The CyberWire Daily Podcast 9.10.18
Ep 680 | 9.10.18

Elections and information operations, but not necessarily the elections you expect. Apple purges dodgy security apps. Who are the Silence criminals? BA's breach. Cyber moonshots.

Transcript

Dave Bittner: [00:00:03] Foreign information operations surround elections in Israel and Sweden. Domestic information operations surround local elections in Russia. Apple purges questionable security apps from its store. Are the Silence cybercriminals security industry veterans? British Airways continues to recover from its data breach. What a cyber moonshot might actually mean. And ProtonMail says the coppers have collared an Apophis Squad member.

Dave Bittner: [00:00:37] Time to take a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact of businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:58] Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:02] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, Sept. 10, 2018. Information operations directed toward influencing or disrupting elections have surfaced in several countries. ClearSky reports finding an Iranian disinformation campaign aimed at planting bogus stories in and around Israel. One Hebrew language site, Tel Aviv Times, published plagiarized stories altered to support Iranian interests. Fourteen bogus Facebook profiles and 11 inauthentic Twitter accounts were coordinated with the campaign. Several of the sites involved in the operation targeting Israel closed after the exposure. The operation's playbook seems to have resembled the one uncovered late last month in the U.S.

Dave Bittner: [00:02:52] Swedish authorities have warned of foreign disinformation designed to affect recently concluded elections, which were indeed contentious. Swedish authorities framed the issue of foreign information operations as a matter of national defense as preparation for a foreign attack. There is little doubt as to who would be doing the attacking, of course. It's Russia. And in Russia itself, a domestic campaign is running with the apparent intent of suppressing dissenting voters. A lot of people are upset about a pension reform the government is instituting. It's a broadly unpopular piece of austerity that would raise the retirement age for men from 60 to 65 by 2028 and for women from 55 to 63 by 2034.

Dave Bittner: [00:03:39] Apple continues to eject questionable security apps from its store. Over the weekend, it developed that researchers are apparently associating some of those apps with Trend Micro. The story is still developing, and early reports may well be confused. Apple took the questionable apps down after Cupertino was notified of their behavior. Some called the ejection fast. Others say it was still too slow. But all of them say good riddance. Nothing yet on Trend Micro's blog. We stress that this story is still developing.

Dave Bittner: [00:04:13] Group-IB thinks it likely that at least one of the two members of the Silence cybercriminal crew has worked - or may even still work - in the security industry. Where in the industry, they haven't yet said. Their evidence looks mostly circumstantial. Silence has been most active against Russian financial institutions.

Dave Bittner: [00:04:34] British Airways continues to struggle with its large data breach. Observers say that the airline's payment site was loading scripts from at least seven domains other than its own and that it was out of PCI compliance. Some think the incident involves third-party compromise similar to the one that hit Ticketmaster in the U.K. The airline itself may be facing a heavy 500 million pound fine and a customer boycott. British Airways is in the process of notifying affected customers.

Dave Bittner: [00:05:06] We've been tracking ongoing revelations of potential vulnerabilities baked into the hardware of the CPUs we use, the result of speculative processing routines, issues that researchers have named Spectre, Meltdown and, recently, Foreshadow. Yehuda Lindell is co-founder and chief scientist at Unbound Tech, and he's also a professor at Bar-Ilan University in Israel. And he joins us with these insights.

Yehuda Lindell: [00:05:32] Moore's law stopped working for us a number of years ago. We had some - we had many, many years of growth where, every year and a half or so, the speed of processors doubled. At some point, due to physical limitations, that stopped. And chip manufacturers had to look for alternative, novel ways to get speed improvements. Intel, one of the most innovative, excelled very much at this type of work. What we ended up getting is a very, very complex chip that no one truly understands. And it uses many sophisticated techniques to get performance speedups but also at the expense of exposing vulnerabilities that, to be fair to Intel, no one was aware of until recently. But that's the current situation that we have.

Dave Bittner: [00:06:21] Now, when you say we have these complex chips that no one really understands, can you dig into that a little bit? What do you mean there?

Yehuda Lindell: [00:06:27] So there are a lot of different techniques that are used - out-of-order execution and speculative execution - in the way that caches work, in the way these different things interact. So you'll have experts on a microcode level, and they'll understand very much what the chip is offering. But that doesn't necessarily mean that people running the operating systems have a full understanding of exactly what's going on. And even when they do, the different interactions between these different parts of the chip cause a problem or - I call it a lack of isolation.

