Tech Brew Ride Home - Security Checkin with Dave Bittner of Cyberwire

Episode Date: April 28, 2019

I wanted to talk to Dave Bittner of CyberWire because the CyberWire podcasts are my go-to source for keeping up with the security space in a broad way. And I'm glad I did, Dave is a super knowledgeable pro, and we do get into things like those huge credential dumps, password best practices and that Triton virus that has me so worried. But we started off by going on a weird tangent about Facebook where I found myself arguing for Facebook for some reason, and we ended by really going off the rails and talking about the Fermi Paradox and aliens. It ended up being a really fun chat. :)

Sponsors: Capterra.com/ride remars.Amazon.com

Passwords article we discuss

Transcript
Starting point is 00:00:00 Welcome to a weekend bonus episode of the Tech Meme Ride Home. I'm Brian McCullough. Hope you all are having a lovely Sunday.
Starting point is 00:00:42 I wanted to talk to Dave Bittner this week of CyberWire because the CyberWire family of podcasts are my go-to source for keeping up with the security space in general. And I'm glad I did get to speak to Dave because he's a super knowledgeable pro. And we get into things like those huge credential dumps recently, password best practices and that Triton virus that has me so worried. But we started off by going on a weird tangent about Facebook, where I somehow found myself arguing for Facebook for some reason.
Starting point is 00:01:15 And we ended by going really off the rails and talking about the Fermi paradox and aliens. It ended up being a really fun chat, I think. Please check out the Cyberwire Podcasts wherever you get your pods. Enjoy. I guess what everybody is talking about today vis-a-vis Facebook is that they say they've got to set aside X number of billion dollars to pay an expected FTC fine, and yet the stock goes up and investors are cheering. I'm not surprised by that. Are you? I'm not surprised by it, but I would say I'm disheartened by it. That is the cold calculation that is made by investors these days, that I guess removing consideration of whether
Starting point is 00:02:08 something or not is the right thing to do. It's really, how is this going to affect our bottom line? And I suppose you could make arguments that that is what they are supposed to do, but, just, you know, for me personally, I find that a little bit distressing. Well, I mean, you, it's kind of, you have to understand the psychology of the investor class, and it's all about, okay, you know, removing risks, unknown unknowns and things like that. So essentially what Facebook telegraphed is the size of the fine so that in an investor's mind, okay, this is a quantifiable thing that I know about, and so it's not an unknown out there.
Starting point is 00:02:45 So that's the thing. Yeah. It's instructive to know these things about investor psychology so that even if a company announces horrible losses or something, if investors didn't know the size of that loss, just knowing, you know, can send a stock up, even if it announces something horrible. Right. Now, that's an excellent point. Removing some of that uncertainty, it puts them at ease. Yeah, and then, you know, also, given that, you know, on the, on the day that they announced record Q1 revenue, it, if the fine does come down in the neighborhood that they're
Starting point is 00:03:21 telegraphing, well, it's a drop in the bucket. It's easy to handle. Right. And again, I think that's one of the frustrating parts for folks who would hope that these sorts of fines could cause change. Does this hurt enough for Facebook? We saw a story in the Washington Post this week that Senator Wyden, he's a Democrat from Oregon, he's a ranking member of the Senate Finance Committee, he's been talking about going after Mark Zuckerberg himself, making him individually liable for some of these privacy violations.
Starting point is 00:03:57 That's interesting in itself. Yeah, and there has been talk about, it was either the FTC or the Justice Department that was looking at past statements and things like that. I don't know. I don't know why all of a sudden I'm finding myself like playing devil's advocate here. But, you know, the argument can be made that we are already seeing change. It's just not the change that would give you catharsis where, you know, oh, I come to you, palms turned upwards and I'm sorry for what we've done in the past and we're going to shut down
Starting point is 00:04:27 these lines of business that you think are creepy. No, they're changing to, in theory, a different business model of just messaging, encryption, and privacy and all that stuff. Again, it might not give you the catharsis you want, but it is change, right? Do you, well, it's change if you believe that they're actually going to do that. And I'm not convinced that they are. At this point, I have trouble believing anything that comes out of Facebook, because just living in an evidence-based world that, you know, that time and time again, every time they say they're sorry, you just wait and the clock starts ticking and news breaks about some other privacy violation. Yeah, but, okay, so you're definitely in the camp then you're saying of people who are like,
Starting point is 00:05:12 well, this is all just a bunch of PR-friendly smoke and mirrors to buy time to keep doing what they've always done. I suspect that's the case, yeah. So again, this is funny. I can't believe that I'm on the other side of this right now. Well, what makes you think, what makes you take that side? Why do you think it could happen? The one thing that I have 100% faith in, it's that Mark Zuckerberg has always based running this company 100% on metrics. Like in my book, there's that famous anecdote that like early on, like in the first couple months of running the company, they could tell with like 90% accuracy if two users were going to be in a relationship or not just based on like the interactions that they saw on Facebook.
