The CyberWire Daily Podcast 7.30.18
Ep 651 | 7.30.18

NetSpectre proof-of-concept. Election hacking, in the US and Australia. Cyber industrial espionage. Cyber threats to power grids. Hacking JPay.

Transcript

Dave Bittner: [00:00:03] NetSpectre is a new speculative execution proof of concept. Australia's Electoral Commission says there were no signs of hacking recent by-elections. U.S. states remain concerned about election hacking. Missouri Senator McCaskill confirms that Fancy Bear made an unsuccessful attempt to access her staff's network. Russian threats to power grids. Industrial espionage continues to go after corporate IP. And news you can use about JPay. We know, you're asking for a friend.

Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's is a serious reality under the hype. But it can be difficult to see through to it, as the experts at Cylance will tell you. AI isn't a self-aware Skynet ready to send in the Terminator. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com. And check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 30, 2018. Researchers at Austria's Technische Universitat Wien have described another spectre-class speculative execution hack. They call this one NetSpectre, a CPU speculative execution hack that can read arbitrary memory over a network. Unlike the other Spectre exploits that have been described over the past several months, NetSpectre doesn't require the attacker to get the victims to download and run malicious code on their machine. Instead, it's a remote hack. NetSpectre achieves its effects by probing network ports.

Dave Bittner: [00:02:19] The good news, amid the bad, is twofold. First, NetSpectre's data exfiltration speeds are slow - very slow, only about 15 bits per hour for attacks on data stored in the CPU's cache that are carried out over a network connection. Second, the mitigations that helped stop Spectre version one should also work against NetSpectre. If you're in a mood to worry, Bleeping Computer suggests an analogy with rowhammer attacks. Those saw increasing exfiltration speeds as researchers spent more time on them. And they also saw barriers to entry drop. Still, on this one, the glass looks half full.

Dave Bittner: [00:02:58] Election hacking and influence operations remain in the news. In Australia, where authorities and public opinion have tended to worry about Chinese influence, it appears that the recent by-elections went off without a hitch. The Australian Electoral Commission says the country's voting infrastructure showed no signs of having been subjected to any hacking. Parliament and the government however aren't disposed to rest easy. And protecting elections continues to be a matter of concern, deliberation and debate.

Dave Bittner: [00:03:28] In the U.S., various state election officials are expressing concern over their system's vulnerabilities. Wisconsin and Montana are among the worried, with Montana officials now saying they saw some signs of Russian probing during the 2016 elections. More immediately, Fancy Bear is thought to have debuted in the midterms as Senator McCaskill, a Democrat of Missouri, has confirmed that there was a GRU attempt to gain access to her network. She said that the attempt was unsuccessful and that she's outraged. She added that Russian President Putin is a thug. And she doesn't care if he knows she thinks so.

Dave Bittner: [00:04:04] Exactly what Fancy Bear was up to in Senator McCaskill's system isn't clear because her staff and investigators are being fairly tight-lipped about the whole matter - apart, of course, from noting Vladimir Vladimirovich's thuggishness. But it appears likely that it was the usual phishing expedition. Observers draw a lesson from the McCaskill case. The most vulnerable points in the U.S. political system, at least from the point of influence operations, appear to be its campaigns and the staffs who run them.

Dave Bittner: [00:04:34] It's worth reviewing the different activities people have in mind when they talk about election hacking. What we might call election hacking proper is direct interference with either the data or availability of electronic voting systems. That's the sort of thing the Australian Electoral Commission didn't find. Then there's reconnaissance, snooping into electronic voting systems, accessing voter data and so on. That's the sort of incidents some U.S. State election officials are reporting.

Dave Bittner: [00:05:02] A somewhat different kind of cyberattack is accessing campaign data - usually emails and usually through social engineering in the service of influence operations. In this case, the attacker is interested in finding and releasing material that's either discreditable or can be framed as such. This is what Fancy Bear is alleged to have done to the Clinton presidential campaign. A fourth kind of election hack involves trolling often with a fake persona and automated bots, as the St. Petersburg-based information research agency has done. The aim here is to influence public opinion.

Dave Bittner: [00:05:37] And finally, of course, there's fake news and disinformation planted and disseminated in more or less traditional ways. In general, U.S. officials think there's a lower degree of Russian activity directed toward election hacking and influence operations during the current mid-term election season than was observed in 2016. Instead, it's believed that Russian intelligence services are devoting more attention to the power grid. Observers find this disturbing. Temporary outages, which might not have much more effect than an ice storm or perhaps not even as much, are worrisome. A number of security experts have advised a keep calm and carry on view of this level of disruption.

Dave Bittner: [00:06:18] But simply causing a power outage that affects part of the grid for a few hours is much less serious than an attack that damaged or destroyed difficult to replace power generation systems. The U.S. Department of Homeland Security demonstrated the potential effects of such an attack in its 2017 Aurora Tests at the Idaho National Laboratory. In that demonstration, the rapid out-of-phase cycling of protective relays was shown to cause physical damage to generators and induction motors. That sort of attack would be of greater concern than a temporary outage.

Dave Bittner: [00:06:52] Last week's report from the U.S. National Counterintelligence and Security Center remains the topic of much chatter. That report described extensive foreign, especially Russia, collection against intellectual property. Politico describes increased espionage against California tech industry targets, where the new gilded age marriage of progressive hipster sensibility and buccaneer capitalism have not exactly produced a culture of security.

