The CyberWire Daily Podcast 11.9.18
Ep 723 | 11.9.18

Critical infrastructure resiliency. Lazarus Group’s FASTcash robberies. China’s ongoing industrial espionage. Trolls aside, Russian observers think the US elections were A-OK.

Transcript

David Bittner: [00:00:03:24] Britain’s NCSC warns again that the UK is likely to face a Category One cyberattack within the next few years. In the US, government-industry-academic partnerships work toward making critical infrastructure more resilient to cyberattack. Pyongyang’s Lazarus Group continues to rob ATMs using malware. US officials complain that China is in violation of 2015’s agreement to avoid industrial espionage. Bruce Schneier joins us to discuss his latest book, "Click here to kill everybody." And Russian observers give the US a passing grade for fair midterm elections.

David Bittner: [00:00:46:14] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest white paper titled Threat intelligence platforms, open source versus commercial.

David Bittner: [00:01:32:02] As a member of a maturing security team, evaluating Threat Intelligence Platforms or TIP, you may be asking yourself whether you should use an open source solution like a Malware Information Sharing Platform or MISP or buy a TIP from one of the many vendors offering solutions. In this white paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

David Bittner: [00:02:17:04] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 9th, 2018.

David Bittner: [00:02:29:03] National Cyber Security Center deputy director Peter Yapp warned again that Britain hadn’t yet experienced a devastating Category One cyberattack, but that such an attack is likely. The NCSC has been sounding this alarm for the better part of a year and one hopes they’re being taken seriously. The threat they see comes from hostile nation states, especially Russia.

David Bittner: [00:02:52:18] To put this in perspective, WannaCry, which had wide-ranging economic consequences, ranked only as a Category Two cyberattack. A Category One attack, in the UK’s system would be a national emergency. It’s defined as, a cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life. Warnings began late in 2017, and they continue today.

David Bittner: [00:03:26:11] In the US, the Department of Homeland Security and the National Institutes of Standards and Technology, NIST, are working with private industry on a wide range of industrial control system and IoT security measures to prevent or mitigate such an attack on their side of the Atlantic. DHS is continuing the progress it made toward securing election infrastructure and it’s also working on increasing opportunities for critical infrastructure operators to receive education and training that will help them keep their operations safer and more resilient.

David Bittner: [00:03:59:07] NIST has a new proposed set of standards out in the form of NISTIR 8219 Capabilities Assessment for Securing Manufacturing Industrial Control Systems and they’re taking comments through the 6th of December. The industry partners in this effort to develop an anomaly detection and prevention capability include CyberX, OSIsoft, Securenok and Security Matters.

David Bittner: [00:04:25:04] DARPA also conducted some power grid restoration exercises this week at the decommissioned animal disease research station that occupies Plum Island, New York, an isolated island in Long Island Sound. More reports on the exercise are expected in the coming days.

David Bittner: [00:04:42:10] The Lazarus Group continues its efforts to redress Pyongyang’s financial shortfalls through theft. They’ve been making recent use of a Trojan known to researchers as FASTCash. Researchers at security firm Symantec have dissected and described FASTcash, which has been employed in ongoing campaigns to loot ATMs.

David Bittner: [00:05:04:13] NSA cyber strategist Rob Joyce described at Aspen Institute meetings how China has circumvented an agreement negotiated in 2015 that would have precluded industrial espionage in cyberspace. Joyce said that China has been in violation of the accord for the last two years at least. His statement is taken as a sign of growing frustration within the US Government over continuing Chinese cyber operations conducted for economic gain, mostly through the theft of intellectual property.

David Bittner: [00:05:36:03] With all this, Microsoft has renewed its pleas for an international accord that would bring formal norms to cyberspace. It’s circulating an online petition for "Digital Peace" that’s brief, well-intentioned, earnest and frankly a little utopian. The petition decries the "weaponization of our shared online community." One certainly hopes for peace of course, analogue as well as digital, but the record of state conflict in the other four domains of potential conflict, land, sea, air, and space, moves one, reluctantly, to pessimism.

