The CyberWire Daily Podcast 3.19.18
Ep 558 | 3.19.18

Power grid hacking fears running high. Social media problems. Election DDoS reported in Russia. FTC and SEC cyber enforcement actions. NSA hoarder case update.


Dave Bittner: [00:00:00:22] Hey everybody, Dave here with some exciting news to share. If you are attending the RSA Conference in San Francisco this year, be sure to stop by the Akamai booth in the North Hall, where I will making daily appearances throughout the show. We'd love to get your thoughts on our podcasts, so come on by booth N3625 and say hello and while you're there be sure to check out our sponsor Akamai as well. And of course we thank Akamai for making these RSA Conference meet and greets possible, and I'll see you there.

Dave Bittner: [00:00:32:06] Tensions between Britain and Russia remain high as the UK fears a cyber attack. USA power utilities are also on alert to an ongoing Russian cyber campaign. Despite a claim DDoS attack, President Putin is re-elected in Russia. Facebook's under fire for Cambridge Analytica data incidents. More political bots on Twitter. YouTube tries content moderation, the FTC takes on an alt-coin Ponzi scheme. The SEC has dozens of ICO investigations in progress. And some notes on the Hal Martin alleged NSA hoarder case.

Dave Bittner: [00:01:12:01] Time for a few words from our sponsor Cylance. You've probably heard of next generation anti-malware protection. And we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer, because Cylance has published a guide for the perplexed, they call it next generation anti-malware testing for dummies. But it's the same principle, clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques, and the advantages of artificial intelligence. And why you should test for yourself how to do the testing and what to do with whatever you find. That's right up my alley and it should be right up yours too. So check it out at Take a look at next generation anti-malware testing for dummies. Again that's Cylance, and we thank them for sponsoring our show.

Dave Bittner: [00:02:13:08] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, March 19th 2018.

Dave Bittner: [00:02:22:17] As tensions between Britain and Russia mount, the UK braces for cyber attacks on critical infrastructure. Especially its power grid and water supplies. Police in Wiltshire where the attempted assassination of Sergei Skripal took place, deny that their networks came under Russian attack. Expect more false alarms during this period of heightened tension. The US power industry is similarly preparing itself for attack, the Department of Homeland Security has warned that Russian operators successfully intruded into electrical grid industrial control systems, albeit without working damage in this first stage of their campaign.

Dave Bittner: [00:03:01:16] Direct and official attribution of a cyber operation to a specific named nation state is unusual in American practice.

Dave Bittner: [00:03:09:17] Cyber attack on power grids are particularly worrisome, especially if they affect industrial control systems in ways that enable attackers to drive to destruction, difficult to replace critical components, like turbines. Such destruction was shown to be possible, ICS security experts say, by demonstrations like the US Energy Department's Project Aurora. Such attacks could bring down grids for months, with great attendant suffering.

Dave Bittner: [00:03:37:01] Commenting on the UK's situation, security experts have offered the sobering, if rather breathless warning, that in the event of complete grid failure, Britain would be quote, "Four meals away from anarchy", end quote. A few weeks ago UK Defense Secretary Gavin Williamson warned that such an attack would result in quote, "Thousands and thousands and thousands of deaths."

Dave Bittner: [00:04:01:12] Attacks on power grids are also worrisome because they've actually occurred in the wild. Russia succeeded in producing at least two regional outages in Ukraine, over the past three years. Those attacks are widely regarded as trial runs and proof of concept for larger scale attacks against great power rivals. It's unlikely Russian operators would be able to execute them in exactly that form, since utilities elsewhere have learned from Ukraine's experience, but the prospect is worrisome. This is not to say that other risks to power distribution, like the ice storm that's likely to hit the north eastern US this week, aren't much more common and far more likely. It is to say that a nation state could, if it wished, do widespread and enduring damage far exceeding a society's ability to recover.

Dave Bittner: [00:04:49:14] The US Intelligence Community is thought to have been aware of Russian cyber activity against electrical utilities, for some months. Unofficial warnings go back to last autumn at least, when Symantec produced research on the activities of Energetic Bear. Some of the operations are thought to go back to 2015.

Dave Bittner: [00:05:08:12] The current campaign against US power utilities is said to be a multi-staged one. No damage to systems or interruption of operations has occurred so far to anyone's knowledge. But control system data is said to have been exfiltrated. And an important part of the campaign has been spearphishing of electrical utility personnel.

Dave Bittner: [00:05:28:23] Social media continued to struggle through their rough patch as political research firm Cambridge Analytica is found to have obtained Facebook personal information on some fifty million individuals during the last US election cycle. Cambridge Analytica counted the Trump campaign among its clients, bot-driven fake Twitter accounts may have been used against the Sanders presidential campaign by democratic operators aligned with candidate Clinton.

