The CyberWire Daily Podcast 7.31.19
Ep 896 | 7.31.19

Capital One breach update. CISA warns of avionics CAN bus vulnerabilities. More attacks on local Louisiana governments. Change at the SEC. Cyber summer school for NATO, EU diplomats.

Transcript

Dave Bittner: [00:00:03] Capital One takes a market hit from its data loss. CISA warns of vulnerabilities in small, general aviation aircraft. Another parish in Louisiana is hit with a cyberattack. The SEC's top cyber enforcer is moving on from the commission. And diplomats go to cyber summer school in Estonia. It's not a coding boot camp, but it should give them the lay of the cyber land. 

Dave Bittner: [00:00:31]  Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operations center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show. 

Dave Bittner: [00:01:36]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:01:51]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 31, 2019. 

Dave Bittner: [00:01:59]  Capital One's reputation and stock price have taken a hit from the data breach the financial services company disclosed this week, The Wall Street Journal reports. Its share price dropped almost 6% on Tuesday. The company has since its founding seen itself as a technologically savvy operation. Corporate folklore describes Capital One's self-image as being a tech company that delivers financial services. They were an early adopter of the cloud, for one thing, and the misconfigured firewall that escaped notice is what gave the alleged attacker access to their data. The cloud is good, and even good for security, but it can't be used casually or inattentively. This isn't a set-it-and-forget-it proposition. 

Dave Bittner: [00:02:43]  Another Journal headline calls the incident an example of the insider threat, but it seems instead to be a familiar case of misconfiguration allowing unauthorized access to data in the cloud. The accused hacker, Paige Thompson, seems to have had the technical wherewithal to pull the caper off, but in other respects seemed to struggle with problems with living, again, as reported by The Wall Street Journal. And as WIRED notes, she didn't cover her tracks particularly effectively. The accounts in which she talked about her activities were easily traceable, and Tor doesn't amount to a cloak of invisibility. 

Dave Bittner: [00:03:18]  Forbes says that Thompson may be under investigation in connection with other incidents, some involving at least one state government, others involving other companies. The Department of Justice isn't commenting on the possibility. Forbes bases its conclusion on things people have observed in accounts that may be associated with Thompson. 

Dave Bittner: [00:03:37]  Thompson is widely identified as having worked for Amazon, but that was a few years ago, and it seems unlikely that any insider knowledge Thompson may have acquired at Amazon had much, if anything, to do with the attack. The misconfiguration would seem to explain how an attacker got in. Capital One isn't the first to suffer from this sort of mishap, and they're unlikely to be the last. For its own part, Amazon has said it wasn't affected by the incident. 

Dave Bittner: [00:04:03]  Capital One is now subject to at least one class-action suit, initiated by a Connecticut man who says he's a Capital One customer whose personal information was compromised in the breach. It's expected that more lawsuits will follow. New York's attorney general has also opened an investigation. 

Dave Bittner: [00:04:22]  Moving to aviation cyber vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency - that's CISA - has issued a warning based on research by Rapid7. The research describes a way in which an attacker could compromise the avionics Controller Area Network - that's the CAN bus - aboard an aircraft. As CISA put it in their warning, quote, "an attacker with physical access to the aircraft could attach a device to an avionics CAN bus that could be used to inject false data, resulting in incorrect readings in avionic equipment. The researchers have outlined that engine telemetry readings, compass and attitude data, altitude, airspeeds and angle of attack could all be manipulated to provide false measurements to the pilot. The researchers have further outlined that a pilot relying on instrument readings would be unable to distinguish between false and legitimate readings, which could result in loss of control of the affected aircraft," end quote. 

Dave Bittner: [00:05:18]  The immediate recommendation for mitigation of this risk is to restrict physical access to aircraft. CISA hopes that aircraft manufacturers will address the vulnerability with upgrades and with new production. 

