The CyberWire Daily Podcast 2.3.16
John Petrik: [00:00:03:14] Updates on BlackEnergy. New standards for critical infrastructure cyber security are on the way. Security companies work to close holes in their products. The Super Bowl is coming to Silicon Valley, and hackers have noticed. Safe Harbor is replaced by Privacy Shield. US and Chinese cyber plans are foreshadowed in budgets. And Chem-trail hunters say they're going after NASA networks.
David Bittner: [00:00:29:22] This CyberWire Podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance, and privacy. Learn more online at: isi.jhu.edu.
John Petrik: [00:00:51:21] This is John Petrik, the CyberWire's editor, in Baltimore filling in for Dave Bittner with your CyberWire daily podcast for Wednesday, February 3rd, 2016.
John Petrik: [00:01:03:16] The US ICS-CERT releases updates on its investigation of BlackEnergy and the associated attacks on Ukraine's power grid. There's general agreement that the episode exposes an unpleasantly high degree of vulnerability in utilities, and that fear of the hacker is only the beginning of wisdom. Sound industrial control system security practices are commended to all, and new standards for critical infrastructure protection are on the way. As the influential publication, Control Global, notes, utilities and SCADA systems generally depend upon wireless backhaul to manage widely distributed stations. So the coming standards are likely to influence many sectors quite distinct from power generation and distribution.
John Petrik: [00:01:46:01] As far as the actors behind the attack in the Western Ukraine are concerned, most continue to see this as a Russian operation. But what one might actually do with attribution remains a vexed question, especially if one doesn't have a badge or carry a gun, and isn't building a case for an indictment. Recorded Future tells CSO that businesses do have an interest in attribution, but it's a different interest from a government's. "Motivation informs methodology", says Recorded Future's VP of Information Security Strategy, and knowing in general what an attacker is seeking to accomplish can usefully shape an enterprise's security measures.
John Petrik: [00:02:23:15] Two security companies are dealing with flaws in their products this week. Malwarebytes is moving to patch its Anti-Malware product for man-in-the-middle and privilege-escalation vulnerabilities, discovered by Google researchers. A complete fix is expected in about a month, but Malwarebytes has offered some interim instructions for remediation.
John Petrik: [00:02:43:07] Google researchers also call out Comodo's "Chromodo" secure browser. Chromodo disables same-origin policy and hijacks DNS sessions, says Google, all of which could expose users to compromise.
John Petrik: [00:02:56:02] Open Effect and the University of Toronto's Citizen Lab released a study of fitness wearables. They claim to have found Bluetooth security and privacy issues in all of the devices studied, with the exception of the Apple Watch. The most common issue is locational privacy, but at least two of the devices tested, Garmin and Withings, are said to potentially expose fitness information as well.
John Petrik: [00:03:18:08] Landry's and Golden Nugget, corporate parents of several well-known US restaurant chains, including Bubba Gump Shrimp, Saltgrass Steak, and McCormick & Schmick's, disclosed that a data breach may have exposed customer pay cards used at its locations between May and December of last year.
John Petrik: [00:03:34:01] This year's Super Bowl, and we know for international listeners, that this is the annual championship in American football, will be played this Sunday in Santa Clara, California. The stadium is surrounded by small cities whose names may ring a few bells: Mountain View, Cupertino, Palo Alto, San Jose. That's right, the shiny new stadium is in the heart of Silicon Valley, and hackers of all stripes are widely expected to take a close interest in the opportunities this will offer, as techy fans get loosey-goosey and dis-inhibited around game time. Organizers and authorities are working hard on security, and how they do will bear watching, at least as closely as the Broncos' and Panthers' line play.
John Petrik: [00:04:14:06] The US and the EU, after letting Safe Harbor lapse over the weekend, have agreed to a new data transfer agreement, which they're calling Privacy Shield. It incorporates such steps as creating an ombudsman to handle EU citizens' complaints, an undertaking by the US not to conduct mass surveillance of EU citizens from data shared across the Atlantic, and other measures designed to assuage European worries about privacy.
John Petrik: [00:04:38:03] US listeners inclined, however, to mistake the European Union for a techno-libertarian oasis should think twice. The EU is also moving to severely restrict anonymous Bitcoin transactions.