Dave Bittner: [00:05:55:17] YouTube is accused of stoking conspiracy theories, most recently with respect to school shootings. The video sharing platform has sought to address this problem, by linking content to relevant Wikipedia pages. Wikipedia itself was surprised by the move on which it wasn't consulted. And observers are skeptical that such linking is likely to have much effect.

Dave Bittner: [00:06:18:18] And Facebook suffered a brief period last week where its search-auto-complete function inexplicably defaulted to adult video queries. Apparently tailored to some highly specific tastes. Which as a family show we won't further describe.

Dave Bittner: [00:06:33:02] Congress is therefore barking about new regulation of social media. It's especially riled up over the Cambridge Analytical affair, so Facebook seems destined to receive a good deal of unwanted attention from Capitol Hill.

Dave Bittner: [00:06:48:05] Researchers at Georgetown University's Security and Software Engineering Research Center, that's the S2ERC, recently compared the security of desktop and virtual browsers. Paul Brigner is managing director of the S2ERC and he shares what they found.

Paul Brigner: [00:07:05:09] Our research was really focused on trying to understand the security implications for running a virtual browser or a cloud-based browser. And in particular, a browser as a service, type of an option. And that is even different from virtual desktop infrastructures and of course clearly different than running a browser on your local machine. We really wanted to identify do you see a big difference when you, you have that isolated cloud-based environment? That is particularly focused on helping users overcome security risks.

Dave Bittner: [00:07:42:18] And so take us through how did you do your research and what did you find?

Paul Brigner: [00:07:47:06] We had these, a different variety of operating environments, we had some laptops that we were running the Chrome browser on and we compared that to a particular cloud-based browser, it's the Authentic8 silo browser that we used in this example. And we identified a number of different sources of malware, that we proceeded to download, I attempted to download. And determined if the, if the download was blocked and in many cases it was. It was blocked by Chrome in many situations. It was blocked by our, our cloud-based browser in more situations for sure, so that was, that was an immediate difference in that we did find that the, the cloud-based virtual browser blocked more of the malware from the beginning.

Paul Brigner: [00:08:36:11] But what was probably even more significant, is that after you were able to download some of the malware, in both cases that was possible. In the cloud based and in the isolated environment, that was completely isolated and limited to that environment. Whereas otherwise you would be bringing it down to your desktop and potentially infecting your entire organization.

Dave Bittner: [00:09:00:13] So with the cloud-based version, even when you download a file that download stays remotely on the cloud and so it doesn't have the opportunity to infect you locally?

Paul Brigner: [00:09:09:13] Right. And, and of course, you know, when you take a look at these different types of cloud-based options, there could be an exposure there if there is not a specific focus on limiting this type of threat. So if you have a regular desktop virtual infrastructure it could potentially expose the files in that virtual environment, to the malware. So I think if, if you focus specifically on trying to create a virtual cloud-based on desktop environment, you still might have some risks.

Dave Bittner: [00:09:40:20] Now did you take a look at all that just general usability? Were, were there any downsides to running your browser remotely?

Paul Brigner: [00:09:48:13] Any delays when you're running a browser does have an effect on usability of course, there's network latency that can be initially a problem. What we've found is that and this wasn't part of our study, so we didn't turn this into more of an academic research result. But just in usability we found that after you use a virtual environment like that, it actually becomes very easy after a short time. I mean there is some kind of a transition that you have to go through, but it's something that once you're used to, I think you find that the browser in the cloud can even be a better experience for you.

Dave Bittner: [00:10:26:20] Well having completed your research here, do you have any recommendations for, for security folks?

Paul Brigner: [00:10:32:14] It almost requires to create a secure environment on the web, and it requires an entirely different mindset. And that's where this type of virtual browser, really comes into play. You honestly, unless you use this type of approach it's, it's hard to imagine an environment where you are truly safe from threats online. However, when you do move to an isolated approach like this where you are essentially entirely protected and that malware is limited to that virtual environment, you can allow your users to surf the web safely and you really don't have those same threats that you're having to deal with. So I think it, it requires a change in mindset, and that is something that I would recommend for companies and organizations to consider.

Dave Bittner: [00:11:19:24] That's Paul Brigner. He's the managing director of the Security and Software Engineering Research Center, the S2ERC, at Georgetown University.

Dave Bittner: [00:11:30:18] Several developing stories involve regulatory enforcement or criminal proceedings, the US Federal Trade Commission is taking action against three defendants who allegedly were running a crypto-currency Ponzi scheme. The defendants operated as the Bitcoin Funding Team and My7Network.

