CyberWire Daily - The CyberWire 2.3.16

Episode Date: February 3, 2016

SCADA security developments. Security companies fixing product flaws. Retail breaches. Safe Harbor's now Privacy Shield.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe, now at a special discount for our listeners. Today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Starting point is 00:01:57 Updates on BlackEnergy. New standards for critical infrastructure cybersecurity are on the way. Security companies work to close holes in their products. The Super Bowl is coming to Silicon Valley, and hackers have noticed. Safe Harbor is replaced by Privacy Shield. U.S. and Chinese cyber plans are foreshadowed in budgets. And chemtrail hunters say they're going after NASA networks.
Starting point is 00:02:29 This is John Petrik, the CyberWire's editor, in Baltimore, filling in for Dave Bittner with your CyberWire Daily Podcast for Wednesday, February 3rd, 2016. The US ICS-CERT releases updates on its investigation of BlackEnergy and the associated attacks on Ukraine's power grid. There's general agreement that the episode exposes an unpleasantly high degree of vulnerability in utilities, and that fear of the hacker is only the beginning of wisdom. Sound industrial control system security practices are commended to all, and new standards for critical infrastructure protection are on the way. As the influential publication Control Global notes, utilities, and SCADA systems generally,
Starting point is 00:03:08 depend upon wireless backhaul to manage widely distributed stations. So the coming standards are likely to influence many sectors quite distinct from power generation and distribution. As far as the actors behind the attack in western Ukraine are concerned, most continue to see this as a Russian operation. But what one might actually do with attribution remains a vexed question, especially if one doesn't have a badge or carry a gun and isn't building a case for an indictment. Recorded Future tells CSO that businesses do have an interest in attribution, but it's a different interest from a government's. Motivation informs methodology, says Recorded Future's VP of Information Security Strategy,
Starting point is 00:03:49 and knowing in general what an attacker is seeking to accomplish can usefully shape an enterprise's security measures. Two security companies are dealing with flaws in their products this week. Malwarebytes is moving to patch its anti-malware product for man-in-the-middle and privilege escalation vulnerabilities discovered by Google researchers. A complete fix is expected in about a month, but Malwarebytes has offered some interim instructions for remediation. And Google researchers also call out Comodo's Chromodo secure browser. Chromodo disables same-origin policy and hijacks DNS sessions, says Google, all of which could expose users to compromise.
Starting point is 00:04:29 Open Effect and the University of Toronto's Citizen Lab release a study of fitness wearables. They claim to have found Bluetooth security and privacy issues in all of the devices studied, with the exception of the Apple Watch. The most common issue is locational privacy, but at least two of the devices tested, Garmin and Withings, are said to potentially expose fitness information as well. Landry's and Golden Nugget, corporate parents of several well-known U.S. restaurant chains, including Bubba Gump Shrimp, Saltgrass Steak, and McCormick & Schmick's, disclosed that a data breach may have exposed customer pay cards used at its locations between May and December of last year.
Starting point is 00:05:07 This year's Super Bowl, and we note for international listeners that this is the annual championship in American football, will be played this Sunday in Santa Clara, California. The stadium is surrounded by small cities whose names may ring a few bells. Mountain View, Cupertino, Palo Alto, San Jose. Yeah, that's right. The shiny new stadium is in the heart of Silicon Valley, and hackers of all stripes are widely expected to take a close interest in the opportunities this will offer, as techie fans get loosey-goosey and disinhibited around game time.
Starting point is 00:05:38 Organizers and authorities are working hard on security, and how they do will bear watching, at least as closely as the Broncos' and Panthers' line play. The U.S. and the EU, after letting Safe Harbor lapse over the weekend, have agreed to a new data transfer agreement, which they're calling Privacy Shield. It incorporates such steps as creating an ombudsman to handle EU citizens' complaints, an undertaking by the U.S. not to conduct mass surveillance of EU citizens from data shared across the Atlantic, and other measures designed to assuage European worries about privacy. U.S. listeners inclined, however, to mistake the European Union for a techno-libertarian oasis should think twice. The EU is also moving to severely restrict anonymous Bitcoin transactions.
