RSA updates. DROWN SSL vulnerability. Apple vs. DoJ.
Dave Bittner: [00:00:03:05] RSA updates, including the general support being voiced for strong encryption, technology trends, and a keynote by the Director of NSA. Elsewhere, the US continues efforts to enlist industry against ISIS in cyberspace. The DROWN vulnerability, patched yesterday by OpenSSL, is thought to affect about a third of all https sites. A new version of the Bifrose Trojan is out, and designed for Linux systems. And Europe watches closely as Apple and the FBI face off in court and Congress.
Dave Bittner: [00:00:34:00] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cybersecurity with a large, highly-qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.
Dave Bittner: [00:00:55:00] I'm Dave Bittner in San Francisco with your CyberWire summary for Wednesday, March 2nd, 2016. We're at RSA again, podcasting from the floor of the world's leading cybersecurity conference and exposition. The first order of business must be congratulations to the 2016 Turing Award winners. Whitfield Diffie and Martin E. Hellman were honored for the pioneering work that gave us public-key encryption. The two also expressed themselves concerning the crypto wars, warning of the potential for abuse ("tyranny," as Diffie put it) and the signing (by Hellman) of an amicus brief in sympathy with Apple.
Dave Bittner: [00:01:30:00] Industry leaders were in full-throated, full cry in pursuit of guarantees of strong encryption. Microsoft president, Brad Smith, was particularly direct, warning that "The path to hell starts at the backdoor." His views found general agreement, although another crypto pioneer, Adi Shamir, did express a degree of understanding for the FBI's position. While he found the possible precedents of a ruling in the Bureau's favor troubling, he also thought that their request of Apple was more narrowly circumscribed than it's been generally represented. And, standing at hell's backdoor or not, for what it's worth it seemed to our stringers that the Bureau's representatives at their booth have received basically cordial visits.
Dave Bittner: [00:02:10:00] NSA's position in the crypto wars has been publicly much quieter and more nuanced than those taken by the Justice Department, and far more accepting, on the face of it, of the general availability of strong encryption, which is, as NSA Director Rogers has said, "here to stay."
Dave Bittner: [00:02:25:00] Admiral Rogers delivered a keynote yesterday that's being widely reported as a plea for more cooperation between industry and the Intelligence Community. It was indeed that, but it also expressed an understanding that problems in cybersecurity are complex and variegated—problems for foxes, not hedgehogs. It's refreshing to see complexity acknowledged where one often hears glib calls for moonshots or Manhattan Projects (two hedgehog programs if there ever were any). Remember, the fox knows many things, but the hedgehog knows one big thing. Admiral Rogers has also been warning that an attack on US infrastructure is a practical inevitability. He expects utilities in the US to sustain disruptions at least as severe as those the western Ukraine saw at the end of last year, and he continues to urge that the grid in particular be prepared to parry and recover from industrial control system attacks.
Dave Bittner: [00:03:17:00] TechCrunch has declared this the year of "Security + Machine Learning + Artificial Intelligence" at RSA. That's a fair characterization of the technologies and approaches on offer, but we would add some additional specificity to this characterization. It's also the year of systems integration, OSINT, and, above all, anomaly detection. There's a general interest in threat intelligence, but that interest is more concerned this year with risk reduction than it is with attribution.
Dave Bittner: [00:03:42:00] Turning from RSA to the wider world, the widely expected and hitherto mysterious OpenSSL patch arrived yesterday, and we now know what was being plugged. It's a TLS/SSL vulnerability being called "DROWN"; a forced acronym derived from Decrypting RSA using Obsolete and Weakened eNcryption. It's generally regarded as a serious bug. About a third of all HTTPS servers are thought to be susceptible to DROWN attacks, which depend upon the old export-grade backdoor formerly mandated for US-made security products. Strong encryption partisans cite DROWN as further evidence of their central contention that weakened encryption does far more damage than it does good.