John Petrik: [00:04:48:03] The proposed 2017 US Defense budget contains some $7 billion in cyber spending, much of it going to counter perceived threats from Russia and China. China's five-year plan is also out, with hints about that country's cyber plans. Here's the short version: If you're a company competing in some specific market against a Chinese firm, you should expect to receive attention from Shanghai.
John Petrik: [00:05:11:05] Finally, the hacktivists of AnonSec (remember them?) are back in the news, with claims they've hacked NASA, and specifically that they've got access to a NASA Global Hawk drone. NASA says the claimed hack of the drone is a bunch of malarkey, but the space agency is looking closely for evidence of intrusion into its networks.
John Petrik: [00:05:29:03] One might think that AnonSec had chosen its target through a typographical error, mistaking NASA for NSA. It's happened before with other groups. But no, the hacktivists knew what they were after. They were after evidence of NASA complicity in the chem-trail conspiracy, a deep-state, above-top-secret effort that's curiously enough well-known to listeners of late-night AM talk radio. And this, perhaps, is timely evidence in support of Recorded Future's conclusion that method follows motivation. And the truth we hear is out there.
David Bittner: [00:06:01:16] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity, and community through technology education. Learn more at digitalharbor.org.
David Bittner: [00:06:20:14] Joining me is Jonathan Katz, he's a professor of computer science at the University of Maryland, and Director of the Maryland Cybersecurity Center. Jonathan, I want to take our audience through some of the key concepts surrounding encryption, things like plain text, ciphertext, and key encryption. What can you tell us about that?
Jonathan Katz: [00:06:36:15] Well there are two sorts of encryption schemes. There's private key encryption, and public key encryption. A private key encryption scheme is the mechanism that allows two users, who have shared some secret information, called a key, in advance, to then use that key to communicate securely. One user, who wants to send the information, will take their message, called a plain text, encrypt it using the key, to get some ciphertext, transmit that ciphertext, over a public channel, to the other party at the other end, and they can then decrypt that ciphertext, using the key that they've shared with the other party, and recover the original message.
David Bittner: [00:07:15:04] And how does that differ from public key encryption?
Jonathan Katz: [00:07:18:02] Public key encryption is really amazing. Public key encryption is something that was not even possible until the late 1970s, early 1980s. What that allows is for two parties to have a secure communication channel, without sharing any information in advance - without sharing the secret key. The way it works is that you have one party generating a matched pair of keys - one being a public key, and one being a so-called private key. The private key is kept secret by that individual, and the public key can be broadcast to the world, sent over a public communication channel to anybody else who wants to communicate with that first individual.
Jonathan Katz: [00:07:52:05] Anybody with the public key can then encrypt, take the plain text, as before, encrypt it to get a ciphertext, that they transmit to the first party. They can then decrypt that, using their private key, to recover the original message. This is really amazing, it kind of blows my mind that it's even possible, because it means that you can have two people, standing at opposite ends of a room, communicating back and forth, with everybody else in the room listening to everything they're saying, and still not being able to figure out what message is being transmitted.
David Bittner: [00:08:18:10] It's my understanding that there have been developments related to this with quantum computing, what can you tell us about that?
Jonathan Katz: [00:08:23:18] People are very concerned about the advent of quantum computers. The reason for that is that all the public key encryption algorithms that are currently used are vulnerable in case a quantum computer is ever developed. What that means is that, if we have quantum computers becoming a reality, within the next 20 years or so, all of the encrypted communications currently on the Internet will be vulnerable. Thankfully, however, quantum computers are not believed to impact private key encryption as severely. They may allow an attacker to speed up the time required to brute force a key, but they don't fundamentally weaken the algorithms the way they do in the public key case.
David Bittner: [00:08:59:22] So in case quantum computers are built, what kind of things are on the horizon to protect us when that happens?
Jonathan Katz: [00:09:06:04] This is really an open research area, and something that we're actively working on at the University of Maryland. We received a grant recently to do some work along with NIST, exploring so-called next generation cryptography, that's going to be based on mathematical assumptions that are not currently known or believed to be vulnerable to quantum computers. But it's really entirely open as we speak.
David Bittner: [00:09:23:21] Jonathan Katz, thanks for joining us. And that's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more, visit thecyberwire.com. If you enjoy the CyberWire podcast please go on iTunes and review the show. It really does make a difference, and helps us spread the word. Thanks. The CyberWire podcast is produced by CyberPoint International, and our editor is John Petrik. Thanks for listening.