Starting point is 00:05:51 So I believe 100% that they're seeing overall usage declining. And again, that's not borne out in the actual daily or monthly active user numbers or anything like that. But they will know sooner than any of us. They will have known for maybe two years now that the average people in North America are sharing less, using less, time spent on less. They can see the data that, and he's been very public about this, about that things are moving towards stories and things like that. So I do believe that he will always skate to where the puck is going because he has that information sooner than anybody else.
Starting point is 00:06:29 Hmm. Yeah. It just so happens that if I don't know for sure that we'll end up in the business model that they're describing, moving to more of a messaging-based company, more of everything behind encryption company. That just so happens to dovetail with things that buy them a little bit of PR. And it just so happens if that was the business model, it would be harder for people to blame them for stuff. But also, I do think this is the thing that put me over the
Starting point is 00:06:58 edge with this. I believe that their experiments in crypto are real. And they can see, again, Zuck always looks at all the competitors. Sometimes he buys companies so he can spy on other competitors and see what's popular. They're looking at all these super apps in China and Asia where everybody is living their entire lives inside the apps and it's how you get around, it's how you do your banking, it's how you do all your buying. And so when they talk about like on the earnings call that like in the future, the majority of our revenue could come from commerce, I think that that's skating to where the puck is going. Hmm. I think that's interesting. And I'll share just another personal anecdote, you know, earlier this week, in fact, I saw,
Starting point is 00:07:44 a friend of mine on Facebook, someone who I went to college with, you know, she was raising money for a non-profit, something that she supported. And she said, you know, please help me with this. And I thought, well, that's something I'm interested in. And I'd like to, I'd like to help my friend. And I clicked through in it. And it was Facebook asking me for my credit card information. And I stopped short. And I said, the last thing in the world I'm going to do is share my credit card information with Facebook. Now, that's just me. And, you know, you can tell based on our conversation, that, you know, my hackles are a bit up when it comes to Facebook. But I wonder, I guess what I'm trying to get to is that you can't underestimate that trust is a component in how much people are going to allow Facebook to have their access to so many different parts of people's lives.
Starting point is 00:08:34 I think people are on the defensive and leaning back a little bit right now, and it'll be interesting to see how that plays out and continues. Yeah, and listen, I mean, none of my listeners have to be convinced. that I am as exasperated by Facebook as anyone. So, again, I don't know how I ended up playing devil's advocate there. One thing that I wonder if you could, shifting gears a bit here, if you could give me some more information on because this is really outside my realm of knowledge. And sometimes to me, things like, you know, this new exploit seems like every other exploit I've heard of. This new, you know, virus seems like every other exploit I've heard of.
Starting point is 00:09:11 this new, you know, virus seems like every, but this Triton thing. Yeah. I'm wondering if you have any more, if you could do a knowledge dump of any degree to me about Triton? Because this one seems like the scariest thing I've heard in the realm of cybersecurity in a long time. It has the potential to be very bad. The folks that I've spoken to about it, particularly Robert M. Lee over at Dragos, they're an industrial control system security company, and I think his message is, yes, this is serious, but let's not panic. This is certainly new, this is something to be
Starting point is 00:09:53 concerned about, but, you know, it's not the end of the world. What's happening with Triton, and some people also refer to it as Trisis, so if you're tracking this you could see both of those names, there was a petrochemical plant in Saudi Arabia, according to reports, that in summer of 2017, they were having a situation where some of their safety control systems were switching into fail-safe mode. And what that means is, in these complex industrial systems where you have physical things happening, you have valves opening and closing, and you have chemicals and liquids and things, and steam and so on and so forth, running through the plant, they are designed in such a way that if something goes wrong or if a system can't
Starting point is 00:10:41 figure out what's going on, it goes into a safe mode. It shuts the system down. The whole point is to not have anything get worse or to cause loss of life or the release of dangerous chemicals, all that kind of stuff. It's literally a failsafe. That's right. That is, I mean, it's funny. When this stuff started coming out about this story, I sort of connected the dots. I'd use the term failsafe, as I think we all have, but I'd never really connected it to the actual physical world that yeah, these are systems that are designed when they fail to be safe. And that's what's going on here. So what they discovered was in this petrochemical plant, they were using a controller for some of their safety systems. It's a system called Triconex, and it's made by a company
Starting point is 00:11:31 called Schneider Electric. They're a company out of France. And bad guys had gotten into this safety controller and had managed to modify its firmware, which is really the low-level controls of this actual piece of hardware, and they were able to gain control of it. They were able to load software onto it. They were able to monitor what was going on with it. They were able to make it do the things they wanted to have it do and report the things they wanted to have it report. The danger of this is that this is a safety controller. So if something goes wrong in the plant, and the plant signals to the safety controller, hey, there's something wrong, please shut down these systems.
