The CyberWire Daily Podcast 2.12.16

John Petrik: [00:00:03:19] Ukrainian mines and railroads may have been hit in a dress rehearsal for December's attacks on that country's power grid. What the calendar can tell us about forecasting surges in hacktivism and cyber rioting. Advice on regarding hacktivists' declared motives with cautious skepticism. A quick look at the marketplace. And British police think they've collared a Cracka with Attitude.

Dave Bittner: [00:00:26:06] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

John Petrik: [00:00:49:05] This is John Petrik, the CyberWire's editor, in Baltimore filling in for Dave Bittner with your CyberWire daily podcast for Friday, February 12th, 2016.

John Petrik: [00:00:58:02] Trend Micro reports finding indications that the hackers who interrupted electrical power in Western Ukraine back in December made some preliminary attacks on mining and railroad control systems. The trail investigators are following is still KillDisk and BlackEnergy. There's some speculation that the incursions into mining and rail systems were a trial run for the later cycling of power breakers in grid substations. There's also growing recognition that any number of disparate industrial sectors are susceptible to ICS hacking.

John Petrik: [00:01:25:00] The Russian government remains the principal suspect in all of this, and Ukrainian sources haven't been at all shy in making the attribution. US officials have stopped short of moving from suspicion to conclusion, but one senior official, Deputy Energy Secretary Elizabeth Sherwood-Randall, reportedly told an electrical industry conference yesterday that, yes, indeed, it was the Russian government. The Department of Energy, citing the matter's sensitivity, has declined further comment.

John Petrik: [00:01:49:16] Looking at the calendar with an eye informed by causes, regional rivalries, and so forth may help network defenders focus their attention on likely surges of hacktivism. Patriotic hacktivism is, says Recorded Future, foreseeably occasioned by national holidays, anniversaries of violent acts, and even cricket test matches. Recorded Future's study focuses on patterns of cyber rioting between Indian and Pakistani hacktivists, but its lessons have more than regional applicability.

John Petrik: [00:02:16:15] Hacktivists' declared motivations may or may not represent their real motivations. The CyberWire spoke yesterday with Leo Taddeo, formerly Special Agent in Charge of the Special Operations/Cyber Division of the FBI's New York Office and now CSO of Cryptzone, and he made this observation in connection with the recently socially engineered compromise of directory information at the FBI.

John Petrik: [00:02:37:02] The DotGovs who claimed responsibility for the hack said they were acting in solidarity with Palestine, but, as Taddeo said - rather wolfishly, we thought - you don't really know much about hackers' actual motives until they're charged and arrested, at which point you can ask them. He noted, for example, that hackers of the Sony PlayStation network back in 2011 sought to cloak themselves in the Anonymous brand, but were soon convincingly disavowed by the hacktivist collective. The hackers turned out, in the end, to be just crooks. To read the full interview, visit thecyberwire.com.

John Petrik: [00:03:07:10] One alleged hacker who's probably being questioned right now, is said by authorities to be one of the Crackas with Attitude, the group who claimed responsibility for doxing some senior officials in the US Intelligence Community. The Crackas presented themselves as both pro-Palestinian and as teenagers. The latter, at least, seems to be true. Police in the British East Midlands picked up a kid who's said to be either 15 or 16, reports vary and the US FBI is reported to have been working with UK police. The arrested boy, unnamed because of his youth, is said to have asked in his last Tweet, "Anybody know a good lawyer?"

John Petrik: [00:03:40:12] Carbanak and other threats continue to plague the financial sector. A ThreatMetrix report on cyber risks to banks is being glossed in the press as representing the sector as, quote, "on high alert." That banks and other financial institutions take cyber threats seriously is beyond question. ThreatMetrix thinks the most dangerous trend banks will see in 2016 is a rise in bot attacks, with the potential to cost banks millions in lost business.

John Petrik: [00:04:05:08] Mozilla has issued patches for both Firefox and Firefox ESR. Observers look back at Patch Tuesday and conclude that older versions of Microsoft Internet Explorer, specifically versions IE7, 8, 9, and 10, are now, as Computerworld puts it, quote, "officially vulnerable." It seems a near certainty that holes patched in IE11 and Edge exist, unpatched, in the older instances of Explorer.

John Petrik: [00:04:29:14] As the Internet-of-things expands through industrial control systems, consumer products, and self-driving cars, standards bodies continue to evolve security guidelines. Automation World says that it sees signs of an approach to security that's less IT-centric than those approaches vendors have hitherto tended to apply to their IoT systems.