Dave Bittner: [00:04:21:00] TrendLabs finds a new variant of the Bifrose Trojan designed for deployment against Unix (and "Unix-like") systems. They attribute the development to the threat actors behind the "Shrouded Crossbow" campaign.
Dave Bittner: [00:04:33:00] Verizon releases a breach report with a difference: it doesn't replace the company's existing well-known annual report, but it supplements statistical treatment with instructive case studies.
Dave Bittner: [00:04:44:00] In the UK, the Government prepares a new version of its surveillance bill. The Apple-FBI case is being closely watched in Europe, where observers fear it will have implications for the implementation of Privacy Shield. Partisans of both sides are squaring off this week in Congress and in court.
Dave Bittner: [00:04:58:00] The US Secretary of Defense has been in San Francisco this week jawboning industry about what it can do to help anti-ISIS operations. We heard from Dave Amsler, President and founder of Raytheon Foreground Security. He likes what the SecDef has to say: “The ‘Hack the Pentagon’ program is another example of Defense Secretary Ash Carter’s efforts to strengthen our national security by tapping the high-end talent capable of hunting cyber threats. As cyber attacks become more sophisticated and persistent, our defenses, critical infrastructure and business organizations cannot sit and wait, instead we must hunt. The Hack the Pentagon program is a step in the right direction to be more proactive in detecting and eradicating cyber threats.”
Dave Bittner: [00:05:40:00] Finally, a group of Turkish hackers has claimed responsibility for the ransomware attack on Hollywood Presbyterian Medical Center. While the motive behind the attack seems clear enough—criminal extortion—those claiming responsibility cloak themselves in a nationalist mantle: they were also protesting American friendliness toward Kurds, because they're, well, you know, patriots. (Says they.)
Dave Bittner: [00:06:04:00] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cybersecurity with a large highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.
Dave Bittner: [00:06:23:22] Malek Ben Salem is the R&D Manager for Security at Accenture Technology Labs, one of our academic and research partners. We talk a lot on the CyberWire about big data and I'm curious what are some of the particular challenges that big data presents when it comes to security and privacy?
Malek Ben Salem: [00:06:38:11] So as you know, big data presents three challenges. One is its sheer volume. One is related to the variety of the data. And one is related to the velocity of that data as we collect it. With respect to volume, businesses are collecting vast amounts of data, and in order to be able to process that data they often rely on parallel processing frameworks, MapReduce-like frameworks where mappers independently process data locally. Those MapReduce-like frameworks, such as Hadoop, have not been built with security in mind. Google originally created Hadoop, which is the open source implementation of the MapReduce programming model. At the time when they created it they used it to store and to process public website links; because the website links are public they didn't think about security and privacy. Security was an afterthought for Hadoop and for the frameworks that are built on Hadoop. So that's one issue with all these big data platforms, the fact that security is an afterthought and now we have to deal with retrofitting those platforms with security functions.
Malek Ben Salem: [00:08:08:00] Another challenge is the variety of data elements that are being collected. So think of an insurance company, for example, that collects medical records but also has financial information about its customers. They need to build different data storage for each type of data because the medical records and the financial information are subject to different compliance requirements. Many companies are struggling with separating the data and assigning the wide access controls or fine-grained access controls on that data.
Dave Bittner: [00:08:50:03] What are some of the solutions that you all are seeing and that you're coming up with there?
Malek Ben Salem: [00:08:54:21] We are trying to identify the gaps in existing frameworks. Are there opportunities to enable privacy-preserving computational models on these big data platforms so that no private information is leaked? How can we deal, again, with the velocity challenge, where data is coming at a high speed and we're not able to label it correctly? To label what's sensitive and what's not sensitive.
Dave Bittner: [00:09:25:21] And that's the CyberWire. For links to all of today's stories along with the interviews, our glossary and more visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International. Our Editor is John Petrik, I'm Dave Bittner. We'll be at RSA all week covering the conference with special issues and podcasts. If you're in San Francisco drop by booth 1145 in the Moscone Center South Hall and say “hello.” We'll see you there and thanks for listening.