The CyberWire Daily Podcast 1.5.18
Ep 509 | 1.5.18

Meltdown and Spectre, risks and mitigations. Aadhaar compromised. Blockchain bubbles.

Transcript

Dave Bittner: [00:00:00:19] We've got a bunch of new supporters who've signed up on Patreon in the past few days. Thank you. If you'd like to join them, go to patreon.com/thecyberwire to find out more.

Dave Bittner: [00:00:13:03] Meltdown and Spectre put the fear of hardware flaws into enterprises everywhere. No family of systems can be safely assumed to be immune. Most are positively identified as vulnerable. Proofs-of-concept show that remote attacks exploiting chips' speculative execution features are feasible. Dinah Davis from Codelikeagirl.io checks in. India's Aadhaar national identification database is compromised. And cryptocurrency speculative mania continues.

Dave Bittner: [00:00:47:01] Now I'd like to share some words about our sponsor Cylance. You know you've got to keep your systems patched, right? Patching is vital, and WannaCry, which hit systems that hadn't been patched against a known vulnerability, well, that's exhibit A. But you also know that patching is always easier said than done. Cylance has some thoughts about how you can buy yourself time and breathing room if you go for modern endpoint protection. Think about protecting the endpoints from the threats you never see coming. Cylance endpoint security solutions will do exactly that. Fend the bad stuff off, then do your patching quickly, but systematically. It's Artificial Intelligence, and it's a natural for security. Check out the Cylance blog "Another Day, Another Patch" at cylance.com. And we thank Cylance for sponsoring the CyberWire. That's cylance.com, for cybersecurity that predicts, prevents and protects.

Dave Bittner: [00:01:47:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire daily podcast for Friday, January 5th, 2018.

Dave Bittner: [00:01:57:06] Today's news continues to be dominated by the Meltdown and Spectre bugs. Contrary to early reports, essentially all platforms are affected, not just those running on Intel processors. Most major vendors, including Microsoft, Intel, and Google, have fixes out, and others, including Apple, will release theirs soon. These can be expected to exhibit the usual fraction of unintended and unexpected consequences: Microsoft's Windows 10 update, for example, is reported to interfere with the functioning of some (but not all) anti-virus products. The fixes will also generally have the effect of slowing down many processes. Individual and business Internet users will probably see this manifested in the cloud services they use. Both Microsoft and Amazon say that they've largely mitigated the security risks associated with the bugs. Performance issues are a work in progress.

Dave Bittner: [00:02:49:12] So how real is the risk? Mozilla, for one, has independently confirmed that both Spectre and Meltdown can be used via JavaScript, for example, to extract information from a CPU when the user visits a malicious website. So it turns out that both Spectre and Meltdown can indeed be exploited remotely by malicious code embedded in ordinary JavaScript files. Mozilla has itself issued an interim mitigation that involves a workaround. Since the side-channel attacks Spectre and Meltdown enable depend upon precise timing, they've reduced the precision of Firefox's internal timer. A full fix will be out with the next edition of Firefox.

Dave Bittner: [00:03:29:06] Microsoft has been out quickly with patches for both Edge and Internet Explorer. These appeared Wednesday as an out-of-band update for Windows. Google is getting ready to address the bugs in Chrome 64, expected to be out on January 23rd, but in the meantime the company points out that users can protect themselves by enabling a new security feature that was incorporated into Chrome 63. That feature is "Strict Site Isolation." You'll find that it calls itself "highly experimental," but Google encourages you to put Strict Site Isolation in place. Apple systems had earlier been reported as immune to the bugs, but Apple has been quick to correct this misapprehension: all of their products, whether iOS or macOS, are also at risk. Cupertino has issued some mitigations already, and others are promised soon.

