The CyberWire Daily Podcast 3.21.18
Ep 560 | 3.21.18

Preparing for grid attacks. Notes on breaches, crime, and punishment. And Facebook's no-good, bad, awful week.


Dave Bittner: [00:00:03:24] The US Department of Energy says the Power Grid is preparing for Russian attacks. A teenager finds a flaw in hardware wallets. Travel service Orbit suffers a data breach. Laurie Love won't be extradited to the US. We've got notes from today's Billington International Cybersecurity Summit. And Facebook's truly awful week continues. The silicon age is looking right now a lot like the end stages of the Gilded Age.

Dave Bittner: [00:00:34:20] Time to share some words from our sponsor, Cylance. Are you headed to RSA? Don't forget to look up Cylance while you're there. Drop by booth 3911 in the North Hall and meet up with their expert professional services staff or attend one of their featured conference sessions. If you're in a festive mood, you can connect with them at the Digital Shadows Security Leaders Party. Wherever you make your connection, they look forward to talking with you. You can ask them about AI and machine learning, or ask about their industry leading research into thread actors who threaten our power grid. You can learn more about their presence at RSA by searching join cylance@RSAconference2018 and we thank Cylance for sponsoring the CyberWire. That's, join cylance@RSAconference2018 and be sure to connect with the company that's making a difference in security. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:32:24] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire for Wednesday, March 21st, 2018.

Dave Bittner: [00:01:43:20] Congress has told US Energy Secretary Perry they expect prompt action to ensure the power grid's security. Secretary Perry expressed confidence that the grid is capable of resisting Russian cyberattacks, and that the North American power distribution system has indeed adapted to the threat. It's a difficult challenge; we hope the Secretary's measured confidence turns out to be justified.

Dave Bittner: [00:02:08:07] Before we turn to Facebook and Cambridge Analytica, it's almost refreshing to be able to report some conventional hacks and vulnerabilities. A teenaged researcher has found a vulnerability in the popular cryptocurrency hardware wallet Ledger. British teenager, Saleem Rashid is the one who counted coup and disclosed it, so bravo to him, especially for his restraint and responsibility. He forwarded his proof of concept to Ledger some four months ago.

Dave Bittner: [00:02:36:12] Online travel service Orbit has been hacked, with the crooks making off with some 800 thousand customer records.

Dave Bittner: [00:02:42:08] And British hacker Laurie Love, famous for allegedly getting illegal access to a number of US Government sites in his search for evidence that Washington is covering up its dealings with extraterrestrials, will not ever, face extradition to the United States. British courts found that he'd be likely to commit suicide under barbarous Yankee justice, so he's safe at home. Mr. Love has done some unseemly crowing about how he exposed massive human rights violations in the US. His case is instructive in at least two ways. First, a claim of psychological frailty can work to your advantage. Second, cranks pursuing fringe projects can work a great deal of damage.

Dave Bittner: [00:03:26:22] With each passing day, the GDPR compliance deadline grows closer and there's growing consensus that many organizations are not going to be completely ready in time. JR Cunningham is Vice President of Advisory Services Product Management at Optiv and he says, don't panic.

JR Cunningham: [00:03:43:01] If you look at the history of sweeping legislation around CyberSecurity or privacy or data, what we've seen in the past is any time we panic and race towards compliance, we don't get the desired outcome. Examples would be FISMA, back in 2002, HIPAA in 1996, the PCI industry standard. If we, if we take the PCI example for instance, here we have an industry standard around credit card security and of course, we saw in 2012, 13 and 14, that retails breaches were, you know, increasing in severity, frequency, cost. 2015 was the year of the health care breach, that was, you know, decades after the passage of HIPAA. So, what we see is that when organizations panic and race towards compliance with the legislation of the day and they don't pay attention to the rest of the goings on in their information security program, that's the result.

Dave Bittner: [00:04:44:19] I think there's a lot of fear that European Regulators are going to make examples of, of organizations, do you think that's likely to happen?

JR Cunningham: [00:04:54:09] I think the history of European Regulations is precisely that. If you look at antitrust cases in the late 90's and early 00's, it is kind of the European way to, you know, find egregious examples of non-compliance and make an example and levy fines. However, that's not to say that our perspective is the, you know, the, the European regulators are going to be running around with their ticket books looking to, to write citations, especially early on. European enforcement of laws such as this tend to be more focused on the spirit of compliance rather than, you know, the, the exact letter of compliance. And so, it would not be unforeseen for regulators to go after some really big fish, especially if they're American companies, as I've mentioned we've seen this in the past. But we really don't get the sense that, you know, this is gonna turn into a, a feeding frenzy.

Dave Bittner: [00:05:48:03] So, what are your recommendations for companies as we head towards that May deadline?