Yehuda Lindell: [00:07:01] What we typically think of when we run a piece of software is that it's running in isolation from other pieces of software, from other code running on the chip. And that's what operating systems are aimed to do. The problem is that it's not the operating system that is breaking the isolation - which was the case until, you know, a few years ago - it's the actual hardware itself. That complexity - the complexity of the way the chip gets its additional performance and the interaction between the different pieces of code and the hardware and the microcode all together causes this result in this very, very complex infrastructure and ecosystem that we don't really understand.

Dave Bittner: [00:07:38] And these are - as you say, they're sort of unintended consequences. Do you suppose that we'll find future chips are going to give up some of their performance in exchange for better security?

Yehuda Lindell: [00:07:50] That's what I would hope. But that's, you know, my perspective as a security expert and as a cryptographer. There are plenty of other people who - the most important thing to them is performance. But the way I view it is that we should have two modes of operation on a chip. We should have something which gives us very, very high performance. And we should have an isolated unit, an isolated processor that we can use for code that needs to be very secure. And then that way, we could sort of balance these two with different demands.

Yehuda Lindell: [00:08:20] If I'm, you know, playing a game - if I'm a gamer, I don't really care so much about security on my chip. I really want just the best performance. But in many other cases - for enterprise use, we very much need security. And without isolation, I don't think it's going to happen. What we're seeing now is sort of like, you know, putting a Band-Aid on every single little vulnerability. But we have enough of those vulnerabilities to understand that those Band-Aids are not the solution.

Yehuda Lindell: [00:08:44] My recommendation is, of course, always patch and patch immediately because as soon as a vulnerability is released, the attackers learn it and exploit it. So - but that, again, is just the Band-Aid. But you have to put the Band-Aid on. You have to stop immediate bleeding. The longer-term recommendation for end users who don't have control over the way Intel built - and other chip manufacturers build - their chips is to not rely on these trusted execution environments. I don't think we can rely on them for high-security applications.

Dave Bittner: [00:09:17] That's Yehuda Lindell. He's co-founder and chief scientist at Unbound Tech. He's also a professor at Bar-Ilan University in Israel.

Dave Bittner: [00:09:28] There's a fair bit of coverage that emerged over the weekend of the notion of a cybersecurity moonshot, it's thought, the U.S. administration is preparing to announce. Much of that coverage is sourced in part to remarks delivered at last Thursday's Billington CyberSecurity Summit during a fireside chat on the topic. We heard that chat, but we heard it a bit differently from the way in which some others understood it.

Dave Bittner: [00:09:53] A moonshot is a bold project that sets a challenging goal and a challenging timeline for achieving it. A moonshot is an effort to solve a big, difficult and well-defined engineering problem. Remember, the original moonshot was the U.S. space program of the 1960s that moved from Project Mercury through Project Gemini and into final success with Project Apollo. A number of people seemed to think that we're about to see something like this for cyber, a race in cyberspace similar to the race we saw in outer space half a century ago. That's not likely, and the administration officials who last week talked about and answered questions about a coming moonshot understood this very clearly.

Dave Bittner: [00:10:37] To call for a moonshot is, fundamentally, to issue a call to action. And it may be useful as an inspiration, but programmatically, it's not like President Kennedy's space program at all. As DHS Assistant Secretary Jeanette Manfra and U.S. federal CISO Grant Schneider pointed out, there's no single destination, and there's no clear endpoint. What they hope to accomplish, should people be energized by a call of action, is a set of cultural shifts.

Dave Bittner: [00:11:06] These include, but wouldn't be limited to, reinforcing the current awareness of security as important - that's emerging now outside the security industry itself - inculcating in customers an attention to and a demand for better security in the products they buy, educating young people in good digital citizenship and pushing the internet as a whole to better defaults in a Freakonomics kind of way. As Manfra put it, it would be a gain if security became something you had to opt out of as opposed to it ever being the other way around. So a cyber moonshot, should we hear a call for one, is much more likely to resemble a public health campaign than it is something out of NASA.

Dave Bittner: [00:11:48] Finally, remember the Apophis Squad, the skids who hacked ProtonMail and boasted that they'd be forever anonymous and that the feds can't touch us? They've apparently been touched - although, in fairness to Apophis, it wasn't the feds but rather the feds' cousins in Her Majesty's service. George Duke-Cohan, who last week pled guilty to distributing empty and idle but nonetheless frightening bomb threats to schools, is also, according to ProtonMail, a prominent member of the Apophis Squad, where he used a number of noms du hack, including DoubleParallax. He'll be sentenced on September 21. Mr. Duke-Cohan is expected to be detained at Her Majesty's pleasure for at least a year. Touché, George.

