Norway reports Chinese cyber espionage. Hospital ransomware. Carding black market. RSA update.

Dave Bittner: [00:00:03:17] Norwegian intelligence services accuses China of cyber industrial espionage. More ransomware in German hospitals is under investigation. Brazilian carding operations grow in technical and marketing sophistication. Snapchat employee data are successfully phished using an email that falsely claimed to communicate instructions from the CEO. The IRS says data loss in the "Get Transcript" breach is much worse than initially thought. Cyber stocks are lifted by positive earnings reports depressed by analyst downgrades. Some Apple users seem to regard their iPhones as their confessionals; our theological consultant shakes his head.

Dave Bittner: [00:00:40:12] This podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:01:01:00] I'm Dave Bittner in San Francisco with your CyberWire daily podcast for Monday, February 29th, 2016.

Dave Bittner: [00:01:08:03] We're at RSA today, podcasting from the floor of the world's leading cyber security conference and exposition. Before we take a look at the conference's first day events, we'll offer our customary rundown on cyber news from around the world.

Dave Bittner: [00:01:19:22] First, some news from Norway. That country's intelligence service, in a report that highlights assessment of Russian and Chinese intelligence services as major threats to Norway, details Chinese espionage targeting energy and defense sectors. Norway's oil industry makes it an important source of gas and oil production intellectual property. Its NATO membership also promises access to defense technology, and the report claims that technology stolen from Norwegian networks has turned up in some of China's military systems.

Dave Bittner: [00:01:48:11] In the UK, hacktivists claiming allegiance to ISIS (and calling themselves "Caliphate Cyber Army") follow their familiar pattern of defacing lightly secured targets of opportunity, in this case, the website of UK Solar, as small manufacturer of solar panels in Sussex.

Dave Bittner: [00:02:04:13] The ransomware incident that hit the healthcare sector with the most energy this month was, of course, the Locky attack that affected Hollywood Presbyterian Medical Center in Los Angeles. But an earlier infestation was observed in Germany, at Lukaskrankenhaus in Neuss . Two more ransomware incidents have been reported in Germany, both in Nordrhein-Westfalen. Klinikum Arnsberg says it sustained a ransomware attack, but that patient care was unaffected. A second, unnamed hospital was also hit, and has taken steps to isolate its critical networks. Police are investigating all three incidents.

Dave Bittner: [00:02:37:21] Trustwave's researchers find another widely used website, extendoffice.com, distributing the Angler exploit kit and its customary payload of TeslaCrypt ransomware.

Dave Bittner: [00:02:48:08] FighterPOS, a strain of point-of-sale malware active largely in Brazil, has acquired worm-like capabilities that enhance its ability to spread across payment networks. FighterPOS steals payment card details, and a Brazilian site is offering validation services on the black market to assist criminals with monetization of stolen cards. Validated cards fetch a premium price among criminals. Trend Micro is tracking the episode.

Dave Bittner: [00:03:13:09] Snapchat has apparently sustained a successful phishing attack and exposure of employee data. The phishing email claimed to be from the company's CEO, it was, of course, not, and asked for a transmission of payroll information. The incident affords another object lesson in the importance of skepticism in the face of apparent executive communications. “Unfortunately," said Snapchat in a blog post, "the phishing email wasn’t recognized for what it was, a scam, and payroll information about some current and former employees was disclosed externally.” The company is understandably reticent about the information that was exposed, and has referred the matter to law enforcement for investigation.

Dave Bittner: [00:03:50:23] The US Internal Revenue Service has revised upward, by some 390,000, the number of taxpayers whose information was stolen from weakly secured IRS sites. Known as the "Get Transcript" breach, a Treasury investigation into the incident reported late Friday. Information compromised is said, by non-Treasury sources, to include Social Security Account Numbers, dates of birth, and street addresses. These are thought to have been used to bypass multi-factor authentication in other attempts on taxpayer data.

Dave Bittner: [00:04:20:24] Some good industry news at the end of last week, notably a strong earnings report from Palo Alto Networks, has lifted not only Palo Alto, but other stocks as well, notably Check Point and Fortinet. Other story stocks drop, however, on analyst downgrades.