David Bittner: [00:06:11:07] The Internet Research Agency, aka Fancy Bear’s St. Petersburg troll farm, seems to have conducted an odd ask me anything Reddit with itself. The Daily Beast noticed that the IRA used questions the Beast posed in response to an invitation to ask them stuff to develop an illustrated audio interrogation suffused with hipster irony. They never replied to the Beast but just posted their own AMAs to an obscure corner of Reddit, asked and answered them all by themselves, while yucking it up about not being able to buy ads with rubles any more. It’s like the old letters from the editors the National Lampoon used to run.

David Bittner: [00:06:52:11] A study by behavioral scientists at MIT says, basically, that people fall for fake news because they’re careless and want to believe. As WIRED puts it in their coverage of the research, "if you don’t want to fall for fake news, don’t be lazy." The researchers are convinced that laziness and inattention are more important than bias and ideological prejudice in causing people to swallow phony stories.

David Bittner: [00:07:18:07] And finally, TASS is authorized to disclose that Russian election observers reported to the Organization for Security and Co-operation in Europe, that they found no irregularities in the US midterms. So, sleep easy, America. The Russian election observers, both of them, looked into exactly two polling places in DC and seven in Maryland and they solemnly concluded everything seemed on the up and up. But watch your steps, Yankees, the Duma certainly will if you don’t.

David Bittner: [00:07:48:08] We'd like to say, thanks, guys, but you seriously need to up your game. Nine locations are nothing. That number wouldn't cover even one congressional district. And if Russian observers were in the presence of election fraud, how would they even know it in the first place?

David Bittner: [00:08:09:05] And now, a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

David Bittner: [00:09:09:18] And joining me once again is Professor Awais Rashid, he's a Professor of Cyber Security at the University of Bristol. Welcome back. We wanted to talk about some blockchain issues, particularly establishing trust when you're using blockchain based systems. What can you share with us today?

Professor Awais Rashid: [00:09:26:12] Blockchain is seen as the silver bullet increasingly for everything and it's not uncommon for us to hear discussions about how blockchain will revolutionize everything from banking security and then to other things from press to government, with a presumption that the transparency of the ledger will promote trust in the industry. That's true to a large extent because the underlying cryptographic protocols actually do provide computational notions of trust. However, it's not to say that the most human aspects of trust are not to be considered because ultimately, it's people and organizations that engage in transactions using these blockchain technologies.

David Bittner: [00:10:12:14] What's the intersection between those two things, the tech and the human side?

Professor Awais Rashid: [00:10:18:13] There are multiple aspects of trust in this case and the key thing is that the underlying cryptographic assurance it provides says that a transaction that takes place is logged and is visible for everyone to see, but that does not necessarily provide trust with regards to exchange of goods in the first instance, which still requires other aspects of trust. That's what we see in systems like Bitcoin, where we have escrow systems and those kinds of things and they all indicate that trust is more than just the underlying blockchain, but requires other institutional entities. There are other aspects of trust, for example, we take it for granted that if a blockchain is implemented, then it is implemented correctly and there is immediate trust in the people, the software engineers who are developing and maintaining the blockchain.

Professor Awais Rashid: [00:11:11:03] Of course, trust can also be dependent on our sentiment towards the system. And again, we see this in cryptocurrency such as Bitcoin because when you hear negative stories like exchanges falling down, then that has an impact on how people behave in terms of their transactions and, for example, trying to get rid of Bitcoin or trying to buy Bitcoin, depending on whether they're positive or negative stories. So, it's not unreasonable to assume that we will see similar things when it comes to, for example, doing energy training or other kind of publications using blockchain.

David Bittner: [00:11:49:12] Is it fair to say that blockchain has a bit of a PR problem right now? It's become a punchline in the industry sometimes.

