The CyberWire Daily Podcast 2.26.16
Ep 44 | 2.26.16

US Govt on Ukraine grid hack. ISIS threatens social media hacks. Ransomware rising. "Government OS."

Transcript

Dave Bittner: [00:00:02:19] The US ICS Cyber Emergency Response Team reports on the Ukraine grid hack and has some advice for U.S. utilities: don't connect your control systems to the Internet. ISIS tells Twitter and Facebook it's going to take them down from the web. Ransomware continues to flourish as both grand and petty larceny. Cyber risks remain imperfectly understood. And Apple tells the Court what creation of “government OS” would actually entail.

Dave Bittner: [00:00:28:08] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute, providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

Dave Bittner: [00:00:52:01] I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, February 26th, 2016.

Dave Bittner: [00:00:58:11] The U.S. government officially stated yesterday what everyone has unofficially believed for about a month and a half: the power grid in western Ukraine was indeed taken down by a December cyberattack. The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team’s recommendations to the electrical power industry, however, are more pointed. They offer counsel on what are surely good practices, and they also advise some substantial disconnection. For example, the report says, "Organizations should isolate industrial control system networks from any untrusted networks, especially the Internet." There's little doubt that BlackEnergy figured in pre-attack reconnaissance, but the malware's precise further role in the attack remains unknown, and officially under study. “It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials,” the team writes, “However, this information is still being evaluated.”

Dave Bittner: [00:01:53:12] Washington has asked Silicon Valley to do something about extremism online, and both Twitter and Facebook have taken some small steps in that direction. ISIS has noticed. The caliphate promises retaliation in cyberspace addressing Mark and Jack by first name, that would be Facebook's Mark Zuckerberg, and Twitter's Jack Dorsey. An online message says, "You announce daily that you suspended many of our accounts and to you we say, is that all you can do? You are not in our league. If you close one account, we will take ten in return and soon your names will be erased after we delete your sites, Allah willing, and will know that what we say is true." The missive is signed by the Sons Caliphate Army. There's also a video suggesting the caliphate's more customary direct physical brutality. The "Flames of Ansar" depicting bullet-ridden images of Mark and Jack.

Dave Bittner: [00:02:42:06] A think piece in Technology Review wonders whether Silicon Valley really could, or really would, respond to Uncle Sam's call for mobilization. The answer is a qualified yes: “could,” if they considered ways of introducing dissenting voices from ISIS' core demographic into the narrative; “would,” because to the presumed dismay of techno-libertarians, Silicon Valley's presumed aversion to working with the intelligence community seems to be eroding as the reality of the ISIS threat sinks in. At least, so thinks Technology Review.

Dave Bittner: [00:03:12:00] Ransomware continues its rise as the currently fashionable form of cyber crime. Students of the problem see several developments contributing to the trend. First, the availability of anonymous networks like Tor makes criminals think they can get away with it, but one notes that the apparent success of the Feds in getting researchers under subpoena to de-anonymize Tor users might give the gangs pause, if they're paying attention. Second, crypto currencies like Bitcoin induce hoods to think they'll actually be able to get paid without getting caught. And third, the growing Internet-of-things has expanded the available attack surface, and many newly networked devices are neither designed for, nor installed with, security in mind. Many law enforcement agencies, including the FBI, are working the problem and offering advice. Companies like Kaspersky and Emsisoft have released free decryption tools for specific strands of ransomware, a public service for which they deserve commendation. We'll say it, thanks. But the best defense remains anticipatory: back up your files.

Dave Bittner: [00:04:13:05] Cyber risk management concerns filter up to corporate boards and C-suites. CEOs in particular are acknowledging that they're a bit at sea with respect to understanding cyber risk. A look at the report Independent Security Evaluators released this week provides evidence that compliance may be clouding health-care enterprises' view of the threat. Swiss Re's departing leader warns that the insurance industry itself, which would certainly be expert in risk management, still has trouble assessing cyber risk. In fact, the insurance sector should probably view cyber as at least as much risk as underwriting opportunity.

Dave Bittner: [00:04:46:06] Everyone, it seems, has an opinion about the Apple/FBI dispute. The most interesting development at week's end is Apple explaining to the Court exactly what would be involved in creating for the FBI what Apple is tendentiously, but probably fairly, calling “government OS.” It's not trivial, and it's not likely to be a one-off either. Studies of public opinion show mixed results over how much people really do value their online privacy. It's worth recalling that both business and governments collect vast amounts of information. We spoke with Johns Hopkins University's Joe Carrigan about public and private data collection, and we'll hear from him after the break.

