Dave Bittner: [00:00:03:13] Investigation into the doxing campaign German political leaders suffered continues and the Interior Minister promises a transparent inquiry. Attribution remains unsettled but a lot of people are looking toward Russia. Marriott thinks fewer guests were affected by its Starwood breach than initially feared. Online gamers have been affected by breaches. The Dark Overlord continues to make a pest of itself. And can alt-coin production become less of an energy hog?
Dave Bittner: [00:00:38:13] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east west visibility, real time threat detection from core to cloud and guided investigation work flows. All the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:41:06] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 7th, 2019.
Dave Bittner: [00:01:49:22] Investigation into the doxing campaign against German political figures continues. The magazine Bild reports that Germany's BSI intelligence service asked its US counterparts, in NSA especially, to lean on Twitter to isolate and take down accounts involved in distributing the leaked material. Bloomberg says the BSI argued to NSA that some US citizens were also victims of the incident, thus assistance would be in order. Interior Minister Seehofer has promised transparency in the investigation, with an interim report due out by midweek.
Dave Bittner: [00:02:27:04] Attribution, as one would expect, remains unclear. Speculation centers for now on either a right-wing party that was largely unaffected by the incident or on Russian information operators. Trend Micro has pointed the finger toward Russia's Pawn Storm group and the amount of patient preparation that seems to have gone into the attack is more often seen in intelligence services than partisan operators. As Herr Seehofer has promised, we should know more later this week. It's worth noting again that the material released so far doesn't appear to contain much if anything that's either shocking or particularly discreditable.
Dave Bittner: [00:03:07:02] On Friday Marriott released more results of investigation into its Starwood reservation systems breach. The good news is that fewer customers than feared were affected. The bad news is that the compromised data include a lot of unencrypted passport information. Marriott had initially believed that the number of guests affected was around 500,000,000. The hospitality company now regards 383,000,000 as the upper limit and believes with a fair degree of certainty that the actual number is lower still. But the hackers accessed 5,250,000 unencrypted and more than 20,000,000 encrypted passport numbers. Roughly 8,600,000 encrypted paycards were also exposed in the incident. Marriott doesn't believe the attackers got the master encryption keys.
Dave Bittner: [00:03:57:14] In 2012 a public-private partnership was formed between NIST, industry stakeholders, the state of Maryland and Montgomery county in Maryland to launch the National Cyber Security Center of Excellence, the NCCoE, with the mission to build and publicly share solutions to cyber security problems faced by US businesses. Joining us today are Karen Waltermire and Harry Perper, both cyber security engineers at NIST and the NCCoE.
Karen Waltermire: [00:04:25:22] We are an applied group that takes next generation standards, technologies that you can commercially buy and apply those in the best way possible for the fastest way to adopt secure technologies and we're really looking at this from a business perspective not just a federal government perspective. It's a public-private partnership. So what we do here being so transparent is we, we provide guidance and solutions that could fit all sectors of industry, small, medium and large-sized businesses as well as the Federal government and our partners.
Dave Bittner: [00:05:05:19] What is the, the type of engagement that you get from the private sector? Are-- do they provide financial support? Are you working with them to, to-- hand in hand to solve problems together?
Karen Waltermire: [00:05:15:08] We work hand in hand with industry, executives and thought leaders, also vendors and integrators but it's all considered in kind. There is no membership, there is no fee. Again we're a federal agency and a group within a federal agency so the, the work and the collaboration that we do is on a voluntary basis and it is bound by an agreement that is called a cooperative and research development agreement, CRADA.
Dave Bittner: [00:05:43:06] Now can you give me some examples of some of the types of things that you're working on?
Harry Perper: [00:05:47:09] Through discussions with commercial industry, we've identified a number of projects. I've been working in the finance sector so the three projects that we've identified and worked on so far there address IT asset management, identity and access management and most recently we published a practice guide on privileged account management. We identify those problems or issues to address through conversations with thought leaders and organizations in the commercial space, primarily the critical infrastructure sectors of the economy. So we agree on a reference architecture that's practical for implementation and then we get vendors to volunteer their products and services to help us build a proof of concept of that reference architecture here in our lab, where we have our cyber security engineers along with the vendors work hand in hand to build an operating example of that reference architecture that we test. We do functional testing. Again we are not recommending those products in our practice guides. We state that they worked in the way we used them; they provided the capability that we state in the practice guide.
