CyberWire Daily - The CyberWire Daily Podcast 2.12.16

Episode Date: February 12, 2016

In today's podcast, we hear about the possibility that Russian hackers prepared for attacks on Ukraine's power grid with earlier incursions into mining and railroad networks. We consider hacktivists' motives, and relay some news on the arrest of an alleged Cracka with Attitude. More countries look to develop an offensive cyber capability. And we hear from the University of Maryland's Jonathan Katz on provable security. http://thecyberwire.com

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Ukrainian mines and railroads may have been hit in a dress rehearsal for December's attacks on that country's power grid. What the calendar can tell us about forecasting surges in hacktivism and cyber rioting, advice on regarding hacktivist-declared motives with cautious skepticism,
Starting point is 00:02:12 a quick look at the marketplace, and British police think they've collared a Cracka with Attitude. This is John Petrik, the CyberWire's editor in Baltimore, filling in for Dave Bittner with your CyberWire Daily Podcast for Friday, February 12, 2016. Trend Micro reports finding indications that the hackers who interrupted electrical power in western Ukraine back in December made some preliminary attacks on mining and railroad control systems. The trail investigators are following is still KillDisk and BlackEnergy. There's some speculation that the incursions into mining and rail systems were a trial run for the later cycling of power breakers and grid substations. There's also growing recognition that
Starting point is 00:02:58 any number of disparate industrial sectors are susceptible to ICS hacking. The Russian government remains the principal suspect in all of this, and Ukrainian sources haven't been at all shy in making the attribution. U.S. officials have stopped short of moving from suspicion to conclusion, but one senior official, Deputy Energy Secretary Elizabeth Sherwood-Randall, reportedly told an electrical industry conference yesterday that yes, indeed, it was the Russian government. The Department of Energy, citing the matter's sensitivity,
Starting point is 00:03:24 has declined further comment. Looking at the calendar with an eye informed by causes, regional rivalries, and so forth, may help network defenders focus their attention on likely surges of hacktivism. Patriotic hacktivism is, says Recorded Future, foreseeably occasioned by national holidays, anniversaries of violent acts, and even cricket test matches.
Starting point is 00:03:45 Recorded Future's study focuses on patterns of cyber-rioting between Indian and Pakistani hacktivists, but its lessons have more than regional applicability. Hacktivist-declared motivations may or may not represent their real motivations. The CyberWire spoke yesterday with Leo Taddeo, formerly special agent in charge of the Special Operations Cyber Division of the FBI's New York office, and now CSO of Cryptzone. And he made this observation in connection with the recently socially engineered compromise of directory information at the FBI. The DotGovs who claimed responsibility for the hack said they were acting in solidarity with Palestine. But as Taddeo said rather wolfishly, we thought, you don't really know much about hackers' actual motives until they're charged and arrested, at which point you can ask them. He noted, for example, that hackers of the Sony PlayStation Network back in 2011 sought to cloak themselves in the Anonymous brand, but were soon convincingly disavowed by the hacktivist collective.
Starting point is 00:04:38 The hackers turned out in the end to be just crooks. To read the full interview, visit thecyberwire.com. One alleged hacker who's probably being questioned right now is said by authorities to be one of the Crackas with Attitude, the group who claimed responsibility for doxing some senior officials in the U.S. intelligence community. The Crackas presented themselves as both pro-Palestinian and as teenagers. The latter at least seems to be true. Police in the British East Midlands picked up a kid who's said to be either 15 or 16.
Starting point is 00:05:06 Reports vary. And the US FBI is reported to have been working with UK police. The arrested boy, unnamed because of his youth, is said to have asked in his last tweet, anybody know a good lawyer? Carbanak and other threats continue to plague the financial sector. A ThreatMetrix report on cyber risks to banks is being glossed in the press as representing the sector as, quote, on high alert. That banks and other financial institutions take cyber threats seriously is beyond question. ThreatMetrix thinks the most dangerous trend banks will see in 2016 is a rise in bot attacks, with the potential to cost banks
Starting point is 00:05:41 millions in lost business. Mozilla has issued patches for both Firefox and Firefox ESR. Observers look back at Patch Tuesday and conclude that older versions of Microsoft Internet Explorer, specifically versions IE 7, 8, 9, and 10, are now, as Computerworld puts it, quote, officially vulnerable. It seems a near certainty that holes patched in IE 11 and Edge exist, unpatched, in the older instances of Explorer. As the Internet of Things expands through industrial control systems, consumer products, and self-driving cars, standards bodies continue to evolve security guidelines. Automation World says that it sees signs of an approach to security that's less IT-centric