Dave Bittner: [00:07:18] Facebook and Twitter have recently fallen out of favor with investors and speculators. Analysts connect their issues, especially Facebook's record-setting market cap free-fall last week, to concern that their user communities have either begun to plateau or entered a period of decline. A Washington Post op-ed sees the downside of the network effects that build the social media platform and put it this way - the ghost of MySpace is haunting social media. Facebook and Twitter also continue to struggle with content moderation. And that too seems a difficult problem without solutions that will satisfy a majority of users.

Dave Bittner: [00:07:57] Finally, we are shocked - shocked to report that convicts are stealing. You won't believe it. But guests of the governor of Idaho are abusing their access to JPay to accumulate lots of credits they can spend for games, email services, tunes and the like - also educational services and positive entertainment, although how much of these are actually consumed is unclear. JPay is a tablet-based system designed to give inmates limited and healthy connectivity to the outside world, where their friends and family can not only communicate with them but also post money to their accounts that they can use for JPay credits.

Dave Bittner: [00:08:36] More than 300 inmates in Idaho correctional facilities have succeeded in hacking JPay to jack credits up to almost a quarter million dollars, which is a lot in a prison economy where wages, according to WIRED, run from 10 to 90 cents an hour. It costs 47 cents to send an email on J and as much as three and a half bucks to download a tune. So the Freakonomics incentives are aligned so that signs point to hacking.

Dave Bittner: [00:09:11] And now a word from our sponsor ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go "Back to the Future" with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out take, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from “Ghostbusters,” you're a pretty righteous dude. Visit observeit.com/cyberwire and take that quiz today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:10:32] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We had an article come by from Scientific American. And it was called "How Close Are We - Really - to Building a Quantum Computer?" You and I revisit this topic from time to time. And I've joked with you that quantum computing seems to me sometimes kind of like fusion energy - where, no matter when you ask, it's always 20 years away. But does it seem like we're getting closer? When might we see some real practical applications for this?

Jonathan Katz: [00:11:06] So, first of all, you know that people are very concerned about the possibility of a quantum computers because if a real quantum computer were ever built - a large enough quantum computer were ever built, it would be able to break all the public-key cryptography currently being used on the internet. So obviously we don't want to be caught unprepared. It would be really a terrible thing if - from the point of view of security, if a quantum computer came out a year from now. And we were just caught completely, you know, flat-footed and didn't have replacements in line to replace our public-key crypto-systems.

Jonathan Katz: [00:11:37] And so people really do want to know how feasible it might be to construct a large-scale quantum computer over the next five, 10, 15 years. And a lot of people are seriously looking at this. What I think seems to have happened more recently is that there has been a lot of interest from industry. Several companies now, including Google and Microsoft, now have significant efforts in quantum computing. And I think this is making people a little bit more worried that a quantum computer might be closer than we previously thought.

Dave Bittner: [00:12:07] Now is this - is it fair comparing this to something like the Manhattan Project, where if one nation state had significant advances in quantum computing, that would give them, you know, a global advantage over other nations?

Jonathan Katz: [00:12:20] Absolutely. I mean, I would say that if an intelligence agency in a particular country had access to a quantum computer, and other intelligence agencies were not aware or didn't have access to their own quantum computer, then the results could be really devastating, right. Like I said, that would allow one country to be able to essentially decrypt transmissions that the other country was sending over the internet even without the other country knowing it. And that could be really, very significant.

Jonathan Katz: [00:12:50] Of course, the situation will be a little bit different if you had a quantum computer being built publicly. If it were built by a company, for example. And then everybody - they would publish it, and then everybody would know about it. The situation would be a little bit different. But it could definitely give a big advantage to whoever is able to solve this problem first.

Dave Bittner: [00:13:06] How much is this going to change how we approach computer science? Are there fundamental differences in the way that these computers function that you - for example, your students are going to have to come at this from a different direction?

Jonathan Katz: [00:13:19]: That's a really good question. And it's funny. I haven't really heard people talk about that a lot before. I think - you know, my guess is that if and when quantum computers first come out, they're going to still remain very niche. I don't think we're going to see desktop quantum computers, personal quantum computers anytime soon, in part, because they're likely to be very expensive and very large at first but also because I think most people wouldn't have a need for quantum computers. I think quantum computers are especially good at particular types of problems that cryptographers are interested in and also some other problems that physicists are interested in, for example. But the average user might not be really interested in having a quantum computer available to them.

Jonathan Katz: [00:14:00] But thinking ahead longer term, when quantum computing - if quantum computing becomes the norm, then, absolutely, it would require people to learn basic quantum mechanics in order to understand what's going on. It would require people to think a little bit differently when they program because programming for a quantum computer is different and maybe more challenging than programming on a regular computer. And so, yeah, there's definitely going to have to be a shift in the way computer science is taught if quantum computers ever become a reality like that.

Dave Bittner: [00:14:29] Hopefully by then, both you and I will be retired.

(LAUGHTER)

Jonathan Katz: [00:14:35] I guess it depends on when they come out.

Dave Bittner: [00:14:37] Right, right. Exactly. All right, as always...

Jonathan Katz: [00:14:40] But it certainly makes for interesting times.

Dave Bittner: [00:14:42] Yeah, absolutely. Absolutely. All right, Jonathan Katz, as always thanks for joining us.

Jonathan Katz: [00:14:46] Thank you.

Dave Bittner: [00:14:52] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsors Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:15:27] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Huh. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:15:55] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.