JR Cunningham: [00:05:53:04] There are a whole lot of things that an organization should be doing around Data Protection and privacy that are part of an overall healthy privacy and information security program. Being able to answer questions, what data do I have that's GDPR relevant? Where is the data in my organization? What measures do I have in place to, to protect that information? Not only on premises but as well third-parties, outside providers. And then perhaps, most importantly, can I respond effectively if something bad happens, if I do have, have an incident? These are steps that make a lot of sense even without something like GDPR. You know the other thing that is important is considering the perspective of the data subject. Here in the United States, we tend to have the view that when we provide data to a company, that data's just gone and, you know, the, the company has it and they can do whatever they want with it.

JR Cunningham: [00:06:45:06] GDPR puts upon us a requirement to be more transparent with the consumer on why we're collecting data, what we intend to do with it, how long we're going to keep it. And so, having these practices inside the organization are part of an effective information security and information risk program that will also get us to where we need to be from the GDPR compliance point of view.

Dave Bittner: [00:07:08:24] Now one of the things you mentioned in the notes that you sent over is this notion of being able to demonstrate an intent to comply. Can you just explain that to us?

JR Cunningham: [00:07:17:14] Article 5 of the GDPR dives into the principles of the law. So, all of the other 99 articles in the law really boil down to these principles. These principles are being lawful and fair and transparent about our use of information. Minimizing the information, ensuring that, you know, anything that we do with this information is consistent with our, our stated business purpose and we're not doing other things with the information and of course protecting the data. So, being compliant with that spirit of the GDPR is kind of that critical first step. What we're hearing from the, the market is that most organizations are not going to be fully compliant by May 25th. So, having a plan, and having that plan tied back to those principles found in Article 5 are really essential in order to be able to demonstrate, you know, a spirit of compliance.

Dave Bittner: [00:08:11:17] I, I guess I'm trying to, to unpack the balance here between, you know, taking proper precautions but also not getting carried away.

JR Cunningham: [00:08:18:19] There's an enormous amount of noise around GDPR and if you look at what specifically a lot of security product companies are saying, they're, they're, they're tying their products with a perceived need but within GDPR. And GDPR really does not go into the depth of specifying types of technology. GDPR talks about, you know, considering the state of the art and taking a risk balanced approach. Articles 25 and 32 specifically refer to taking a risk based approach and we have to consider the risk of harm to the data subject and what tools are available in order to reduce risk.

JR Cunningham: [00:09:01:24] So, in, in conjunction with not panicking, it's also, there's so much noise around the information security space that it would, it would be really easy to fall victim to the idea that buying a few pieces of technology will get us where we need to be from a GDPR point of view. And nothing could be further from the truth. GDPR is a combination of, of things that have to be done within the legal department, within cybersecurity and then of course, you know, the IT department, specifically around data subject rights, that chapter three of GDPR.

Dave Bittner: [00:09:34:07] That's JR Cunningham from Optiv.

Dave Bittner: [00:09:39:04] Facebook faces a very strong consumer backlash over the Cambridge Analytica affair. While Cambridge Analytica appears to have used data from Facebook in unanticipated ways, there are now more reports of similar use of customer information by others, including other political campaigns and consultants, sometimes with the tacit acquiescence of Facebook itself. The current case, it's worth emphasizing, is not a data breach but rather analysis and use of information the owners provided Facebook and the correlation of that information with the other digital contrails people leave behind them as they move across cyberspace. The US Congress intends to summon Facebook executives to testify on the company's data use policies and the Federal Trade Commission has opened an investigation. There's international investigative interest as well, both the British and European Parliaments want to hear from Facebook's leaders.

Dave Bittner: [00:10:33:10] Much of the scandal derives from the bragging attributed to Cambridge Analytica leaders, particularly recently suspended CEO, Alexander Nix, who's been disporting himself like a body double from the Kingsman movies. Not only is the boastful chitchat about honey traps discreditable and unsavory, but even more disturbing are what panelists at today's Billington International Cybersecurity Summit characterize as claims to be able to manipulate the thinking of particular individuals. And of course, to influence their voting. It's worth mentioning that this is persuasion, not mind control out of science fiction and so it's perhaps best understood as a marketing scandal.

Dave Bittner: [00:11:14:20] Many observers call this a tipping point for the tech industry as a whole, dependent as it is on its ability to monetize personal information for marketing. A piece in the San Jose Mercury News suggests that Silicon Valley is ripe for anti-trust and other strong regulatory treatment. The Mercury News calls public mistrust and resentment unprecedented. But there is a precedent, just not in the tech sector. Silicon Valley increasingly looks like the oil and steel sectors did when the trust busters turned on them at the end of the 19th Century's Gilded Age.