Starting point is 00:06:20 than those approaches vendors have hitherto tended to apply to their IoT systems.
Starting point is 00:09:12 In the IoT and elsewhere, designing security into systems remains an important goal. The CyberWire spoke recently with the University of Maryland's Jonathan Katz on one aspect of this challenge, provable security. Here's what he had to say. Once again, I'm joined by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also the director of the Maryland Cyber Security Center. Jonathan, let's talk about provable security. Tell me what that is. Historically speaking, crypto systems,
Starting point is 00:09:52 and in particular encryption schemes, were developed in a pretty much ad hoc fashion. People would develop a scheme, they would throw it out there, and then they would hope for the best, essentially. And starting in the early to mid-1980s, people began really sitting down and thinking through what they actually wanted from an encryption scheme, and they came up with the idea that after defining precisely what security properties you wanted, you could also potentially prove security of a particular scheme based on some mathematical assumption.
Starting point is 00:10:20 So give us an idea, how exactly do they work? The basic idea is that, first of all, you have to isolate a mathematical assumption that you believe to be true, and this is, in the area of cryptography, going to involve some mathematical problem that you believe to be computationally hard. A lot of people listening are probably familiar with the idea that factoring is a problem of that nature, where we don't currently know any efficient algorithms for factoring, and so you can try to then build the schemes based on the hardness of factoring large numbers.
Starting point is 00:10:47 So you first have your mathematical assumption, then you come up with a definition of what it is you're trying to achieve using some particular scheme. So for the case of encryption, you would define exactly what it means to hide the contents of a message to an adversary who observes the ciphertext
Starting point is 00:11:03 going back and forth between two people communicating. Given those two things, the assumption and the definition, you can then construct a scheme and prove that the scheme satisfies the definition you came up with based on your underlying mathematical assumption. All right, so you keep using the word assumption. Once you have your proof, do they end up being secure? Has there ever been examples of them, of later on it being discovered that a system is in fact insecure? That's a great question. And this is part of what makes cryptography so interesting. Now, if you have a provably secure scheme, the guarantee you have is that as long as your assumption is true, the scheme that you've analyzed is indeed secure. But that can fail in the real world in several different ways. First of all, it can turn
Starting point is 00:11:44 out that the assumption is simply wrong. People are probably familiar with this happening with the example of MD5. You might have a protocol which was secure when based on a good hash function, and people might have developed those protocols based on MD5. But then a few years back, MD5 was actually discovered to not be such a good hash function. And in that case, no matter how good the protocol was that you built on top of it, the protocol might be insecure. So that's one area where things can go wrong,
Starting point is 00:12:09 where the assumption is actually simply incorrect. A second area where things can go wrong is that you've given a proof of some scheme meeting some definition, but the definition might not correspond to what you actually want in the real world. For example, your definition might protect against a certain class of attacks, but in the real world, the attacker might be more clever or have more resources available that would allow them to mount other attacks that you haven't considered in your definition. Finally, there's a very important example of implementation values. So the proofs of security are idealized mathematical proofs of a particular specified scheme. But when you actually go and implement these schemes in the real world,
Starting point is 00:12:47 very often we find that programmers make errors when they're implementing them. And once you have an implementation which is not done precisely according to the specification, all bets are off and the proof may no longer apply. All right, fascinating stuff. Jonathan, thanks again for joining us. The markets continue to yield a very mixed picture of the cyber sector, with some analysts crying caution and disappointment, others seeing sound direction and good buying opportunities.
Starting point is 00:13:14 FireEye and CyberArk reported mixed results this week, and the disappointing parts of that mix appear today to be hitting Palo Alto's share price as well. Symantec's better-than-expected results have attracted analysts' attention too. Internationally, Finland appears ready to up its cyber offensive game, and policy types in India, Taiwan, and elsewhere mull the value of creating a culture of security, that is, effectively, of creating cyber militias. The challenge will be, of course, to keep those militias well regulated.
Starting point is 00:14:05 And that's The CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner.
Starting point is 00:14:44 Thanks for listening.