Starting point is 00:06:20 The proposed 2017 U.S. defense budget contains some $7 billion in cyber spending, much of it going to counter perceived threats from Russia and China. China's five-year plan is also out, with hints about that country's cyber plans. Here's the short version. If you're a company competing in some specific market against a Chinese firm, you'd expect to receive attention from Shanghai. Finally, the hacktivists of AnonSec, remember them, are back in the news with claims they've hacked NASA, and specifically that they got access to a NASA Global Hawk drone. NASA says the claimed hack of the drone is a bunch of malarkey, but the space agency is looking closely for evidence of intrusion into its networks.
Starting point is 00:07:02 One might think that AnonSec had chosen its target through a typographical error, mistaking NASA for NSA. It's happened before with other groups. But no, the hacktivists knew what they were after. They were after evidence of NASA complicity in the chemtrail conspiracy, a deep state, above-top-secret effort that's, curiously enough, well-known to listeners of late-night AM talk radio. And this perhaps is timely evidence in support of Recorded Future's conclusion that method follows motivation. And the truth, we hear, is out there. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:07:47 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:08:25 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Thank you. I approach can keep your company safe and compliant. Joining me is Jonathan Katz. He's a professor of computer science at the University of Maryland and director of the Maryland Cybersecurity Center. Jonathan, I want to take our audience through some of the key concepts surrounding encryption, things like plaintext, ciphertext, and key encryption. What can you tell us about that? Well, there are two sorts of encryption schemes. There's private key encryption and public key encryption. In a private key encryption scheme, it's a mechanism that allows two users who have shared some secret information, called a key, in advance to then use that key to communicate
Starting point is 00:10:04 securely. And the way that works is that these two users have shared their key in advance. One user who wants to send the information will take their message, called a plaintext, encrypt it using the key to get some ciphertext, transmit that ciphertext over a public channel to the other party at the other end, and they can then decrypt that ciphertext using the key that they've shared with the other party and recover the original message. And how does that differ from public key encryption? Public key encryption is really amazing. Public key encryption is something that was not even possible until the late 1970s, early 1980s. And what that allows is for two parties to have a secure communication channel without sharing any information in advance,
Starting point is 00:10:44 without sharing the secret key. And the way it works is that you have one party generating a matched pair of keys, one being a public key and one being a so-called private key. The private key is kept secret by that individual, and the public key can be broadcast to the world, sent over a public communication channel to anybody else who wants to communicate with that first individual. Anybody with the public key can then encrypt, take the plaintext as before,
Starting point is 00:11:09 encrypt it to get a ciphertext that they transmit to the first party, and they can then decrypt that using their private key to recover the original message. And this is really amazing. It kind of blows my mind that it's even possible, because it means that you can have two people standing at opposite ends of a room, communicating back and forth with everybody else in the room listening to everything they're saying, and still not being able to figure out what message is being transmitted. Now, it's my understanding that there have been developments related to this with quantum computing. What can you tell us about that? People are very concerned about the advent of quantum computers. And the reason for that is that all the public key encryption algorithms that are currently used are vulnerable in case a quantum computer is ever developed. So what that means is that if we have
Starting point is 00:11:48 quantum computers becoming a reality within the next 20 years or so, all of the encrypted communications currently on the internet will be vulnerable. Thankfully, however, quantum computers are not believed to impact private key encryption as severely. They may allow an attacker to speed up the time required to brute force a key, but they don't fundamentally weaken the algorithms the way they do in the public key case. So in case quantum computers are built, what kinds of things are on the horizon to protect us when that happens? This is really an open research area, and it's something that we're actively working on at the University of Maryland.
Starting point is 00:12:23 We received a grant recently to do some work along with NIST exploring so-called next-generation cryptography that's going to be based on mathematical assumptions that are not currently known or believed to be vulnerable to quantum computers. But it's really entirely open as we speak. Jonathan Katz, thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:13:03 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:13:44 I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