Dave Bittner: [00:04:18:22] The attention being paid to exploitation through the browser is no accident. If the bugs are to be remotely exploited, it's likely that attackers will do so in the ways Mozilla has outlined. It remains to be seen whether any exploitation that develops will be broadly executed or highly targeted, scattergun or rifleshot. US-CERT has decided that Spectre is too tough to deal with and recommends replacement of affected CPUs. But industry has decided that's impractical, and seems determined to continue patches and mitigations. Google's Project Zero researchers are widely credited with having discovered the bugs and quietly disclosed them to Intel at least late last summer. Indeed Google deserves credit for the discovery, but there were other, roughly contemporaneous discoveries that should also be acknowledged. Cyberus Technology and the Graz University of Technology also found Meltdown. Spectre is said to have other independent discoverers, too: the University of Pennsylvania, the University of Maryland, tech firm Rambus, the University of Adelaide, Graz University of Technology (again), and the independent security researcher Paul Kocher.

Dave Bittner: [00:05:28:17] The bugs came to full public attention this week. Google had quietly disclosed them some months ago, but working on fixes inevitably involved bringing in a large number of developers in a number of companies, and that inevitably meant that the news was leaking out. A growing conviction that the leaks couldn't be contained apparently prompted the public disclosure. It also explains the partial preparation of the vendor fixes we're seeing this week. Some in the industry news, notably Ars Technica and TechCrunch, are noting that in November Intel's CEO, Brian Krzanich, sold the maximum number of shares permitted under company bylaws. This sale took place after Intel was notified of Meltdown and Spectre, but before the vulnerabilities were publicly disclosed. Intel says this was a mere coincidence, and that the bugs were not a factor in Mr. Krzanich's decision to sell. His sales were properly reported at the time to the Securities and Exchange Commission.

Dave Bittner: [00:06:24:21] There are a few other things going on in cyberspace this week. India's Aadhaar national biometric identification database is said to have been breached, with access to its data for sale on the Dark Web for under $10. Aadhaar has had its security issues before, but this latest appears close to a complete compromise, affecting more than a billion people. Several experts have noted that losing biometric data can be a serious matter indeed, and the Indian government clearly has its security work cut out for it over the next several months at least. And cryptocurrency is again in the news. Observers at Barron's and elsewhere goggle in disbelief at the more bullish projections of alt-coin values. Criminals are also affected by the speculative market in Bitcoin: rapid appreciation and volatility are driving them to alternative alt currencies.

Dave Bittner: [00:07:16:23] But that hasn't taken the shine off the many chips in the old blockchain we're seeing these days. Facebook is expressing an interest in seeing what the technology can do for it, and there's another entrant into the field as well. Hooters, the American restaurant chain known for its buffalo wings, has introduced a cryptocurrency rewards program. They were perhaps inspired by our own favorite application of blockchain technology, the Voppercoin used in Russian Burger King franchises, where diners have for nearly a year been able to eat their way to flame-broiled riches.

Dave Bittner: [00:07:54:21] And now a moment to tell you about our sponsor, Control Risks. Control Risks knows that whether you've faced malicious insiders stealing intellectual property or competitors targeting M&A data, or criminals extorting your executives, one thing is clear: a technical approach to incident response is not enough to address the entirety of your problem. Control Risks has conducted more than 5500 complex investigations in nearly 150 countries. Their 360 degree readiness, response and recovery framework pulls together their expertise in cybersecurity, crisis management, hostile negotiations, forensics, data analytics and legal discovery. Truly effective response often requires more than one approach, and how you react can mean the difference between an isolated incident and an enduring crisis. Let Control Risks navigate you through it. Find out more at Control Risks dot com. Once again, that's Control Risks dot com, and we thank Control Risks for sponsoring our show.

Dave Bittner: [00:09:02:09] And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. You know, as we head into this new year, into 2018, what are you seeing that you expect to be different from what we saw last year?