Dave Bittner: [00:05:31]  A number of the stories reporting CISA's warning are illustrated with stock photographs of airliners, but this might be misleading. The study on which the warning was based didn't look at airliners. Patrick Kiley, the researcher at Rapid7 who looked into the problem, was talking about small aircraft. Indeed, from his blog post, it appears he got interested in the problem while working on his own kit-built airplane. He worked on two CAN bus implementations that are popular with small aircraft pilots. If you're familiar with earlier research into vulnerabilities associated with CAN bus implementation in automobiles, these findings will have a familiar ring. The CAN bus is a standard protocol for vehicles that allows their internal systems and devices to communicate electronically. 

Dave Bittner: [00:06:16]  Kiley shared his findings with CISA, Idaho National Laboratory, the Federal Aviation Administration and the Aviation Information Sharing and Analysis Center, the A-ISAC. He urges other researchers to do likewise. He found it a valuable exercise.

Dave Bittner: [00:06:33]  He also points out in his blog that general aviation's reliance on physical security at airports to protect airplane systems may have made the sector less attentive to cyber risk than the similar automotive sector. That is, you park your car on the street and usually lock it, but otherwise, people can gain access to it. So the automobile sector has paid some attention to things like network segmentation and other security controls. That hasn't yet been the case with general aviation, Kiley thinks. 

Dave Bittner: [00:07:02]  The Women's Society of Cyberjutsu is holding a special cyber exhibition fundraiser next week in Las Vegas. They're calling it the Wicked6 Cyber Games, and we're proud to be media partners for the event. Jessica Gulick is CEO at Katzcy and vice president of the Women's Society of Cyberjutsu. 

Jessica Gulick: [00:07:21]  We had this idea - why not try to take this to Black Hat and really start to encourage people to recognize cybersecurity as a sport - as an esport, specifically? Because it brings such a great dynamic to the conversation around cyber skills, as well as playing as a team, as well as the career aspect of cybersecurity. 

Jessica Gulick: [00:07:46]  So we wanted to focus first on college students, a coed competition. Bring them out, have some excitement like you would at a football game. So much of cybersecurity in the media really goes to talking about major hacks. And we talk about infamous hackers, if you will. We wanted to spend some time on really celebrating those people that are honing their skills for good. 

Dave Bittner: [00:08:08]  Yeah. It's interesting to me, too, because I think we were all aware of that stereotype of that, you know, loner sitting in their basement hacking away at a keyboard, you know, at all hours of the night. And so I think of the emphasis here on team sports. That's really something fresh. 

Jessica Gulick: [00:08:27]  You know, it's interesting that you say that 'cause I feel that way, as well. In the reality - and reality has a vote. In reality, when you're running a cyber team, it's a team, right? It's not - you're not doing cyberdefense and it's one individual working from home. They are usually working together. And whether it's a penetration test, an adversary emulation or any kind of defensive tactic, real cybersecurity happens in teams. They happen in operation centers, 24-by-7. And so it's important to have that team dynamic. And that, to me, is always fun, right? 

Jessica Gulick: [00:09:05]  I remember the first time that I went on a penetration test exercise, if you will. We had it at a client. I was the project manager. I was expecting everybody to open up their laptops and just start attacking the network. It's not what happened. What I found was it was a heist. They planned it out, and they were very careful on what steps they took, when they took it. There was a lot of communication. There was this best athlete, where they would literally rotate chairs - OK, your turn. Looks like I got through. Next. Your turn. And there was this team dynamic that really excited me. 

Jessica Gulick: [00:09:40]  And that's really what got me started in wanting to be supportive of cyber competitions like this. And I think that part of the story is not being told out there, and if more people heard about it, more people would be interested in playing or having this as a career. 

Dave Bittner: [00:09:55]  Can you give us some insights into the actual formation of the teams themselves? Did some of the teams come to you preformed, or have you been putting folks together yourselves, or a mix of both? 