Dave Bittner: [00:11:49:22] The US Securities and Exchange Commission has said its investigating dozens of initial coin offerings, and the value of Ether has dropped accordingly. Falling below five hundred dollars.

Dave Bittner: [00:12:02:02] And the government will not have such a difficult burden of proof to bear in the trial of accused NSA hoarder Hal Martin. The prosecution will not after all have to show that Mr Martin knew the contents of 20 specific documents investigators found in his Glen Burnie, Maryland shed. And knew that they were classified. It will be enough to show that he knew he had a bunch of classified stuff. As Judge Garbis put it, "Proof that the defendant knew he was wrongfully retaining the mass of stolen documents is sufficient to satisfy the government's willfulness mens rea obligation under the Espionage Act, if the government can prove that the specified charged documents were in the mass of documents taken, and wrongfully retained."

Dave Bittner: [00:12:46:15] Russia's central election commission says it's sustained DDoS attacks over the weekend, from 15 countries. The attacks didn't affect the outcome of the presidential election, neither perhaps did the votes people cast. Which makes one wonder how even a successful distributed denial-of-service attack would have made much difference? Exit polls Sunday showed President Putin returned to office with a commanding 74 per cent, and who saw that coming? Mr Putin also announced his 2030 candidacy, perhaps in jest but perhaps not. In 2030 he'll be a spry 77, so why not?

Dave Bittner: [00:13:24:20] And finally, reporting a problem we confess we don't have, the Rosen Group reports that late model yachts are coming off the slipways with easily compromised routers. Thurston and Lovie Howell take note, especially before you embark on any three hour tours.

Dave Bittner: [00:13:45:08] And now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence. Validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels, built on the ThreatConnect platform the products provide adaptability as your organization changes and grows. A pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense, and the confidence to make strategic business decisions. With ThreatConnect your team works as a single cohesive unit. Reinforced by a global community of peers. To register for a free ThreatConnect account or learn more, visit That's, to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:15:00:13] And joining me once again is Malek Ben Salem, she is the R&D manager for security at Accenture Labs. She's also a New America Cyber Security Fellow. Malek welcome back, you know, you and I have talked previously about getting ready for deployment of cryptography and some of the challenges there. And today you wanted to share some tips for, sort of the short term preparation for that sort of thing. What, what can you share with us today?

Malek Ben Salem: [00:15:22:22] Yeah sure. So last time we talked about the threat that Quantum computers pose to the way we encrypt our data to the classical cryptography. Right. We know that Shor's algorithm for example can be used for Quantum for a factorization and can be applied to solve discrete algorithm problems. What that means is that it can break a symmetric standard algorithms. That means also that it can break RSA elliptic-curve, et cetera.

Malek Ben Salem: [00:15:52:09] So one of the questions that I got from one of my clients, was about does it make sense to invest in fixing a poorly implemented public key infrastructure, if it can be hacked with Quantum computers anyway? And the answer is yes absolutely. It's always worthwhile in investing in your PKI because that's what's going to prepare you to be able to upgrade to Quantum safe algorithms in the future. And in particular what you need to focus on is understanding or identifying, whether all of your critical applications are working with certificates. Identifying what certification authorities, whether internal or external, are responsible for issuing those certificates. Having a process for updating cryptographic principles. Making sure that your key up cycle is up to date. Making sure that your certificate validation is up to date.

Malek Ben Salem: [00:16:52:08] And also assessing how the renewal of a certification authority, would influence your organization. So in summary what you need to do, is basically review your entire key management, to build a clean, detailed and verified key management for your PKI. Obviously you need to protect your keys, ideally in hardware security modules. In that process you may need to increase the length of your keys, for symmetrical keys we recommend 256 bits in order to be Quantum safe, for RSA at least 3072 bits. And then you need to document that entire process, and you should be well prepared for the future.

Dave Bittner: [00:17:36:09] Now is this the type of thing where when you are talking to your clients, do you find most people are up to date on this or are people tend to be lagging behind?

Malek Ben Salem: [00:17:44:01] Many people are lagging. At least in terms of having an entire inventory of what those applications are, what are the communication channels are, and what's the certification update cycle, or validation cycle?

Dave Bittner: [00:17:59:04] So it's really a case of doing the work now, so you can be proactive about it rather than being reactive if and when the Quantum computers become practical?

Malek Ben Salem: [00:18:08:02] Exactly.

Dave Bittner: [00:18:09:03] Alright, well Malek Ben Salem as always, thanks for joining us.

Malek Ben Salem: [00:18:12:02] Thank you David.

Dave Bittner: [00:18:15:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit And thanks to our supporting sponsor E8Security. Follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:18:37:14] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe. Where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.