Justin Harvey: [00:09:16:07] Well actually, I think I'm going to take a lay up on this one, Dave. I am going to go with my last couple of years of predictions that have been turning out to be true every year. Number one, I think we're going to see a lot more leaked data. In years past, or in the last decade, up until two years ago, we were seeing the flavor of cyberattacks being really intellectual property based, or nation state secret based, compromising defense industrial base, compromising technology companies and sucking out intellectual property. We're seeing a fundamental shift in the world today, where it's now about the nature of the data. It is being leaked. It is being held hostage. It is being threatened. It's being ransomed. It seems like no one is safe behind this, so we're seeing this in the political spectrum. We're seeing it in the economic spectrum and also for personal individuals, celebrities, and just regular people, their data is being either sold or it's being leaked out into the open. With 2018 being a pivotal election year for the House and the Senate, I think that we're going to see more and more politically motivated cyber attacks against both parties. We saw how it went down in 2016, so I do believe, heck, even without any nation state interference, I think election hacking is here to stay, and it will become more and more prevalent.

Justin Harvey: [00:10:47:18] My second prediction is going to be around more and more OT, operational technology, attacks, and, which would also include more IoTs. So anywhere where the digital, or Internet connected devices can affect the real world, whether it be your car, your fridge, your toaster, a children's play toy. I think more and more adversaries will utilize these either through harnessing them through vulnerabilities and using them in massive DDoS style attacks. I think that you're going to see more and more of these being exploited to perhaps do spying on people or to get information out of the physical world, and I think that that trend is here to stay for quite some time. I do believe that one of the key attributes to fixing this problem is through legislation and enforcement. So, I think that from a legislation point of view, it's key that not only do we create regulations around IoT and OT, but also we're prepared to enforce those regulations, which could have an adverse effect on markets and the economy, since a lot of these IoT devices are coming in from overseas, from the Asia Pacific region, they're actually helping to fuel some of our economy. And then pursuant to that, I do believe in standards bodies and being able to create some IoT standards, but standards are just that. They're standards. They're not binding in any way, so I do believe that Congress and the government should look at regulating and enforcing the security around these IoT devices.

Dave Bittner: [00:12:32:22] Alright. Justin Harvey, thanks for joining us.

Dave Bittner: [00:12:40:04] Now, I'd like to share an opportunity from our sponsor Cybric. On February eighth, cybersecurity thought leader Dr. Chenxi Wang joins continuous application security platform provider Cybric to discuss DevSecOps from cradle to scale, real world lessons and success cases. Many businesses are moving to DevOps and agile development methodologies, but most security tools and processes aren't designed for this new world, and that hinders innovation. In this webinar, Dr. Chenxi Wang, founder of the Jane Bond Project cybersecurity consultancy, and Vice Chair of OWASP's board of directors, joins Cybric's CTO, Mike D Kyle, to discuss integrating security into your DevOps process at scale, using real world examples. Mike and Chenxi will also cover getting started with DevSecOps, what metrics to use and what security at scale can mean for you. Join them February eighth at one p.m. US Eastern time for this insightful and information packed webinar. To register, or to learn more, go to the CyberWire dot com slash Cybric. That's the CyberWire dot com slash Cybric. And we thank Cybric for sponsoring our show.

Dave Bittner: [00:14:03:08] My guest today is Dinah Davis. She's the founder of Codelikeagirl.io and director of R&D at Arctic Wolf Networks. We check in from time to time to get the latest from Codelikeagirl.io. Dinah Davis joins us from Ontario, Canada. So Codelikeagirl decided to sponsor InfoSec World, which is a conference coming up in March, down in Florida at Disney's Contemporary Resort, but there's sort of an interesting story here. Take us through: how did this come to be?

Dinah Davis: [00:14:32:11] Yes, so we've never sponsored a conference before. It's not even really something we were looking to do, but I found this article in September this year and it like screamed where are all my ladies in cybersecurity? And I'm like hey wait, I'm a lady in cybersecurity. I'm right here. What are you talking about? It's written by this woman, Catherine, who is building the programming for the InfoSec World conference itself. She works really hard to try and get, you know, even amounts of speakers, male, female. She did great with their keynotes. They even have a dog speaking. That's, you know, weird, but very foreseeing. It's like a cybersecurity sniffing dog, so I'm assuming the owner's actually talking, but it's kind of a nice play. Their sessions also have a lot of women, however, for their presenters, they only received six percent of submissions from women. So, for her to then try and make the sessions 50/50 is pretty much impossible, right. They go through a normal vetting process. They would be favoring all the women who entered, which is not really what you want to do either. What you want to do is really have, you know, more gender diversity on the submissions. And so this whole article was just her expressing how frustrated she was that more women didn't apply and trying to figure out why didn't they apply. And really it came down to, you know, a lot of women don't consider themselves good enough to do the talks, or ready enough. There aren't very many of us in cybersecurity, so we also have to have the time to do it. And she was just so disappointed by this, and I saw this article, I was like oh, man, we have to have this article. And then out of that, she reached out to me and said hey, maybe there's something we could do together, like I can't change the lineup of presenters for this year, but maybe I can change the lineup of presenters for the following year. What if we could get as many women as possible to come to the conference to see what we're about, to make sure that they see that we're an inclusive conference? And maybe then more will apply the following year.

