The CyberWire Daily Podcast 10.26.18
Ep 713 | 10.26.18

Airline breach bigger than thought. Securing Mexican financial institutions. Demonbot vs. Hadoop. New decryptor out for GandCrab ransomware. Civilian Cybersecurity Corps?

Transcript

Peter Kilpe: [00:00:04] British Airways' breach got bigger. Mexico's financial institutions say they've contained anomalies in interbank transfer systems. Demonbot is infesting poorly secured Hadoop servers. Google receives criticism for slow action against ad fraud. Bitdefender and Romanian police produce a decryptor for GandCrab ransomware. Discussions of a Civilian Cybersecurity Corps - are white hats the radio hams of the 21st century?

Dave Bittner: [00:00:39] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.

Peter Kilpe: [00:01:37] Major funding for the CyberWire is provided by Cylance. From the CyberWire studios at DataTribe with your CyberWire summary for Friday, October 26, 2018, I'm Peter Kilpe, executive editor, sitting in for Dave Bittner, who's probably wishing about now his vacation was just a little longer. He'll be back in your earbuds on Monday.

Peter Kilpe: [00:01:56] The British Airways breach seems to have gotten a little bigger. The airline disclosed that 185,000 additional customers were also affected and that credit card information was among the data exposed.

Peter Kilpe: [00:02:07] Insurer AXA said yesterday that its customers' information and resources were unaffected by the cyberattack it discovered on October 22. AXA noticed anomalies in its transactions carried by the Interbank Payment System, SPEI, and notified Mexico's central bank, which placed the country's financial sector on heightened alert.

Peter Kilpe: [00:02:25] NewSky Security and Radware are warning of a botnet that's been quietly establishing itself in poorly secured Apache Hadoop servers. The intention appears to be to use the compromised servers for distributed denial of service attacks. Radware calls the infestation Demonbot. It was first noticed in NewSky honeypots late this summer. Researchers for now think that the botnet is the work of skids, but it's yet another annoyance to deal with.

Peter Kilpe: [00:02:48] In the U.S., Senator Warner, Democrat of Virginia, has asked the Federal Trade Commission to look into what he characterizes as Google's inaction against ad fraud. His letter was prompted by a report in BuzzFeed that Google had been sitting on its hands with respect to ad fraud for some time. The article also prompted Google to move against the particular kind of ad fraud BuzzFeed had described. Google hadn't been as utterly inattentive as one might conclude from the senator's letter.

Peter Kilpe: [00:03:14] Mountain View had, as SecurityWeek points out, previously blocked websites from its ad network when they violated Google's policies. What's new is that Google has now moved against applications involved in the fraud. The action seems late to Senator Warner. His letter decries, quote, "inattention to misconduct within the app store," unquote. He also complains that Google did not see fit to conduct a more thorough investigation of ad fraud when researchers brought the matter to its attention in June. The senator calls it quote, "willful blindness."

Peter Kilpe: [00:03:46] After the break, we'll hear Dave's recent conversation with Daniel Prince from Lancaster University, who shares his thoughts on quantum hardware primitives.

Dave Bittner: [00:03:57] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security – thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:04:52] And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to talk about quantum hardware security primitives today. And I have to admit you sent that topic over. I'm intrigued. What are we going to cover today?

Daniel Prince: [00:05:09] So this is based on some work that I'm doing with a spin-out company from Lancaster University called Quantum Base and some of the work that some of our physicists are doing over at our physics department. Instead of trying to buy off the whole quantum problem, building a quantum computer or doing complete quantum key distribution, we approached that - what we started to adopt here is to actually think about how we use quantum effects to really provide some of the primitive functions within traditional cryptographic solutions.

Daniel Prince: [00:05:42] And so some of the things that we're looking at here are things like random number generation and unique identifiers - which, because of their quantum and their physical properties, means that they are impossible to replicate or clone, but because they're operating on a very small scale, enables us to embed quantum-like effects into our standard integrated circuits. The beauty of that mean - is that what we can do now is start to increase the security capabilities of some of the standard cryptographic processes that we have.