Dave Bittner: [00:11:48:15] The faces of Facebook, Mark Zuckerberg and Sheryl Sandberg, have been little seen. Many suggest it's time for them to lean in. People interested in crisis management will watch the company's handling of the matter closely. This isn't remember a technical issue or a data breach. It's a crisis deriving from company policies and practices, arguably from anticipated or unanticipated aspects of its business model. So, public affairs would be particularly important in containing the damage. One aspect of sound incident response practice Facebook may have got right, is to involve the lawyers early and often. Their General Counsel is said to have been leading the crisis response meetings. Good to be lawyered up but it's no substitute for the very public faces of the brand. In any case, we expect to see class action suits soon. More regulation, too.

Dave Bittner: [00:12:41:05] We're in Washington today at the third annual Billington Cybersecurity Summit. The Federal Government may be closed due to the early spring blizzard we're experiencing here in the Middle Atlantic but the Summit is going on as scheduled. Security experts from four continents are here, making presentations. There's unsurprising unanimity so far, concerning the necessity of collaboration between government and the private sector. Not only does every threat travel through privately owned infrastructure at some point and not only are much, arguably most, critical assets in private hands, but there's also a question of capacity.

Dave Bittner: [00:13:17:19] There's also some clear consensus on the ambivalence of technological advance. As David Koh, Singapore's Commissioner of Cybersecurity, put it, "We have to get a better understanding of the risks and vulnerabilities of new technologies. We can't concentrate only on the upside of technology and disregard the downside. That's a recipe for disaster. We exploit the technology and run the risk of being exploited ourselves."

Dave Bittner: [00:13:48:01] And now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operation and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence. Validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows.

Dave Bittner: [00:14:26:06] The pioneer in threat intelligence platforms, ThreatConnect provides organizations of powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect, your team works as a single cohesive unit, reinforced by a global community of peers. To register for a free ThreatConnect account or learn more, visit That's to learn more. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:15:02:20] And I'm pleased to be joined once again by Jonathan Katz, he's a Professor of Computer Science at the University of Maryland and also Director of the Maryland Cyber Security Center. Jonathan, welcome back. We had a story come via Naked Security about EPassports and I remember there was a lot of, a lot of attention when US passports started having electronic chips built in to have information stored on them. But it turns out that people have not been able to use this, this feature of passports. What's going on here?

Jonathan Katz: [00:15:35:05] Yeah, so these new electronic passports, well not, not even so new anymore, they've been around for more than 10 years. But the idea was to make them more difficult to forge. So, the information about a person, you know, their name and address and age and whatever information, would be stored on a computer chip rather than, you know, just being stored in print like in the old days. And the idea would be that that information would be cryptographically protected, it would be signed and then that information would be verified when that person came to cross the US border. And the problem was even those cryptographic techniques were implemented on the passport, the software at the border crossing seems not have been implemented properly and it seems like they were never actually verifying the integrity of the data that they were reading. So, that basically means that even though you have all this nice cryptography on the passport itself, it's often not because they just weren't checking it at the border.

Dave Bittner: [00:16:31:19] And does that make it useless? I mean is it a point where you can't extract the data from the passport because you don't have the proper software?

Jonathan Katz: [00:16:38:11] Well I think the issue is, you know, so I don't know whether anybody was ever actually able to exploit it, it's certainly a risk if you didn't know whether or not they were verifying or not. Then, you know, you would take a risk at going to the border with invalid information. And, you know, it would only be after the fact that you would realize they never actually verified anything. So, I don't know to what extent this was ever actually exploited but it certainly looks bad right because we go through all the, the difficulty and all the expense obviously of changing these passports. And then to not even have the appropriate software at the other end to read them properly, kind of, kind of an embarrassment frankly.

Dave Bittner: [00:17:13:16] And from a big picture point of view, I mean if we're talking about encryption, that is ten years old, the techniques are ten years old. Does that mean by modern standards they would be obsolete or, or ancient or would they still hold up?

Jonathan Katz: [00:17:25:03] No, not at all. So, the cryptographic techniques themselves should be fine. There was nothing wrong with the techniques themselves, it's just that you've got to be implement them properly on both ends.

Dave Bittner: [00:17:37:15] All right. Interesting stuff. You can bring a horse to water but you can't make him drink.

Jonathan Katz: [00:17:41:03] You can't, you can't make this stuff up. You can't make this stuff up. [LAUGHS]

Dave Bittner: [00:17:44:15] Yeah, that's right. That's right. Alright, Jonathan Katz as always thanks for joining us.

Jonathan Katz: [00:17:49:01] Thank you.

Dave Bittner: [00:17:51:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit And thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:18:14:09] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.