Starting point is 00:12:14 Well, if bad guys have control of that safety controller, they can report back to the people who are monitoring this, hey, everything's fine, nothing's going wrong, everything's good, and meanwhile, things down on the plant floor might be going horrifically wrong. Well, is it just that, or is the idea here also that it could trigger something to go bad? Like, could these systems, also be used to, I don't know, cycle up something like in the nuclear reactor sort of analogy or something like that to cause some sort of a catastrophe?
Starting point is 00:12:48 I think, yeah, I think theoretically that's within the realm of possibility. Anytime you have a piece of hardware like this that has access to the physical controllers in a plant, if someone has that type of control remotely, which is what Triton did, then you have the potential for sending rogue commands to those, but then also reporting to the monitoring systems, hiding those commands from the monitoring systems, which can sort of be a double whammy. And then, if I remember correctly, the most recent story I did on this where they saw it in action again, it seemed like whoever was behind it wasn't actively trying to take control. It was more like they were burrowing in. They were trying hard not to be observed, but they were almost like trying to embed themselves.
Starting point is 00:13:37 So it's almost like sleeper cell-like. Once we know we're in here, then we'll just save this for when we need to use it. Yeah, yeah. The term we use is battle space preparation. There you go. They were, and they were trying to not get caught. They got caught because some of the software they put in there triggered. And these Triconex safety controllers have, I guess, a self-auditing mode where they go in and they analyze themselves
Starting point is 00:14:07 to make sure that nothing's changed. And the people who made this malware made a mistake. It got triggered, and that set the safety controller into a fail-safe mode, which is what caused the folks to take a closer look at it. And evidently, this happened more than once before they realized that there was somebody in the system. I want to say the evidence was that the bad guys were in this network since around 2014. And folks are saying that it was, some people are reporting that this was the Russians.
Starting point is 00:14:42 Right, that was going to be my next question. Like, who do we think is, like, is it a state actor? It doesn't, it doesn't feel like these are just random jerks from the dark web playing. Yeah. No, because there's, there's no money to be made here. We're not stealing credit cards. I suppose you could say there's, there could be a ransom. Yeah, yeah, it could be a ransom, you know,
Starting point is 00:15:04 give us all your money or we'll blow up the plant. But that doesn't seem to be what's going on here. So with the sophistication that they've seen, I believe they discovered some Cyrillic characters within the code. It's hard to know for sure because anybody can put Cyrillic characters in code, right? That's what you would do to cover your tracks, right? Right. It's exactly what they'd be expecting us to do, right? So, but that's the most recent reporting that I've seen is that people seem to have a fair amount of confidence that this was the Russians. And they're just trying to get in there. So they have these capabilities if somewhere along the lines they feel as though they might need them.
Starting point is 00:15:46 All right, shifting gears radically again. One of the other stories that I've done a couple times in the last few months from the security realm has been these mega dumps from the previous, I don't know, I guess it was the Yahoo one. But essentially, there's a couple of huge caches out there now that there are literally hundreds of millions of people's credentials out there. So essentially, basically, all of us have some account or credentials somewhere that were compromised, even if it was your MySpace from 2006 or something. Yeah, yeah. Odds are you're in one of those. And of course, the Have I Been Pwned database is a great place to check that out, Troy Hunt's database. So you turned me on to this great article that I hope I remember to put in the show notes.
Starting point is 00:16:35 But this is actually, again, this is a wild shift of what we're actually considering here. But this has actually been a boon for analyzing the psychology of how people pick passwords and things like that. So again, there's this article that will be on the show notes about looking at this and using this corpus of data to analyze. And we're just going to, I'm actually just going to go down some of the things I found interesting. So we all know that obviously there's like 30 passwords that account for like a fourth of all the dumb passwords people use, you know, going from 1, 2, 3, 4 to 1, 1, 1, 1, 1, 1, to all that stuff. Yeah. And then, you know, I guess I would have known this, but I'd never seen this written out before. Like, like, if you're a hacker, if you just guess using the top 10 passwords, you're going to be successful something like 16 out of 1,000 times.