Daniel Prince: [00:06:18] So if you take, for example, the quantum random number generator, instead of using a pseudorandom number generator in terms of cryptographic processes, we now have our source of true random number generation. Now, some of these elements have been around for a very long time. So we've had quantum random number generation, particularly using optical processors. But they require a lot of technology and are often quite large. A number of the systems that are currently available are a full line card or a full card for a PC, and some of them are even dedicated pieces of equipment. What we're trying to do is get them down to very, very small scales so they can be - these capabilities can be embedded into chip size.

Daniel Prince: [00:06:59] What's interesting is when you start to move to have quantum elements within standard cryptography, you improve the overall quality of the cryptographic approaches that we have. And that improves the security for everybody without having to have the wholesale leap to, you know, a complete quantum computer or complete quantum key distribution. And so it's that intermediate step before we go straight into having quantum cryptographic solutions for everybody.

Dave Bittner: [00:07:28] Daniel Prince, thanks for joining us.

Peter Kilpe: [00:07:33] GandCrab ransomware has been making a pest of itself for some time. But now, thanks to some cooperation between Bitdefender and the Romanian police, the No More Ransom Project has released an improved free decryption tool for this malware strain. It's an update to the earlier decryptor. This edition works against GandCrab version 1 with the GDCB extension, version 4 with the CRAB extension and version 5 with its random 10-character extension, the latest model of GandCrab on the street. They're still working on a decryptor that will unlock data affected by GandCrab versions 2 and 3. But we agree with Europol that this is nice work, so bravo, Bitdefender and their colleagues in the Romanian police.

Peter Kilpe: [00:08:14] That sort of cooperation makes one think of some other ways in which private persons and businesses can contribute to such matters of public good. We note that many - probably most - do so already, and Bitdefender's release of the decryptor is by no means unusual in the industry. But some are considering ways in which this kind of action can be taken further. The New America Foundation, for example, has published a study calling for the formation of a Civilian Cyber Corps. The volunteer body would, the study says, help redress shortfalls of cybersecurity labor.

Peter Kilpe: [00:08:44] It's to the authors' credit that they don't simply do some lazy handwaving in the general direction of the National Guard. As they put it, quote, "the organization would be modeled after a blend of cybersecurity organizations in other nations and proven models in other domains of security and safety inside the United States, specifically the Civil Air Patrol, Coast Guard Auxiliary or Volunteer Firefighters. The goal would be to better involve and mobilize the wider community in tackling core needs that are unlikely to be met through existing structures," unquote. It would function as an auxiliary of the Department of Homeland Security. And the organization would work mainly in three areas - one, education and outreach, two, testing, assessments and exercise, and three, on-call expertise and emergency response.

Peter Kilpe: [00:09:30] We stress, of course, that this is one think tank's proposal, not an existing or planned government program. But it's worth considering since we hear similar ideas floated in various conferences and policy symposia. We might suggest a few thoughts of our own on the matter. First, it's good to see the study's authors focusing on specific areas as opposed to offering the sweeping rhapsodies about whole-of-nation engagement one so often hears.

Peter Kilpe: [00:09:53] Second, it's worth noting that there's a regular market for all the kinds of services the authors list. There isn't a comparable market for search and rescue or firefighting, and it would not be a trivial matter to structure a volunteer corps in ways that don't compete with or displace that market. The study does point out sensibly that bug bounty programs amount in part to a mobilization of hobbyists. They don't overstate this. It's clear that the participation in bug bounties is also a kind of job, either in the gig economy or even for some businesses. But there are enough white hats who do this as a side hustle to make the point worth considering. Bug bounties do pay successful hunters.

Peter Kilpe: [00:10:31] Regular trade does provide essential services. Food, for example, is sold by groceries and supermarkets, and it's an important and legitimate business. There are community food banks that seek to provide for those who can't for one reason or another participate in that market. Could a Civilian Cybersecurity Corps take some lessons from food banks? Or would its activities map narrowly to what Washington calls inherent government responsibilities - that is, the kinds of things you don't leave to the market, like the Army's ground combat functions or the courts' role in trying criminals?