Harry Perper: [00:06:58:22] Once we build that proof of concept then we know this works. We create the practice guide. And the practice guide includes a description of the reference architecture, the theory of operation of that architecture, a mapping to the cyber security framework to help organizations that use the CSF to organize their cyber security program. We also include documentation of that proof of concept, step by step instructions if somebody wanted to try to recreate what we built in the lab. For the most part I don't expect people to recreate but it does give them a starting point for their own implementation. It gives them an understanding of the kinds of skills that they need and that practice guide is published publicly at nccoe.nist.gov.
Harry Perper: [00:07:49:20] At that point once it's published we advocate in different ways including podcasts, other interviews, speaking engagements around the country to get people to know that these exist and that there are great ideas within them that they can use to help improve the way they do that particular area of cyber security, of which account management happens to be the most recent one that we published.
Harry Perper: [00:08:14:23] Another area of adoption for us is where we interact with vendors and they make changes to their product, generally to either improve the integration and the way their product is compatible with standards, or make it more user friendly or in some cases maybe more secure. So an example of that is our wireless infusion pump project that we did for the healthcare industry, where we believe that the next generation of wireless infusion pumps will be more secure because of the work we did here in conjunction with those manufacturers.
Dave Bittner: [00:08:55:24] Our thanks to Karen Waltermire and Harry Perper from NIST for joining us. You can learn more about the National Cyber Security Center of Excellence by visiting nccoe.nist.gov.
Dave Bittner: [00:09:09:17] The breach at Town of Salem, the role-playing game not the Massachusetts city, affected around 7,600,000 players. As reported by HackRead, the data exposed include username, IP address, email ID and hashed password. BlankMediaGames, the proprietor of Town of Salem, says they don't handle money so no paycard or bank data were exposed.
Dave Bittner: [00:09:35:15] The Dark Overlord, the gang that's trading in 9/11 insurance claims and suggesting conspiracy theories about the terror attacks, has continued to tease and dribble out stolen files on Steemit, the same blockchain-based platform used, for example, by the ShadowBrokers. The motive is purely financial. The Dark Overlord crassly self-describes its greed for Bitcoin and disclaims any high hacktivist purpose. They've apparently received a few thousand bucks from misguided crowdfunders.
Dave Bittner: [00:10:08:16] So this blockchain thing. Have you heard of it? These Bitcoins the Dark Overlord and the other kids are all talking about? Here's something we've wondered about for a long time. You mine this stuff, right? It's like free money, right? Not much money maybe if you're just using your phone but mining Bitcoin and other cryptocurrencies takes computational resources and those use electrical power. Sure, we're all used to turning our devices on, leaving them on, charging them up and so on. Still, does power consumption place limits on alt-coin and those who love it?
Dave Bittner: [00:10:43:24] There was that school principal in China who was sent up the river when municipal authorities wondered what was up with all that electricity being used at the school during off-hours. They investigated and found that the enterprising gentleman had plugged a coin-mining rig into his school and was accumulating Bitcoin on the city's dime. True story. Well, he went too far. But surely there's no problem with a little mining, no? Maybe yes.
Dave Bittner: [00:11:10:20] Our Baby Boomer desk reminds us of a public service ad that ran on New York TV back in the mid 1960s. "What's one little snowflake?" the ad asked and it answered, "Nothing. But put enough of them together and you've got a blizzard. Or what's one little grasshopper? Nothing. But put enough of them together and you've got a plague. And what's one little piece of litter? Nothing. But put enough of them together and you've got a dirty city."
Dave Bittner: [00:11:37:18] So too with Bitcoin. Testimony before the US Senate Committee on Energy and Natural Resources this past August estimated that Bitcoin mining accounted for about 1% of the world's energy consumption. Last May a study published in the magazine Joule looked at coin mining and concluded that solving for cryptocurrency was then consuming at least 2½ gigawatts of power, a little shy of what Ireland uses. And the researchers speculated that consumption would exceed 7½ gigawatts or nearly Austrian levels by the end of 2018.
Dave Bittner: [00:12:13:10] So that's a lot, right? Wouldn't this mean that the cryptocurrency world was self-limiting? I mean, we need power for other things, right? What good do all these profits do if someone ends up with a huge stack of alt-coin and winds up sitting in the cold dark with the rest of us? And the rest of us would be a pretty tough crowd, we think.