Dave Bittner: [00:04:35:10] The Baltimore Sun ran a story this morning sharing the news that Federal Hill cyber security startup, Terbium Labs, raised $6.4 million in venture capital funding. In the story, Terbium CEO, Danny Rogers, said, "The funds were aimed at improving Matchlight," their system designed to detect when a company's stolen information is posted online.

Dave Bittner: [00:04:55:01] And the Apple-FBI face off will resume this week. Some observers have now begun arguing that some sort of privilege analogous to attorney-client privilege, or even the seal of the confessional, ought to apply to Apple. Whether Cupertino actually entertains such ambitions remains to be seen. Stay tuned.

Dave Bittner: [00:05:14:16] This podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:05:34:11] And joining me once again is Jonathan Katz, he's a professor of computer science and the Director of the Maryland Cyber Security Center, one of our academic and research partners. Jonathan, when we're talking about encryption we hear a lot about bit depth. For example, in the recent Apple case, Apple talks about it. They claim that they're using 256-bit key encryption. Give me an idea, when they say that, what does 256-bit key length mean?

Jonathan Katz: [00:05:59:14] Well the strength of the key or the strength of the encryption that's being used is directly related to the length of the key. That's at least the case for symmetric key algorithms like we're talking about here and, essentially, if your encryption algorithm is good enough, then the only way to break it is to do a brute force search or an enumeration of all possible keys that can be used. So if you have, let's say, a four bit key, that means you have 2 to the 4, or 16 different possibilities, which isn't very much. If you have a 256-bit key, then the number of possibilities for the key is two to the 256 which is an astronomically large number. Essentially, what that means is that every bit you add onto the key is going to double the difficulty of doing a brute force search for the key.

Dave Bittner: [00:06:41:15] So as computing power increases, is it inevitable that today's uncrackable encryption will be crackable in the future?

Jonathan Katz: [00:06:48:10] Well that's a great question and it turns out actually that you can do the calculation and you can see exactly how long it might take to do a brute force search over keys of a particular length. For example, if you imagine that you have a computer that's capable of checking a key once every computer cycle and it's been running, say, since the beginning of the universe then it turns out if you do the calculation you get that you can search through a 96 bit key space, so it looks pretty safe to say that we're not going to be cracking keys that long any time soon. In fact, you can even use the laws of physics to get an upper bound on how many keys you could potentially search through. There's a calculation online somewhere where if you even extract all the energy coming out of the sun and do this brute force searching over the timescale of the universe, you can search through about key of length 187-bits so 256-bit keys look pretty safe until we start computing with things other than matter and energy.

Dave Bittner: [00:07:43:11] Alright, so we're safe for the time being, but why use a key that complex? Is there a computational penalty for using a key that's that complex?

Jonathan Katz: [00:07:54:00] Everything I was talking about so far assumes that the best way to attack the system is a brute force search over the entire space of possible keys. So from that point of view, a 256-bit key would protect you forever. The concern that people have, of course, is that the encryption algorithm may not be perfect. Somebody five or ten years from now may come up with a method to break the encryption scheme that's slightly faster than a brute force search, and so you want protection even in the event that people are able to kind of shave a few bits off the effective strength of the key. People are also concerned about the possibility of quantum computers that might be able to speed up the attack. The jury's still out over whether that's actually possible in practice. But the theory says that, on a quantum computer, you can cut the effective key strength in half. So from that point of view, a 256-bit key would have only the strength of a 128-bit key against a quantum computer.

Dave Bittner: [00:08:43:12] Jonathan Katz, thanks for joining us.

Dave Bittner: [00:08:48:24] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International. Our editor is John Petrik. I'm Dave Bittner. We'll be at RSA this week, covering the conference with special issues and podcasts. If you're in San Francisco, drop by our booth, 1145, in the Moscone Center's South Hall and say "hello." And, while supplies last, we'll even give you a swell pen. For free and for keeps. We hope to see you there, and thanks for listening!