Dave Bittner: [00:04:50:14] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

John Petrik: [00:05:09:03] In the IoT and elsewhere, designing security into systems remains an important goal. The CyberWire spoke recently with the University of Maryland's Jonathan Katz on one aspect of this challenge, provable security. Here's what he had to say.

Dave Bittner: [00:05:22:03] Once again I'm joined by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also the director of the Maryland Cybersecurity Center. Jonathan, let's talk about provable security. Tell me what that is.

Jonathan Katz: [00:05:32:15] Historically speaking, crypto systems and in particular encryption schemes were developed in a pretty much ad hoc fashion. People would develop a scheme, they would throw it out there, and then they would hope for the best, essentially. And starting in the early to mid 1980s, people began really sitting down and thinking through what they actually wanted from an encryption scheme, and they came up with the idea that after defining precisely what security properties you wanted, you could also potentially improve security of a particular scheme based on some mathematical assumption.

Dave Bittner: [00:06:02:24] So give us an idea how exactly do they work?

Jonathan Katz: [00:06:05:11] The basic idea is that first of all you have to isolate a mathematical assumption that you believe to be true, and if it's in the area of cryptography, going to involve some mathematical problem that you believe to be computationally hard. A lot of people listening are probably familiar with the idea that factoring is a problem of that nature where we don't currently know any efficient algorithms for factoring, and so you could try to then build the schemes based on the hardness of factoring large numbers.

Jonathan Katz: [00:06:29:20] So you first have your mathematical assumption. Then you come up with a definition of what it is you're trying to achieve using some particular scheme. So for the case of encryption you would define exactly what it means to hide the contents of a message to an adversary who observes the cybertext going back and forth between two people communicating. Given those two things, the assumption and the definition, you can then construct a scheme and prove that the scheme satisfies the definition you came up with based on your underlying mathematical assumptions.

Dave Bittner: [00:06:58:12] Alright, so you keep using the word assumption. Once you have your, your proof, do they, do they end up being secure? Has there ever been examples of them-- of later on it being discovered that, that a system is in fact insecure?

Jonathan Katz: [00:07:11:22] That's a great question and this is part of what makes cryptography so interesting. Now if you have a provably secure scheme, the guarantee you have is that as long as your assumption is true, the scheme that you've analyzed is indeed secure. But that can fail in the real world in several different ways.

Jonathan Katz: [00:07:25:05] First of all it can turn out that the assumption is simply wrong. People are probably familiar with this happening with the example of MD5. You might have a protocol which was secure when based on a good hash function and people might have developed those protocols based on MD5, but then a few years back MD5 was actually discovered to not be such a good hash function, and in that case no matter how good the protocol was that you built on top of it, the protocol might be insecure. So that's one area where things can go wrong where the assumption is actually simply incorrect.

Jonathan Katz: [00:07:54:11] A second area where things can go wrong is that you've given a proof of some scheme meeting some definition, but the definition might not correspond to what you actually want in the real world. For example your definition might protect against a certain class of attacks, but in the real world the attacker might be more clever, or have more resources available that would allow them to mount other attacks that you haven't considered in your definition.

Jonathan Katz: [00:08:16:14] Finally, there's a very important example of implementation failures, so the proof of security are idealized mathematical proofs of a particular specified scheme but when you actually go and implement these schemes in the real world, very often we find that programmers make errors when they're implementing them and once you have an implementation which is not done precisely according to the specification, all bets are off and the proof may no longer apply.

Dave Bittner: [00:08:41:06] Alright, fascinating stuff. Jonathan, thanks again for joining us.

John Petrik: [00:08:46:22] The markets continue to yield a very mixed picture of the cyber sector, with some analysts crying caution and disappointment, others seeing sound direction and good buying opportunities. FireEye and CyberArk reported "mixed" results this week, and the disappointing parts of that mix appear today to be hitting Palo Alto's share price as well. Symantec's better than expected results have attracted analysts' attention too.

John Petrik: [00:09:08:12] Internationally, Finland appears ready to up its cyber offensive game, and policy types in India, Taiwan, and elsewhere mull the value of creating a culture of security, that is, effectively, of creating cyber militias. The challenge will be, of course, to keep those militias well-regulated.

John Petrik: [00:09:23:03] And that's the CyberWire for Friday, February 12th, 2016.

John Petrik: [00:09:27:13] For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Listen for our week in review podcast, up later this afternoon. And a note to our listeners, we'll be observing Washington's birthday Monday, and will take the day off. But we'll be back as usual on Tuesday with both our daily podcast and news brief. The CyberWire podcast is produced by CyberPoint International, and this is the editor, John Petrik. We'll welcome our regular host, Dave Bittner, back from his vacation next week. Thanks for listening.