RSA update - SecDef sounds libertarian? Ashley Madison extortion. DROWN update. More on Ukraine grid hack.
Dave Bittner: [00:00:03:13] RSA updates, where the Secretary of Defense is sounding a bit like a techno-libertarian. The Attorney General? Not so much. The democratization of technology moves the Defense Department to seek help from the commercial sector. We talk with Phantom, winner of this year's RSA Innovation Sandbox. More evidence on the Ukrainian grid hack is out. The ACLU files an amicus brief in the Apple versus FBI case. We hear from the University of Maryland's Jonathan Katz on quantum computing. And the Ashley Madison hackers are now sending extortion notes through the mail.
Dave Bittner: [00:00:36:19] This podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.
Dave Bittner: [00:00:57:09] I'm Dave Bittner in San Francisco with your CyberWire daily podcast for Thursday, March 4th, 2016.
Dave Bittner: [00:01:03:11] We're wrapping up our time at RSA this afternoon, podcasting from the floor of the world's leading cyber security conference and exposition. US Defense Secretary Ashton Carter took a fairly unambiguous position in the crypto wars. He's in favor of strong encryption, and he's opposed to backdooring systems. So it seems that NSA Director Rogers' neighborhood really does encompass the larger Defense establishment, lest anyone think that the Director has been freelancing on the issue these last few months. Secretary Carter was also in San Francisco to solicit industry support for US efforts against ISIS and other threats. He's been talking not only to the expected big companies, but to small businesses as well, even participating in a "shark tank" event to hear pitches from entrepreneurs on promising technologies. One area of need the Secretary highlighted was data security. "We know," he said, "that we're behind the commercial sector in this area."
Dave Bittner: [00:01:56:00] That the US Department of Defense could use some help isn't surprising. It's been known for some time that collaboration across the Internet has significantly democratized technology, especially information technology, at a time when technology - again, especially information technology - has solidified the central position it holds in conflict. It's unclear how traditional powers can continue to enjoy a decisive advantage in the area, but it's clear that the Department of Defense is intent on trying. Its "Hack the Pentagon" program is one manifestation of that determination.
Dave Bittner: [00:02:27:02] The US continues to pursue ISIS in cyberspace, intent on disrupting the Caliphate's communications infrastructure. Effective cyber capabilities are beginning to make their appearance at the tactical level. Special operations forces, specifically including the US Navy's elite SEALs, are taking an increasing interest in social media. So there should be no surprise should SEAL Teams show up on Twitter. We'll see how successful they prove to be at delivering a counter-narrative against ISIS.
Dave Bittner: [00:02:54:23] Attorney General Lynch was also at the RSA conference. She defended Department of Justice efforts to compel Apple's assistance in unlocking an iPhone used by one of the San Bernardino jihadist shooters, making a plea to, quote, "not let one company decide this issue for all of us," end quote. But it must be said that her presentation and position were not generally received favorably. Sentiment at the expo is largely against the Department of Justice on this one. There's a general sense that the assistance the FBI is requesting would set a dangerous precedent. But one executive, in a side conversation, did note a curious fact: we're willing to trust the police to protect us, physically, but it seems no one is eager to trust the government with protecting our data.
Dave Bittner: [00:03:34:23] The ACLU, in an amicus brief filed in the case, thinks it sees another problem in the Department of Justice position. If the DoJ wins, the ACLU says, then you can bid farewell to trustworthy software updates. What assurance, they ask in effect, will users have that they're not being pushed another Government OS?
Dave Bittner: [00:03:53:00] We've had interesting talks with many companies here at RSA. One we were particularly pleased to speak with is the winner of this year's Innovation Sandbox, Phantom. We asked Phantom's CEO, Oliver Friedrichs, what it was like to win the competition.
Oliver Friedrichs: [00:04:06:00] It was interesting. I think all of, all of the vendors up there, you know, they're the 10 most innovative vendors at RSA, you know, were high quality companies. So when you look at that list, you know that you've got your work cut out for you. I think it was a real privilege and honor to win that and great to recognize the hard work that we've done, but also validates this problem. You know, I think that we've had so many products and so many unique individual solutions now, that it's great to see it recognized that we now, you know, we believe we do need a layer, something that's going to tie all of those existing products together.
Dave Bittner: [00:04:39:00] We'll hear more from Phantom in an upcoming RSA special edition of our podcast.
Dave Bittner: [00:04:44:13] Turning from San Francisco to the larger world, the Western Ukraine grid hack remains a matter of intense interest as a warning and a cautionary tale. The attackers, whom investigators describe with grudging admiration as sophisticated, conducted a long-running and patient campaign to establish persistence in the Ukrainian utility's network and then to harvest control system credentials. These credentials were used to disrupt power in late December. The attack is widely regarded as a harbinger of things to come, and some experts think it was intended to send a message to the United States at least as much as it was intended to affect Ukraine.