Starting point is 00:17:28 Right. So it's super easy to have decent results just by relying on people's stupidity. Right. And there are tools available that take advantage of these things. So you can hammer away at someone's password. And the first place that this tool starts is with all of the established well-known, easy-to-crack passwords. Right.
Starting point is 00:17:48 And then like you can within, I don't know, nine seconds, if you just run through everything, you can see, oh, I had 100,000 people and I got 6,000 out of that 100,000 or whatever, you know. Yeah. So the thing, though, is that I found fascinating was even when people try to get a little more sophisticated, there's always patterns that are easily exploitable as well. So starting with, okay, I can't use, you know, whatever, I'll use whatever, but then I'll add a number to it. But then most people only add one digit. So that's really easy. Right. Right, well, because a lot of times you'll go to create a password and the organization will say there must be a digit.
Starting point is 00:18:30 And what this study found is that 23% of people simply add a one to the end of their password. And then patterns in a different way. So, you know, one of the most common passwords is Q-W-E-R-T-Y. Right. But then there's a ton of passwords where if you look at them on paper, they look like, well, that's a random string of whatever. But then if you look at a keyboard or whatever, it's really not. So you're not really being a genius if you do G-Y-H-U-J-I-K-O-L because all you've done has gone up and down on a QWERTY keyboard and probably a bunch of other people have done that same pattern. Right, right.
Starting point is 00:19:10 And that pattern's going to be in the hit list for the cracking software. Right. And then it's going to evolve because now people are having to create passwords on touch devices. but then again, so the patterns will just change, but then, you know, if you're thinking, like, imagine holding up a phone and having, you know, the number pad or whatever. And so then people will start doing an X, and then that'll look like a random string, but it's really just doing an X on, you know, the number pad and things like that. Yeah. Yeah. Go ahead. Well, I think that the take home for me out of this article, and I think this is really interesting research, so I recommend
Starting point is 00:19:51 people check it out, is that no matter how clever you think you are with your password routine, and we've all established password routines for ourselves over the years, no matter how clever you think you are, you're not. You are not clever. Someone else has figured it out. You're not the first person to do it. You're not the last. The best way to handle this is to use a password manager and have it generate random strings for you. Right. And there was that one, they also got into like the passwords, you know, famous people use. And so like there was some Huffington Post editor or something that, you know, clearly an
Starting point is 00:20:27 X-Files fan did trust no one. Well, of course, how many other people that were of, you know, the era of X-Files did trust no one. But then they were clever because the, I think the O was a zero and the one was the number one. But again, right? It's the same sort of easy pattern. Okay, real quick, I loved these two little bits of these little nuggets here. People who use first names or their names and their year of birth in their addresses
Starting point is 00:20:59 tend to skew toward men, but also people born in the 80s. I don't think the article had any reason for that. Well, yeah, I don't know. Being a child of the 80s and seeing that, David was one of the top ones in there. I noticed Brian is not in there, so I guess you're out of the woods there. I don't know. We're kids of the 80s, that's self-absorbed, and I suppose I can't deny it, but it's an interesting little side note they made there.
Starting point is 00:21:34 Well, I was even wondering if it's, because then, again, it's skewed more towards men. Is that like some sort of a weird male ego thing? It's like, you know, this is my year, this is my year. I mean, like something like that. But then, because then the other interesting thing that I made note of was like the gender differences are probably legion. Like in one of the sets of data, like women are twice as likely to have the word love contained in their passwords than men. Mm-hmm. Which is, which is funny.
Starting point is 00:22:07 But then that, again, that comes back to patterns because like they said in the research, you could, looking at the data, you could create these pools and then just based on passwords, you could be like, well, this set of passwords is likely female users, likely of this age range, maybe even likely of this geographic region, that sort of thing. Right, right. So even simply based on your password, they can infer a bunch of things about you. It's ironic that the thing that is supposed to be masking your identity and providing you privacy is like anything else in this crazy data world. It's just another data point that can unmask you really. Yeah, yeah. It's an amazing time to be alive, Brian, isn't it?
Starting point is 00:22:47 Well, so two quick questions. You said, of course, password manager is the only viable option, but then it's only really useful if you do use the random password generator. Yes. And then... Well, the other thing that a password manager does is it keeps tabs on you as to whether you're reusing passwords. Right. And they'll say, uh-uh-uh.
Starting point is 00:23:12 Well, and the point is, is that if you're going to use a password manager, at the very least use the random password generator. And at the very least, make each one different because that's the whole point of this. It's like how ships have those holes and ships are created so that if something gets compromised, the whole ship doesn't go down. And that's the whole point, yeah. Yeah, yeah. Okay, then, yeah, go ahead. Well, I was going to say, and also, if something's important to you, use multifactor authentication. Right. How do you feel about the actual physical keys?