Peter Kilpe: [00:11:03] Third, they suggest education and inspections as possible activities for their proposed corps. The model here would be the Coast Guard Auxiliary with its safety inspections and boating safety classes. They'll help you see that you've got a problem with your boat, but they're not going to fix it. That's a job for the boat yard. And the training they offer is solid but at the enthusiast level. They have no intention of putting the maritime academies out of business. Fourth, it's with respect to the kinds of emergency response that the study seems on its strongest ground. The study's authors take the Civil Air Patrol as the principal model here, although volunteer fire departments and the Coast Guard Auxiliary offer some analogies as well.

Peter Kilpe: [00:11:40] We'd like to offer in our own volunteer spirit a possibly instructive analogy we haven't encountered elsewhere - ham radio. Amateur radio has long had a good reputation for providing emergency communications into areas hard-hit by natural disasters. This is less true today than it was in the glory days of ham radio, the '50s and '60s, largely because of improved resilience in telecommunications and emergency service networks. But there may be lessons there as well. The American Ham Radio Relay League would be the place to start. You can find them at arrl.org. They've been around for a little over a hundred years, and the cyber sector may be able to learn a thing or two from them about volunteering in the public spirit.

Peter Kilpe: [00:12:20] Britney Hommertzheim is the director of information security at AMC Theatres. When we come back, we'll have her conversation with Dave on building partnerships within your organization to strengthen security's role.

Dave Bittner: [00:12:35] And now a message from our sponsors SecureStrux. Cyberattacks, intellectual property theft, ransomware - these are just some of the cybersecurity events that have become commonplace in the news and in our lives. Protect your data. Protect your company. Don't lose sales. In 2018, a study from Cisco indicated over 65 percent of companies' sales are delayed by at least one to two years simply because their customers don't feel satisfied with the company's existing focus on privacy. Seventy-four percent of privacy-immature companies in that study saw losses of over $500,000 while privacy-mature companies had losses half that number. At SecureStrux, their seasoned cybersecurity professionals can assess your current cybersecurity practices, create simple processes and procedures for complex solutions and fix vulnerabilities to protect your data. Visit SecureStrux to learn how they can help. That's S-E-C-U-R-E-S-T-R-U-X, a one-stop shop for all your cybersecurity needs. And we thank SecureStrux for sponsoring our show.

Dave Bittner: [00:13:50] My guest today is Britney Hommertzheim. She's director of information security at AMC Theatres, the largest movie theater chain in the world with over 10,000 screens in nearly a thousand theaters worldwide. She's responsible for the development and implementation of AMC's global security strategy. She oversees all security personnel and ensures security concerns are addressed at the executive level.

Britney Hommertzheim: [00:14:15] So when you think of a theater, you don't really think about all the different interactions and different types of networks that you have as well as the data that you have to protect. So if you think of a store, a theater is similar to that. So we have transactions and merchandise that happen. We have third parties that are actually streaming the feeds to the actual cinema. And then a big chunk of our focus goes on our loyalty program. So anyone that signs up using one of our loyalty programs, we have a duty to them to protect their data that they provide us as well.

Dave Bittner: [00:14:51] And so how do you protect each of those systems individually? And is there - I mean, is there crosstalk between them? What's your approach to that?

Britney Hommertzheim: [00:14:59] All of our environments are fairly well segmented. Some of those are proprietary feeds. So like IMAX, those types of things we generally keep separate. Of course our PCI environment we keep separate. Our corporate network is a little bit different than what hits our website. So everything kind of - we try to segment it as much as possible.

Dave Bittner: [00:15:22] So today one of the things we want to touch on is this notion of educating your board and getting your security projects funded. So what is your approach to this? What is the interaction you have with your board?

Britney Hommertzheim: [00:15:34] I generally talk to them - we have our board meetings every quarter. So it is my responsibility to kind of give them the threat landscape at what we're looking at, some of the projects that we have going on and where to take it next.

Dave Bittner: [00:15:48] And has the board been open to your message?

Britney Hommertzheim: [00:15:51] So when I originally started here - and I think this is a good place for everyone to start - generally boards and executives only come into contact with security via media feeds. So anything that they see on TV or they hear about on the radio, they're generally interested in that. Security is relatively new. So being able to change that into a business approach and explain those things in a way that they understand can be very difficult. But you have to know that you're going to be asked about those things. So you have to be prepared and be able to relate that to your business.

Dave Bittner: [00:16:29] Now, in terms of getting things funded, what's your approach there?