Jessica Gulick: [00:10:07]  So for this first year, what we wanted to do was focus on college teams because many of the colleges already have a team identified. We wanted to provide a format so that they could create a team if they didn't have it. For example, community colleges might not typically play in this arena, and we still wanted to allow for that kind of opportunity. 

Jessica Gulick: [00:10:29]  So we put out parameters. We did a lot of scouting, if you will, reaching out to college teams we knew already existed, either through individuals that we know or online through social media. And we had 21 collegiate teams come together. There are requirements. They have to have six players, four active players, and one of those active players need to be a female. But for the most part, they have a lot of flexibility. 

Dave Bittner: [00:10:55]  Right. 

Jessica Gulick: [00:10:56]  But we'll also have an opportunity, because this is a fundraiser, for some of the adults that are walking in that, you know, either they feel like, hey, I could do that, or, I'm curious - they'll have the opportunity to donate and put their fingers on a keyboard and try out a mission or two themselves. 

Dave Bittner: [00:11:13]  So can you give us a little background information on the Women's Society of Cyberjutsu? 

Jessica Gulick: [00:11:18]  So the Women's Society of Cyberjutsu was started in 2012. And our mission, really, is to advance women into cyber careers. We also have Cyberjutsu Girls, which reaches down all the way to middle school and provides some programs for them, both of which are across the nation. It's a really exciting program. It's not competing with training. This is really about opportunity for workshops and to really taste it and try out your skills. We have over 2,000 members, and they're ranging of a variety of skill sets. We have seen quite a number of them coming in from IT careers, so they're crossovers or what we call boomerangs, coming back into the career. And they just want to belong to an organization to allow for them to learn new skills and network and understand where they want to take their career. 

Dave Bittner: [00:12:10]  That's Jessica Gulick. The Wicked6 Cyber Games are August 8 at the Luxor Hotel and Casino in Las Vegas. You can find out more at their website, wicked6.com. 

Dave Bittner: [00:12:22]  A fourth school district in the state of Louisiana has sustained a cyberattack. The Advocate reports that Tangipahoa Parish is the latest victim. Some, although not all, of the attacks on the four parishes so far affected have involved ransomware, but the identity and motives of the attackers remains unclear. 

Dave Bittner: [00:12:41]  The SEC's top cyber enforcer is moving on after 15 years with the commission. Robert A. Cohen, who led the U.S. Securities and Exchange Commission's Division of Enforcement's Cyber Unit since its inception in 2017, will be leaving the agency in August, the SEC announced. 

Dave Bittner: [00:12:59]  And, finally, in its now-familiar role of a country that punches far above its weight in cyber matters, Estonia offered a summer school for NATO and European Union diplomats designed to give them some necessary familiarity with the issues, technologies and strategies that shape international relations in cyberspace. One of the objectives was to familiarize them with basic hacking techniques, like what's a botnet? What's a distributed denial-of-service attack? They don't need to be coders, but knowing the lay of the land in cyberspace is undeniably a good thing. 

Dave Bittner: [00:13:38]  And now a message from our sponsor, ObserveIT. 

Unidentified Person #1: [00:13:43]  Great party, huh? 

Dave Bittner: [00:13:44]  Yeah, yeah. Great - great party. Could you excuse me for just a moment? Hey, you. What are you doing? What? Oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person #2: [00:14:04]  Did someone say trouble? I bet I can help. 

Dave Bittner: [00:14:06]  Who are you? 

Unidentified Person #2: [00:14:07]  To catch insider threats, you need complete visibility into risky user activity. Here. I'll show you how ObserveIT works. 

Dave Bittner: [00:14:15]  Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person #2: [00:14:24]  Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:14:30]  But wait; what's your name? Oh, well. Thanks, ObserveIT - and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. 

Dave Bittner: [00:14:57]  And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. We had an article come by from Scientific American, and this was titled "The Quantum Internet Is Emerging, One Experiment at a Time." We've got some progress being made here when it comes to quantum things in the digital world. 