Dave Bittner: [00:05:19:16] The consensus on the DROWN vulnerability is in. The SSL hole is thought to be not as bad as Heartbleed, but still, bad enough.
Dave Bittner: [00:05:27:07] Schneider Electric’s StruxureWare Building Operation software is found to be exploitable by remote hackers in ways that could enable them to affect building security. And the attackers need not, say researchers, be particularly skilled. The problem is said to lie in weak default credentials and a command execution bug.
Dave Bittner: [00:05:44:23] KrebsOnSecurity reports that the pay card breach at Wendy's chain restaurants is producing significant debit card losses. Credit unions are said to be especially affected.
Dave Bittner: [00:05:54:11] Google has issued a Chrome update. Users and admins, take note.
Dave Bittner: [00:05:58:12] And, finally, Ashley Madison is back in the news. This time there's no moralizing, just frank extortion. The "Ashley Madison wives," as Cluley calls the spouses of men whose patronage of the online hanky-panky emporium was exposed in last year's breach, are now receiving physical letters through the physical post demanding payment, in Bitcoin, lest their husbands' shame be exposed. And, the extortionists note, in an aside to any husband who might want to try to intercept a letter to the wife, tampering with someone else's mail is a crime. The brass of some people. But physical mail usually bears physical clues, and we're sure the Postal Inspectors will be on the case.
Dave Bittner: [00:06:41:06] This podcast is made possible by the economic alliance of Greater Baltimore, helping Maryland lead the nation in cyber security with a large, highly qualified workforce, 20,000 job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.
Dave Bittner: [00:07:01:03] I'm joined by Jonathan Katz. He's a Professor of Computer Science and the Director of the Maryland Cyber Security Center, which is one of our academic and research partners. Jonathan, quantum computing comes up, particularly when we're talking about encryption. Just start off by giving us an overview. How does quantum computing differ from run of the mill binary computing?
Jonathan Katz: [00:07:18:02] Well, it's a bit hard to describe in detail, but at a very high level, quantum computers take advantage, of course, of quantum mechanics, and what quantum mechanics allows you to do is to manipulate systems that are in a superposition of very many states at the same time. So you can think about this very informally, as if you have a computer that's running several different computation paths in parallel, as it were, even exponentially many, and that's what gives quantum computers ultimately their power.
Dave Bittner: [00:07:45:18] So help me understand. It's my understanding that quantum computers, as opposed to dealing with absolute answers, they deal with probabilities. Is that accurate?
Jonathan Katz: [00:07:55:00] Yes, that's right, and that's why the analogy I've given before isn't quite exactly right. You have, you have these parallel computations that are running, but then in order to extract anything useful from them you need to manipulate things in such a way that you get the answer you're looking for with high probability. But that's right, that quantum mechanics and quantum computers don't give you an answer with certainty, they only give it to you with high probability.
Dave Bittner: [00:08:17:15] And so looking ahead, how does quantum computing potentially impact computer security?
Jonathan Katz: [00:08:23:06] Well, we've known since 1994 that quantum computers are able to break all the public key algorithms that are currently deployed on the Internet. That's because of Shor's algorithm, which shows that quantum computers can efficiently solve both the factoring and discrete logarithm problems. So if quantum computers were to become a reality tomorrow, we have a huge problem on our hands because all the public key cryptosystems that are currently used on the Internet would be insecure. So for that reason, people have begun starting to think about what kind of systems they could transition to in the, in the next five, 10, 20 years that would be secure even against quantum computers.
Dave Bittner: [00:08:58:10] And what's your sense for, for where we are? Are we getting close to where quantum computing may be a reality?
Jonathan Katz: [00:09:03:17] Well, I wouldn't say close, and I'm not an expert in the field, but the latest estimate I saw at a recent workshop was that there's about a fifty-fifty chance of getting quantum computers capable of breaking current public key encryption schemes by-- within the next 15 years. So that gives us reason for concern, especially because we know that it can take quite a long time to begin transitioning to new systems.
Dave Bittner: [00:09:25:18] Jonathan Katz, thanks for joining us.
Dave Bittner: [00:09:31:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire is produced by CyberPoint International. The editor is John Petrik. I'm Dave Bittner. We've been at RSA this week, covering the conference with special issues and podcasts. Thanks to all of you who dropped by to interview, chat, or just say "hi." And now we're headed home to Baltimore. As always, thanks for listening.