Britney Hommertzheim: [00:16:33] So first you need to understand your executives. So what motivates them? Is it just fear, not being that headline company? Is it more compliance related, so maybe audit findings or the penalties that come along with those? Are they more interested in reputational, brand damage that may hurt their stock prices? Are they looking to get some financial gain out of having these security capabilities?

Britney Hommertzheim: [00:16:59] So first, you need to understand what your executive team wants, what motivates them to invest in security. A lot of times you'll be asked to compare to other industries. So this is kind of something that you want to be cautious about. So whenever you're talking about your industry vertical and they start looking at these other companies, you have to start thinking about, what is the size of the company that you're comparing yourself to? Are they the like industry? Are they feeding and protecting the same type of data? And then most importantly, is their program successful?

Britney Hommertzheim: [00:17:37] A lot of times we see all these metrics and these dollars behind businesses of this industry, of this size that are spending X percent of their IT budget or X percent of their annual budget on security. But how effective is that? So you have to be a little bit cautious when you start comparing companies and like verticals.

Dave Bittner: [00:17:58] Yeah, that's some really interesting insight. How do you handle pushback from the board?

Britney Hommertzheim: [00:18:02] It depends. I don't, I guess, is the answer.

(LAUGHTER)

Britney Hommertzheim: [00:18:07] I really take the approach that my job is to educate the board. So if I can effectively communicate the risk, I have to be OK with them taking the business approach and saying, that's not in the cards for this year or there's another project that's going to need to be funded over this and them accepting that risk. So I don't necessarily push back. But if I fail to educate my board so they can make educated decisions, that's certainly on me. I guess my first step in this strategy is starting to create a security committee. And the security committee is comprised of various business leaders. So you want to have anyone from marketing, HR, certainly IT, but a representative from each part of your business be a part of this security committee. And you need to understand what's important to them.

Britney Hommertzheim: [00:19:03] So how is the business making money, first of all? And those are the first things that you need to think about defending. But before you can start to put those processes in place, you should start creating these partnerships, understanding your executives, understanding your board members. Sometimes this means lunches or coffees or walking and knocking on someone's door.

Britney Hommertzheim: [00:19:26] It takes a lot of time to do this. But what you gain in this - you start to understand your business partners' objectives. So if I'm talking with HR, I need to understand why they need to click on that attachment, right? It's probably a resume that - their job is to open up the resume. And you have to think about how your security projects are going to start to impact and affect the way that they do their day-to-day business. Is this going to be something that's going to help them? Is this going to be something that hinders them? Because if it's going to be something that hinders them, they're probably going to figure out a way to work around it.

Britney Hommertzheim: [00:20:01] I like to think that everybody really wants to do their job. And maybe that's me putting on my rainbow glasses, but (laughter) I feel like people want to do a good job. And so they're going to figure out a way to make the business more effective, make their department more effective and streamline processes. So you have to figure out a way that you can integrate your security projects that actually improves their job functions.

Britney Hommertzheim: [00:20:25] So one of the things that I like to do is - when I sit down and I'm creating these partnerships is ask them, if there was one thing that would make your job easier, what would that be? Sometimes you get information sharing. Sometimes it's being able to have this type of tool. Well, that's good for me to know because then I can go back, and I may see a bunch of people across the business. Security is kind of unique in that it crosses multiple departments. So you can start seeing consistencies in the actual business and provide a tool that may actually help the business.

Britney Hommertzheim: [00:21:01] And once you're able to do that, you create that partnership, then you start generating these business champions. And so these are the people that you've actually helped along the way. These are the people that are going to start feeding your security message for you. And once you start to get these people on your security committee, these business leaders that you've made changes and improvements in their department, you start to really get the ball rolling, right? People are starting to buy into this idea of security, that it's no longer a hindrance. This is a security department, a security team that can really provide some value to the company.

Dave Bittner: [00:21:41] That's Britney Hommertzheim from AMC Theatres.

Peter Kilpe: [00:21:48] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Peter Kilpe: [00:21:55] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Peter Kilpe: [00:22:11] Thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Peter Kilpe: [00:22:18] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, and I'm Peter Kilpe sitting in for Dave Bittner. He'll be back next week. Thanks for listening.