analytica appears to have used data from Facebook in unanticipated ways,
there are now more reports of similar use of customer information by others, including other political campaigns and consultants,
sometimes with the tacit acquiescence of Facebook itself.
The current case, it's worth emphasizing, is not a data breach,
but rather analysis and use of information the owners provided Facebook
and the correlation of that information with the other digital contrails
people leave behind them as they move across cyberspace. The U.S. Congress intends to summon Facebook executives to testify
on the company's data use policies, and the Federal Trade Commission has opened an investigation.
There's international investigative interest as well. Both the British and European parliaments
want to hear from Facebook's leaders. Much of the scandal derives from the bragging attributed to Cambridge Analytica leaders,
particularly recently suspended CEO Alexander Nix,
who's been disporting himself like a body double from the Kingsman movies.
Not only is the boastful chit-chat about honey traps discreditable and unsavory,
but even more disturbing are what
panelists at today's Billington International Cybersecurity Summit characterize as claims to
be able to manipulate the thinking of particular individuals, and of course, to influence their
voting. It's worth mentioning that this is persuasion, not mind control out of science
fiction, and so it's perhaps best understood as a marketing scandal.
Many observers call this a tipping point for the tech industry as a whole,
dependent, as it is, on its ability to monetize personal information for marketing.
A piece in the San Jose Mercury News suggests that Silicon Valley is ripe for antitrust
and other strong regulatory treatment.
The Mercury News calls public mistrust and resentment unprecedented,
but there is a precedent, just not in the tech sector. Silicon Valley increasingly looks like the oil and steel sectors did when the trust busters turned on them at the end of the 19th
century's Gilded Age. The faces of Facebook, Mark Zuckerberg and Sheryl Sandberg, have been little
seen. Many suggest it's time for them to lean in.
People interested in crisis management will watch the company's handling of the matter closely.
This isn't, remember, a technical issue or a data breach.
It's a crisis deriving from company policies and practices,
arguably from anticipated or unanticipated aspects of its business model.
So public affairs would be particularly important in containing the damage.
One aspect of sound incident response practice Facebook may have got right
is to involve the lawyers early and often.
Their general counsel is said to have been leading the crisis response meetings.
Good to be lawyered up, but it's no substitute for the very public faces of the brand.
In any case, we expect to see class action suits soon.
More regulation, too.
We're in Washington today at the third annual Billington Cybersecurity Summit.
The federal government may be closed due to the early spring blizzard we're experiencing here in the Middle Atlantic,
but the summit is going on as scheduled.
Security experts from four continents are here making presentations.
There's unsurprising unanimity so far concerning the necessity of collaboration
between government and the private sector.
Not only does every threat travel through privately owned infrastructure at some point,
and not only are much, arguably most, critical assets in private hands,
but there's also a question of capacity.
There's also some clear consensus on the ambivalence of technological advance.
As David Koh, Singapore's Commissioner of Cybersecurity, put it,
"We have to get a better understanding of the risks and vulnerabilities of new technologies.
We can't concentrate only on the upside of technology and disregard the downside.
That's a recipe for disaster. We exploit the technology and run the risk of being exploited ourselves."
And I'm pleased to be joined once again by Jonathan Katz.
He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
We had a story come by via Naked Security about e-passports.
And I remember there was a lot of attention when U.S. passports started having electronic chips built in to have information stored on them.
But it turns out that people have not been able to use this feature of passports.
What's going on here?
Yeah, so these new electronic passports, well, not even so new anymore.
They've been around for more than 10 years.
But the idea was to make them more difficult to forge.
So the information about a person, you know, their name and address and age
and whatever other information would be stored on a computer chip rather than, you know, just
being stored in print like in the old days. And the idea would be that that information would be
cryptographically protected. It would be signed. And then that information would then be verified
when that person came to cross the U.S. border. And the problem was that even though those cryptographic techniques
were implemented on the passport,
the software at the border crossing seems not to have been implemented properly,
and it seems like they were never actually verifying
the integrity of the data that they were reading.
So that basically means that even though you have all this nice cryptography
on the passport itself, it's all for naught because they just weren't checking it at the border.
And does that make it useless? I mean, is it a point where you can't extract the data from the passport because you don't have the proper software?
Well, I think the issue is, you know, so I don't know whether anybody was ever actually able to exploit it.
You know, it's certainly a risk. If you didn't know whether or not they were verifying or not, then, you know, you would
take a risk going to the border with invalid information.
And, you know, it would only be after the fact that you would realize that they never
actually verified anything.
So I don't know to what extent this was ever actually exploited, but it certainly looks
bad, right?
Because we go through all the difficulty and all the expense, obviously, of changing these passports, and then to not even have the appropriate software at the other end to
read them properly, kind of an embarrassment, frankly. And from a big picture point of view,
I mean, if we're talking about an encryption that is 10 years old, the techniques are 10 years old,
does that mean by modern standards they would be obsolete or ancient, or would they still hold up?
No, not at all. So the cryptographic
techniques themselves should be
fine. There's nothing
wrong with the techniques themselves. It's just that
you've got to obviously be implementing them
properly on both ends.
Alright. Interesting stuff. You can bring a horse
to water, but you can't make him drink.
You can't make this stuff up.
That's right.
Jonathan Katz, as always, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our
daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.