Professor Awais Rashid: [00:11:58:17] Yes. All technologies go through this hype cycle, the Gartner Hype Cycle. In the beginning, there is great hype, then there is that drop, almost a disillusionment and then there is further progress. I think blockchain does have a lot of value to bring to a number of applications, but the key that we need to think about is that no system is successful simply because it is computationally sound in terms of the security guarantees that it can provide. It's ultimately people and organizations and the structures around it which lead to adoption in the first instance. And again, we are seeing that with regards to things like the cryptocurrencies that use blockchain and I think as other applications develop, we can learn from those experiences and understand what kind of structures do we need to create around blockchain based systems that will engender trust within people to actually engage with them.

David Bittner: [00:12:56:08] Professor Awais Rashid, thanks for joining us.

David Bittner: [00:13:03:00] And now, a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated online comprehensive view of all the day's tech news. And now, they also produce a daily podcast, Techmeme's Ride Home. If you like The CyberWire and you're looking for even more technology news, Techmeme's Ride Home is the podcast for you. We're fans and we think you'll like it too. It's 15 to 20 minutes long and it's hosted by veteran podcaster, Brian McCullough. You may know Brian from the Internet History podcast. The Ride Home distills Techmeme's content into, well, the kind of stuff you'd like to listen to on the ride home: headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5pm, great for afternoon drive time in the US.

David Bittner: [00:13:51:21] Be sure to search your favorite podcast app for Ride Home and subscribe today. That's Techmeme's Ride Home, and we thank Techmeme's Ride Home podcast for sponsoring our show.

David Bittner: [00:14:08:24] My guest today is Bruce Schneier. He's a well-known security technologist and author of a dozen books. His latest is titled, "Click here to kill Everybody. Security and survival in a hyper connected world."

Bruce Schneier: [00:14:22:01] It is a provocative title. It is my first clickbait title. It's really not what I'm used to writing, I'm generally the anti-fear kind of person. But remember, the goal of a title is only to get someone to read the subtitle. You need something provocative to have people look and the subtitle is more what the book is about, security and survival in a hyper connected world. I think it's a great title. It talks about something that is unique to computers and computer threats and that's this notion of a class break, that all copies of Microsoft Windows or the website software or in the future, a car or a medical device, can be hacked at once in a way that is impossible in the real world things.

David Bittner: [00:15:10:16] Let's dig into this, you start in the introduction of the book with this notion that everything is becoming a computer. What are you getting at there?

Bruce Schneier: [00:15:17:24] The idea that computerization is affecting things. Old computers are screens we stare at and our metaphors really reflected that. We go online. The very physical, we upload, we download, we enter a chat room. Computers are something we went to and interacted with. Our phones and laptops. What's changing is computers are becoming embedded in our environment, our cars, our appliances, medical devices, large things like power plants, toys. It used to be that these devices had some kind of computerization. My toaster has to have had chips and computing for a long time. But now they are really general purpose computers with peripherals attached to them. So a refrigerator is a computer that keeps things cold and a microwave oven is a computer that makes things hot. An ATM machine is a computer with money inside and a car is a computer with four wheels and an engine.

Bruce Schneier: [00:16:25:06] There's this reconceptualization going on where the computer becomes the core and everything else is the peripheral attached to the computer.

David Bittner: [00:16:34:05] Your book is organized into two main sections. Part one is trends, part two is solutions. In the trends section, you have a chapter called, "Everyone favors insecurity." What's your notion there?

Bruce Schneier: [00:16:47:23] Surveillance capitalism is the business model of the Internet. The way companies make money on the Internet, they spy on us and they use information against us generally for advertising, that's the business model, that's the core business model of the Internet. As these computers go into physical devices, devices that do stuff, we're seeing a different model emerge and that's a model of control. This is a model where the company that sells you the thing, controls how you use it. For example, a Kindle. You own the Kindle but Amazon can reach into your Kindle and remove a book if they want. They can decide whether a particular book you're allowed to do text to speech. They could if they want, decide if the Kindle works in different geographical areas or maybe for different books, you can expand or contract the text different amounts. They have an amount of control.