Dave Bittner: [00:05:21:00] Finally, Jacksonville State University is investigating, and has also referred to law enforcement, a case in which a student may have stolen credentials to hack into university records, think of it as registering for a class, although in this case that would be a Class B felony.

Dave Bittner: [00:05:36:03] A note to our listeners, we'll be at RSA next week covering the conference and special issues in podcasts. If you're going to be there, drop by booth 11-45 in the South Hall, and say, “Hello,” but act quickly. While supplies last, we'll give you a swell pen.

Dave Bittner: [00:05:52:15] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning co-working space, incubator and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

Dave Bittner: [00:06:11:00] Joining me once again is Joe Carrigan from the Johns Hopkins Information Security Institute. They're one of our academic and research partners. Joe, it seems like these days, there are lots of different organizations who are collecting our data. The government collects our data. Private companies collect our data, but those are very different things, and in your opinion they're not the same.

Joe Carrigan: [00:06:30:14] Let me be clear, this is my opinion. There's a lot of talk around corporations collecting your information. That doesn't concern me as much as government entities collecting your information and your activity, cell phone logs, and things of that nature. When a company's collecting my behavior online, I know what their goal is. Their goal is to sell me something. The goal is to tell me about a product that's available, that they think I might be interested in. Sometimes that becomes a nuisance. My favorite example is that at some point in time, I was looking at my mail - I have a Yahoo mail account - and there were ads on the side of that for Depends undergarments, and I'm thinking--

Dave Bittner: [00:07:13:05] You walked into some demographic unknowingly.

Joe Carrigan: [00:07:15:12] Yes. Why is it that you think I need Depends?

Dave Bittner: [00:07:18:20] Well, there was that, but then remember there was a case with Target, where Target had figured out that a young, I believe it was a teenage girl who was pregnant started sending her coupons for baby stuff, and her parents didn't know that she was expecting.

Joe Carrigan: [00:07:32:05] Correct. While my story's humorous, that one's not so much. Those kind of events, where you have adverse effects like this are kind of few and far between. Some people would argue they're unacceptable, and I would say their arguments are not invalid. I would also say that perhaps, I don't really agree with them. My concern, however, is much more with governments collecting the data. Something that companies never do is they never kick open doors and go into a house and round people up and take them away, never to be seen again. Governments have a history of doing that kind of thing, and that's what makes me nervous. I'm trying not to sound like a guy with a tinfoil hat on, but I trust a government a lot less than I would trust a corporation, simply because of the amount of power that they wield.

Dave Bittner: [00:08:23:10] So, how does someone go about limiting the amount of data that's available for the government to gather from them?

Joe Carrigan: [00:08:28:08] There's a couple of things they can do. First, you could get a web proxy service that anonymizes your Internet traffic, without costing a lot of speed, and you can shop around online for them, and there's lots of articles that tell you which ones are the best and which ones keep the records, and which ones don't. As far as cell phone records go, you have to go to a more extreme measure, where you're using what they call burner phones. These are phones that you buy at a store for cash, and then you buy time on these phones for cash, or you just repeatedly throw the phones away. However, that makes it hard for people to get in touch with you. I mean, that's something we're kind of captive with. We have these phones now, that we carry around that track a lot of information about us.

Dave Bittner: [00:09:11:04] On the individual level, we're limited to what we can do, but it really is one of those things I think, as a society, we have to keep our eye on.

Joe Carrigan: [00:09:19:07] Yeah. I would agree with that. There's really not a lot you can do, particularly with the phone records, without going to extreme measures, they become very inconvenient actually.

Dave Bittner: [00:09:28:05] All right, well, sleep well tonight, Joe.

Dave Bittner: [00:09:32:13] Joe Carrigan from Johns Hopkins Information Security Institute, thanks again for joining us.

Joe Carrigan: [00:09:37:02] It's my pleasure.

Dave Bittner: [00:09:39:23] That's the CyberWire. For links to all of today's stories along with interviews, our glossary, and more, visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and our Editor is John Petrik. I'm Dave Bittner. Thanks for listening.