Dinah Davis: [00:16:45:01] And so what we came up with was a bit of a partnership. So they have given us a discount code, which you can go get at our website, Codelikeagirl.io, for 15% off the conference. I will be writing my review of the conference after I'm done. They are also going to be writing two articles on either the keynote women or potentially some of the panel speakers to try and highlight, you know, the really amazing women who are at that conference. Us sponsoring it and having a discount code is really about trying to reach more women to try and get them to come to this conference, 'cause it's really good. The topics are really interesting. It's at Disney, so you know, if you want to spend an extra weekend there, that's pretty fun too.

Dave Bittner: [00:17:33:06] Yeah, plenty to do.

Dinah Davis: [00:17:34:00] And for me, there's a big plus. It's in Florida in March and I live in Canada, so that's like, maybe that's all they really needed to do.

Dave Bittner: [00:17:42:07] Right. It's interesting to me, in the past year in 2017, in early 2017, I was at the Women in CyberSecurity Conference and in interviewing a lot of the women there, there was something that came up time and time again, and that women told me was that they felt like things were getting better in the workplace in terms of how they were being treated and respected and paid, and those sorts of things. They felt like there was really good momentum there, but they felt like the conferences were a place where this was lagging. And so I'm curious on your take on that. I mean a lot has happened in 2017, you know, we had things like the Harvey Weinstein revelations, and then the Me Too movement, so I think there's certainly been a light that's been shown on this issue. What is your sense as we come into this new year as to where we are, where people's sensibilities are?

Dinah Davis: [00:18:33:23] Yeah. I totally agree that we're doing way better within the workplace. There is so much more awareness than last year at this time, like just so much more, and that's really exciting for me, because I think the more we talk about it, the more the change will happen. But I still think there's like so far to go to really create that change and have lasting change, like it's really awesome that it's at the forefront of discussion right now. There's a lot of work we need to do in many, many areas. Pipeline is one, so getting more women to even consider careers in cybersecurity. We're really not going to fix the conference issue until we have more women to speak at it, and we have to encourage the women that are there to speak, that they are good enough to speak, that they should be out there speaking at conferences and it's good for their career. So, I mean it's really multifaceted, but I think, you know, I'm just seeing lots of positive momentum in the past year, so I'm really excited to see what's going to happen in 2018. And if you are a guy on an all-guy panel, you should maybe consider not doing the panel at a conference. So, and that's only going to get you positive votes from other women. Tweet about it, share about it, say you'll take, leave your spot or ask them to make room for another spot that we bring on, you know, a woman or a person of color. You know, if it's all white men, that's kind of a problem, you're really only getting in one type of perspective. And panels are most interesting when people have a lot of different perspectives, and that comes from different educational backgrounds, different genders and different ways of growing up. Those are things you could do, like don't accept the status quo if you're on one of those panels.

Dave Bittner: [00:20:29:24] Alright, well the conference is coming up in March. It is March 19th through to 21st in Florida. It is InfoSec World. Dinah Davis, thanks again for checking in with all your efforts at Codelikeagirl.

Dinah Davis: [00:20:42:21] Thank you.

Dave Bittner: [00:20:46:04] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you, through the use of Artificial Intelligence, visit cylance.com. And thanks to our supporting sponsor E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.