Bruce Schneier: [00:17:48:06] And we're seeing this with John Deere and the tractors they sell to farmers. We're seeing this with high end espresso machines sold into restaurants. This notion of control allows a company to extract a lot more money from their customers by separately charging for different features and access and repairs, so the entire life-cycle. Both of these business models, the surveillance and control, rely on the manufacturer getting into your device after they've sold it to you and that is an insecurity. To do that you must have these devices be insecure. So, we are seeing everything being built with these insecurities. At the same time, governments also want to reach into your devices for law enforcement purposes in the US, for social control in China, and other reasons in-between and there again, that access relies on insecurity. It's very hard to build security into the Internet when all these interests favor insecurity.

David Bittner: [00:19:00:12] How do you see this playing out as we continue down this path, how are these risks going to show up, what effects are they going to have on us?

Bruce Schneier: [00:19:10:20] We don't know. My worry is we're going to see the same kind of computer attacks against all of these new computers. So, ransomware against cars, DDoS attacks against power plants, spam being sent from your refrigerator and some of these we are seeing. The difference really is that these new computers, Internet of things, whatever you want to call it, affect the world in a direct physical manner, that they are no longer about data, they are about life and property. And I worry about real physical risks. I worry about what happens when someone hacks all of the computer door locks in a city and they open or they refuse to open or something happens. We've already seen demonstrations of remote hacking of cars where at speed, a hacker can disable the steering, disable the brakes. It used to be just about data, now it's about life and property.

Bruce Schneier: [00:20:13:02] What I talk about in the book and that sort of echoes the title, that suddenly computers can kill people in a way they couldn't five years ago because they were just about data.

David Bittner: [00:20:23:11] Let's go through some of the possible solutions, that's the second half of the book, how do you suppose we can get a handle on this?

Bruce Schneier: [00:20:30:15] I really see this as a policy issue. The problem is less tech and more policy. Yes, there are tech problems and they're real and they'll require money and engineering to solve, but they are just got to go to the moon hard and not faster than light travel hard. They're things we can do. The real problem I see is that the policies don't favor more security. The current policies in place favor less security. They favor the security we saw with Equifax or Facebook. Underspend on security and weather any storm if bad things happen and just hope you don't get regulated. That's not going to fly when it is actual dangerous things. So, I look at a whole series of solutions. It's never going to be one thing.

Bruce Schneier: [00:21:26:16] I look at regulations and actual government mandating levels of security. Like we saw just recently when California passed an IoT security law. I mean they did a little bit but it's a start. I look at things that different regulatory agencies can do, Federal Trade Commission and others. I look at international agreements, liabilities, ways that we can sort of generally raise the cost of insecurity so companies are more likely to choose security. And then how that would spur innovation in new techniques of security once there is a market for it.

David Bittner: [00:22:10:10] We see companies like Facebook, Twitter and I guess to a lesser extent, Google, saying that they would welcome some sort of regulation, so at least they'd have some certainty there. Do you think they're being sincere in that request?

Bruce Schneier: [00:22:27:23] They're not being sincere, no company wants regulations, it tells them to do things. What's going on is interesting, the states are starting to look at regulation. I mentioned California, also New York and Massachusetts. We're going to start to see states regulate both security and privacy. And these companies don't like that because the states are likely to be effective and there's less lobbying that they can do. What the big companies want now is for the Federal Government to step in, pass very lax regulation that these companies can influence to forestall the states. So, I see it as very self-serving, as a way to avoid regulation while pretending to like it.

Bruce Schneier: [00:23:14:20] Additionally, there's another dynamic, regulation if done badly, favors incumbents. It becomes a barrier to competition. I see larger companies looking at this in two ways: as a barrier to forestall state action; and as, if they can craft it right, a way to forestall competition.

David Bittner: [00:23:41:08] Our thanks to Bruce Schneier for joining us. His latest book is titled, "Click here to kill Everybody, security and survival in a hyper connected world."

David Bittner: [00:23:53:15] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using Artificial Intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

David Bittner: [00:24:13:02] And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

David Bittner: [00:24:31:05] Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.