Dave Bittner: [00:12:54] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security, thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:13:40] And joining me once again is Zulfikar Ramzan. He is the chief technology officer at RSA. They are a Dell Technologies business. Zully, welcome back. You know, we - how do I say this? The blockchain, it's become almost a bit of a punchline lately with so many businesses trying to cash in on, you know, sort of the flavor of the month. I really wanted to check in with you and see, where do you think we stand with this? Where are we?

Zulfikar Ramzan: [00:14:04] So I think you're absolutely spot on. There's this element of blockchain that has now gotten this pixie dust-like quality, where it seems to be an elixir for any kind of problem you can imagine, from saving the whales to establishing world peace...

Dave Bittner: [00:14:14] (Laughter).

Zulfikar Ramzan: [00:14:15] ...To achieving immortality. But the reality is, obviously, not quite there where the hype is. I think what people are fundamentally missing is that the important question is not whether you can use blockchain to solve a particular problem but whether you should use blockchain to solve a particular problem. Look. The reality is I can buy a sledgehammer to push in a thumbtack. I can also just use my thumb. And I think the thumb is a much better solution to that same problem.

Dave Bittner: [00:14:37] So how do we get past the hype to know if an application actually makes sense?

Zulfikar Ramzan: [00:14:43] Well, I think you have to start asking yourself some more fundamental questions before you even think about using a blockchain. The first question is, should you use a blockchain? And really, there are five questions that I have in mind that I think can quickly help you make that determination.

Zulfikar Ramzan: [00:14:55] The first question is, are you trying to store any kind of state consistently? The second question is, do you have multiple peers who may be contributing to that system? A third question is, are you trying to eliminate trust in terms of a trusted third party or an intermediary? And the fourth question is, are you working with digital assets versus, let's say, physical assets in terms of what you're trying to track? And then finally, are you willing to sacrifice performance, in other words, transaction times?

Zulfikar Ramzan: [00:15:21] And if the answer to any of those above questions is no, you should absolutely not use a blockchain. There are better approaches for solving some of those same problems - like, for example, databases, which have been around for a long time and are really well-understood. But oftentimes, I find that many problems people are using blockchain to tackle end up being much more easily and much more readily solvable using database-type technologies or more basic prior art that's existed for a long time in the space.

Dave Bittner: [00:15:45] Now, on the flip side of that, I mean, what do you see as some of the ideal uses for the blockchain?

Zulfikar Ramzan: [00:15:50] So I think the main use case for blockchain is in cryptocurrencies and cryptocurrency-type applications. If you think about it for a moment, those are the areas where a blockchain really acquired its first level of prominence. And the reason for that is that blockchain, fundamentally, is about trying to achieve a handful of properties. You know, blockchains are exciting because they provide a degree of decentralization. They provide a quality called immutability where, once you put something in, you can't change what's happening easily. They enable you to have public access, where anybody can potentially verify or validate what's happening with respect to a certain set of items.

Zulfikar Ramzan: [00:16:24] And if you translate that back into the original problem space for which blockchain was invented, namely bitcoin and other types of cryptocurrencies, there are key properties you want in cryptocurrencies that blockchain helps you to address. Like, for example, in a cryptocurrency, you might want to eliminate a single root of trust. You may not want to trust any one bank or one entity. So decentralization is very helpful.

Zulfikar Ramzan: [00:16:44] For cryptographic currencies, you want to avoid what's called double spending. So with any type of digital currency, there's a real risk that if you were to spend that digital currency, somebody could take those same bits and bytes, copy them and try to re-spend that same currency. And so you need some mechanism for public access or verifiability. You need some mechanism for ensuring that once a transaction is in, you can always check that a transaction occurred as part of validating other transactions as well.

Zulfikar Ramzan: [00:17:09] And so I think, when we take a step back, all the types of properties around cryptocurrencies and applications that are very closely aligned to cryptographic currencies tend to make better use cases for blockchain. But many of these other applications that people talk about are probably not the right ones or, at least, there may be better ways to solve those problems if you take a step back and think about your requirements more fundamentally.

Dave Bittner: [00:17:31] All right. Zulfikar Ramzan, thanks for joining us.

Zulfikar Ramzan: [00:17:33] A pleasure as always.

Dave Bittner: [00:17:37] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:17:46] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:18:04] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:12] We hope you'll check out the CyberWire's "Hacking Humans" podcast where, each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute.

Dave Bittner: [00:18:31] Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:19:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.