Jonathan Katz: [00:15:22]  I think that there's some early progress here. There are certainly people talking about making progress. And what's going on here, really, is, you know, we know a lot about or we've heard a lot about quantum computers, which you can think of as, you know, local computation devices that are relying on quantum mechanics to do things that we can't do classically. People have probably heard about quantum key distribution, which allows two computers to use quantum mechanics in order to agree on a classical cryptographic key. 

Jonathan Katz: [00:15:50]  And what they're talking about here is basically going to the next level and thinking about what it might look like to have a fully quantum internet, meaning to allow computers - quantum computers to be able to communicate quantum states with each other - fully general quantum states with each other and what that might allow. So people are just, I think, really only starting to think about this. People are doing initial experiments to try to determine feasibility. And people are also thinking about what that might mean and what kind of applications that might allow. 

Dave Bittner: [00:16:18]  Yeah. One of the things the article dug into here, which I found fascinating, was that thing that Einstein called spooky action at a distance, with, you know, quantum entanglement. Well, what are the implications of that? 

Jonathan Katz: [00:16:30]  Right. So quantum entanglement would basically mean, essentially, that you have two different entities who are able to share, let's say, pieces of a quantum state. And then when any one of those entities would measure the state that they hold at their side, it would instantaneously cause a change in the state held by the other party at the others - at the other side some distance away. And that's the spooky action at a distance that you were referring to. 

Jonathan Katz: [00:16:54]  And this could allow, potentially - well, it's not clear what it might allow, to be honest with you. 

[00:17:00] (LAUGHTER)

Jonathan Katz: [00:17:00]  I think, you know, one of the things that people are talking about using these kind of protocols for secure communication because that action at a distance would be something that an attacker would not be able to observe. It's not... 

Dave Bittner: [00:17:12]  It's truly instantaneous, right? We're talking, you know, faster-than-the-speed-of-light kind of stuff, yes? 

Jonathan Katz: [00:17:17]  Well, so you have to be a little bit careful. It's true that it's instantaneous. It does not allow you to communicate faster than the speed of light, but it - still, it does give you some other properties, like this privacy I was talking about, or it allows you to basically defer certain choices until a later point in time. And there are cryptographic applications and distributed computing applications that you can do once you can share entangled states like that. And that's the kind of thing that people are talking about. The quantum key distribution that we already have some examples of experimentally is not sharing entangled states, and so this is basically the next level up. 

Dave Bittner: [00:17:52]  And any sense for what we're talking about in terms of a timeline? Is this the sort of thing that's decades away, or sooner than that? 

Jonathan Katz: [00:18:00]  (Laughter) Well, it's likely to remain five years away for the next decade. 

[00:18:03] (LAUGHTER)

Dave Bittner: [00:18:04]  Of course. Yes, I understand. 

Jonathan Katz: [00:18:05]  It's really not clear, to be honest. I think there are so many things that have to happen before this can become a reality. I think, you know, there are really two questions. One is at what point can we say that, in principle, we can build a quantum internet? And that's going to take some research and some experimental prototypes and things like that. And then there's the question of what time frame this quantum internet actually gets built, and that's maybe more of a business decision than an economic decision - how much demand there is for these things. And that's really unclear. 

Dave Bittner: [00:18:34]  All right. Well, I have to admit that this stuff is incredibly fun but also mind-bending and head-spinning and all that sort of stuff. But I'm glad I have folks like you to help explain it to me. So, Jonathan... 

[00:18:46] (LAUGHTER)

Jonathan Katz: [00:18:46]  I appreciate it. Whatever I can do to help. 

Dave Bittner: [00:18:47]  Yeah. On behalf of our listeners, thanks to you. So, Jonathan Katz, thanks for joining us. 

Jonathan Katz: [00:18:54]  OK. Thank you. 

Dave Bittner: [00:18:59]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:12]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.