Starting point is 00:23:43 I like them. I like them. It's something we use here at Cyberwire for some of our important things. With a password manager, with the keys like that, the initial resistance is, how much is this going to slow me down? How much of a pain is this going to be? And I'll say having gone through the transitions to both a password manager and a physical key, it's really not that bad, and the amount of security you gain from them is worth it. So I recommend them.
Starting point is 00:24:11 And then using the actual authenticator apps like Authy and Gmail or Google have is superior to SMS. Correct. Even though it's like a layered, this is better than nothing. This is better than that. This is better. So SMS is good, better than nothing. Much better than nothing. But it's still not perfect.
Starting point is 00:24:35 Correct. And the little authentication apps are even better. And the reason for them being better is because, in theory, my SMS can be intercepted. Correct. If someone wanted to bad enough, they could spoof your SMS and they could get the organization to send them that code and off they go. Very last question then. I have been told recently that you don't necessarily have to do uppercase, lowercase, numbers, letters, random characters, that actually you can do like three random letters separated by dashes.
Starting point is 00:25:14 And that's better, I was told, because it encourages you to have greater entropy so that you'll have a password that's actually 20 characters long. Is that correct? Or have I been misinformed? No, I think that's right on. Entropy is the thing. And this article talks about entropy and how they track it. I would say with passwords, longer is better. So stringing together a random series of words that you could remember is better than a short, a single word and a series of numbers. The longer that password is, the more time it's going to take for someone to try to crack it and the more likely they are to move on to the person who has the easier password than you. Is it still true that if it's truly random and it's long enough, has enough entropy that all of the computers and all of the
Starting point is 00:26:07 world would still take a thousand years and still in theory not be able to crack it. Is that still true? Does the math still win out in the end right now? As far as I know it does, when we get to some of these cryptographic routines, some of the experts I've talked to have said that you start bumping up against the laws of physics where, you know, the amount of energy available in the universe starts to become a factor. If things are going to change, there's a lot of fear or fear is probably not the right word for it. Well, some people are afraid about quantum computers coming online because they're going to be able to crack a lot of the encryption that we rely on these days that makes the web work. But we joke that quantum computers, it might be a lot like fusion energy
Starting point is 00:26:55 where it's always 20 years away no matter when you ask. So. We'll see. Or AI in theory. Or, yeah, yeah. Well, let's, let me, this will be a really weird way to end, but one of my obsessions is with the Fermi paradox. I don't know if you're familiar with that. Yes. It's basically the question of how come we haven't met aliens yet, if the universe is so large and so old.
Starting point is 00:27:18 Yeah. And one of the theories has to do with computing, where once the civilization gets big enough and once a computing resource, like you have an overheating problem like you're talking about, like there's just, it's too much. And that's why you would build Dyson spheres and things like that. But one of the theories is, is that once you get that advanced, you have to go out into the very edges of space where it's super, super cold. Otherwise, your computers stop functioning. Huh.
Starting point is 00:27:47 And so that's interesting. And so that's one of the theories for why we've never met aliens. Yes, aliens got super sophisticated two billion years ago, but to keep their computers running, they had to all migrate out to the coldest recesses of space. Basically that's why we don't see them, because we're still here where it's hot. Oh, that's interesting. I would say, well, until you told me that, my favorite answer to the Fermi paradox is just that
Starting point is 00:28:13 the distances are so great that unless someone comes up with faster than light travel, it's just impractical to have any sort of communication. Now, see, we could do an entire other episode about this because if you do one of those, what is it, what do you call the probes where if you just send a probe out and it takes a thousand years to get to the next star system and then you take a hundred years just to gather the resources to send out another probe, the laws of exponential growth say that it would only take you approximately 200,000 years to basically colonize the entire Milky Way. So again, even though the distances are part of the problem with the Fermi paradox, the immense lengths of time that the
Starting point is 00:28:55 universe has existed is also the problem because given that, that the entire, we shouldn't be alone. We should be like, you know, in the middle of like a huge metropolis at this point. Mm-hmm. Mm-hmm. Anyway. Brian, who says we're not? That's true.
Starting point is 00:29:10 Get your heads out of the sand, sheeple. Yes. Well, that's because we're in, the favorite, favorite one is we are in a, um, what am I, why can't I think of it? We're in a simulation. And that's one. Yes. Yes.
Starting point is 00:29:22 I'll tell you, Brian, some days. Ooh. It certainly feels like it. All right. We got off the rails there, but in a fun way in the end. Thank you, Dave. Yeah, my pleasure. My pleasure. Great talking to you.