Dave Bittner: [00:12:34:02] Anyhoo, power consumption seems to be a bit down. Some of the drop is market driven. As Bitcoin's price crashed over the past year, speculators have turned to other, more attractive plays, probably like state lottery scratch-off cards, consumer debt portfolios and so on. But there are also some technical responses maybe in the offing. IEEE Spectrum reports that Ethereum, the smaller but still significant alternative to Bitcoin, whose power consumption is about a fourth that of Bitcoin's at roughly Icelandic levels, is working to overhaul its code to cut the electricity needed to mine Ether. Roughly speaking the change will involve a shift from proof-of-work to proof-of-stake, an alternative approach to distributed consensus that the Ethereum Foundation thinks could cut power use by a hundredfold by randomly assigning computation to one processor as opposed to an indefinitely large number of competing processors. Proof-of-stake validators, not miners, note, but validators, would put up collateral in the form of Ether. The more Ether, the more likely you are to be chosen and if you're caught cheating, you've got more to lose. So good luck.
Dave Bittner: [00:13:48:03] Returning to New York a half century ago, we're sad to say that the Boomer desk remembers it as a pretty dirty city despite the PSA's best efforts. Lots of bad behavior too. True story. One member of the desk recalls that a kid brother had an elephant in the Central Park Zoo steal his Deputy Dawg lunchbox during a field trip to get at the peanut butter and jelly sandwich Mom had packed for his sustenance. Sad.
Dave Bittner: [00:14:19:08] Now a moment to tell you about our sponsor, Attila Security. Attacks on the US Defense Industrial Base supply chain, otherwise known as DIBs, are one of the most pervasive cyber threats facing our nation today. DIBs are vulnerable for a variety of reasons, ranging from legacy software and systems to a corporate culture that values operations over IT security. Cyber criminals exploit these weaknesses and target their attacks on DIBs in order to gain access to government networks. Attila Security is tackling this threat head on. Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any non-technical user. GoSilent is a firewall and VPN in one and turns unsecured data transmissions into top secret level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com. That's spelled a-t-t-i-l-a-s-e-c.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:15:43:02] And joining me once again is Professor Awais Rashid. He's a professor of cyber security at University of Bristol. Awais, welcome back. Today we wanted to touch on some of the challenges when it comes to securing large scale infrastructures. What can you share with us today?
Awais Rashid: [00:15:57:13] Our critical infrastructures on which our society relies such as water, power, transportation, healthcare, energy generation and distribution, they are becoming increasingly connected. And we are through, for example in the Internet of Things, devices and so on and connecting these systems also to enterprise systems, we are increasing this connectivity all the time. And that has great business benefits but it also means that the size and interconnectedness of these infrastructures make security a very challenging problem.
Awais Rashid: [00:16:30:09] So I'll give you one example. For instance, as we roll out many smart devices including, say, for example, smart refrigeration across wide areas, then the scale of attacks can be very large and attackers can potentially compromise smart refrigeration across a whole area and hence overload the power grid, and you can imagine that the impact of attacks is considerably larger as well: disruption to a large population and massive business losses.
Dave Bittner: [00:16:57:05] Yeah, I've seen stories come by recently about potential problems with, for example, hot water heaters. You know, devices that require a large amount of energy and if you could spin up some sort of botnet to trigger them simultaneously, well, that could cause some trouble in the grid.
Awais Rashid: [00:17:12:06] Absolutely, and I think this is really where the challenge comes, because there are good business reasons to not isolate these systems from the rest of the environment in the first instance, but we need to have more systematic ways of having security assurances about their behavior. And I will go even further and say we need to have more resilience assurances about their behavior. So imagine, anyone, you do not want your-- you do not want to have to take your power grid offline because there is an attack going on. What you want to do is you want the power grid to be able to respond to it gracefully and maintain perhaps its operation at somewhat reduced capacity and then recover very, very gracefully. And I think this is really where, I would say, the, the frontier lies at the moment for cyber security because while we create these massively connected infrastructures from which we derive great value and they're now in our society, we also have to think about as to this is not a case of these infrastructures being compromised and then being unavailable. They have to be able to be resilient in an increasingly adversarial world where secure and insecure devices and systems interact.
Awais Rashid: [00:18:22:23] The attack does not necessarily need to lead to a massive data breach or even a massive disruption of service. It can just be, just be what you would call a nuisance attack but that does not mean that it does not create a huge cost to the organization that operates the system or the infrastructure and also those who are charged with maintaining and defending the infrastructure and ultimately people who work on game theoretic notion of security, they, they would say, you know, this is ultimately a game theoretic problem as to how do you-- the attacker wants to, you know, increase the cost to the defenders and the defenders of course want to minimize their cost but increase the cost to the attackers. And here I go back to this, this point that we need to have more, more resilient systems who can actually withstand these kind of issues and gracefully recover.
Dave Bittner: [00:19:11:09] Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:19:18:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:30:22] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik. Social media editor, Jennifer Eiben. Technical editor, Chris Russell. Executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.