Hacking Humans 10.6.22
Ep 215 | 10.6.22

What is cyber quantum computing?

Transcript

Pete Ford: Commerce, Labor, State, Defense, Energy, critical infrastructure, etc. All of that would be wide open for any adversary to look at.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Pete Ford. He's senior vice president of federal operations at QuSecure. We're talking about the implications of quantum computing. All right. Joe, before we dig into our stories this week, we have a bit of follow-up here. You want to take us through what our listeners have sent in for us? 

Joe Carrigan: Well, before we get to what the listeners have sent in, I have two pieces of information. No. 1 is there has been an arrest in what is believed to be the Rockstar and Uber hacks. 

Dave Bittner: OK. 

Joe Carrigan: There's a lot of - not a lot of information coming out about the arrest because the person is a minor. But the British police have picked up somebody. 

Dave Bittner: Right. 

Joe Carrigan: And we have a link. We'll put a link in the show notes. There's an article on BleepingComputer that discusses it. 

Dave Bittner: OK. 

Joe Carrigan: Another thing is the week before we recorded this episode, Hurricane Ian moved through Florida... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And did a significant amount of damage to a couple of areas down there, Fort Myers being one of them. What's going to happen right now is there's going to be scams around this, Dave. It's going to happen. So just be mindful of it. That's - I just want to advise people that listen to this show. That's - they know. 

Dave Bittner: Yeah. 

Joe Carrigan: Most of our listeners are - would - you know, these guys watch the news cycles. They're going to do this. 

Dave Bittner: Right. 

Joe Carrigan: And finally, we did get a Dustin writing in, a letter from Dustin, who writes in with information from our listener last week, coincidentally also named Dustin... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Which is interesting. I was - I had to look and see if these were the same people. They are not. 

Dave Bittner: OK. 

Joe Carrigan: So they're just two guys named Dustin. And Dustin writes, listening to your most recent episode now. I'm a registered health information management technician working for a children's facility in the medical records department. I can say that the person who wrote in about their pediatrician's office and obtaining medical records, that he should have been made to produce ID to pick up in person in that way. So he should have been asked for his ID. Furthermore, the pediatrician's office should have submitted a continuation of care release of information request. And those records should have been sent directly to the pediatrician without involving the patient/parent or anything other than, perhaps, a signed authorization. So there is infrastructure that allows that to happen, apparently. 

Dave Bittner: Right. Right. 

Joe Carrigan: That was one of my questions. As far as faxing in health care, it is still the best way to get documents that are time sensitive, communicated and sent between medical facilities. Most now use some sort of faxing software integration that works similar to email. But when you are taking those provider offices that are outliers, those that are out in the far-reaching corners of the countryside, fax may still be their best or only option. That's a good point. You know, infrastructure is not the same. We have the luxury of living in one of the more developed parts of the country, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: But I frequently travel to the less developed parts... 

Dave Bittner: Right. 

Joe Carrigan: ...Out in Appalachia. It's an excellent point. Believe me, all of us in health care want to get rid of faxing personal health information - PHI. But I'm afraid the technology is not currently available to all health care entities to provide instant communication and the transfer of information. A big part of this is a thing called interoperability. And trying to get every health care entity on a page where they all are OK with sharing information back and forth has proven hard to do given the fact that a lot of health care entities are also a for-profit business. And interoperability is not a friendly word to profit seekers. 

Dave Bittner: Oh. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah, right (laughter). 

Joe Carrigan: So thank you, Dustin, for writing that in. I will agree with that. But there are other ways we could go about doing this. I remember - I haven't used this system in a long time. But we used to have a secure way of delivering documents to our customers via an encrypted website, you know? We... 

Dave Bittner: Yeah. 

Joe Carrigan: The files would be stored securely. And somebody else could go and get them. And we'd provide a link and then information via another medium. 

Dave Bittner: Well, I've noticed, like with most of my health care providers now, they have some sort of portal that you go to. 

Joe Carrigan: Yes. 

Dave Bittner: And they seem to be quite secure. You know, there's - in fact, I think all of them have some type of multifactor authentication built in. And... 

Joe Carrigan: Yeah. 

Dave Bittner: But that way, instead of emailing stuff back and forth, they can post things to the portal. And you can go to the portal. And they can share things. So I've seen test results and notes from my doctor and things like that. 

Joe Carrigan: Right. 

Dave Bittner: So you know, that seems to work pretty well. 

Joe Carrigan: The product I've seen is called MyChart. 

Dave Bittner: Yeah. 

Joe Carrigan: And I've seen this at multiple places. And I think that's an Epic product... 

Dave Bittner: OK. 

Joe Carrigan: ...That integrates directly with the electronic health record. 

Dave Bittner: Oh, OK. 

Joe Carrigan: So you're actually looking at the patient view of the database through that website, which is great, right? 

Dave Bittner: Yeah. No, I'm happy that we're moving in that direction (laughter). 

Joe Carrigan: Yeah. Yeah. And Dustin makes a good point, you know? Not every small office, like out in West Virginia, is not going to have an EHR system. 

Dave Bittner: Right. 

Joe Carrigan: They're not going to do it... 

Dave Bittner: Right. 

Joe Carrigan: ...Because they might not be making that much money. And I'll tell you, Epic is not cheap. 

Dave Bittner: Yeah. 

Joe Carrigan: It's very expensive. 

Dave Bittner: No. And I think the point also that if you're running a for-profit business that you want to have - you know, gatekeeping leads to dollars, right (laughter)? 

Joe Carrigan: Yeah, right. 

Dave Bittner: So if you can charge somebody for access to something, then you have an incentive to do that, whether or not it's ultimately in the patient's best interest or not. 

Joe Carrigan: Or even ethical. 

Dave Bittner: That's a conversation for another day (laughter). 

Joe Carrigan: Right. 

Dave Bittner: All right. Well, our thanks to Dustin for writing in. We do appreciate your expert insights. One other quick little note here... 

Joe Carrigan: OK. 

Dave Bittner: ...We got from someone on Twitter whose Twitter handle is @toddysm and says, about your Catch of the Day - so last week we had a Catch of the Day where the person purported to be someone named Vladimir Petrova (ph)... 

Joe Carrigan: Right. 

Dave Bittner: ...And ToddySM writes in and says, about your Catch of the Day, Vladimir is normally a male name, while all names that end with A are normally female surnames. In addition to the bad English, I doubt that Vladimir Petrova is a combination you will ever see in a real name (laughter). 

Joe Carrigan: So Petrova's a female name, is what he's saying. 

Dave Bittner: Yes. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Yes. So there you go. But, you know, that's the kind of thing where, unless you're a native speaker or someone familiar with that language, that could easily slip by... 

Joe Carrigan: Right. 

Dave Bittner: ...Which it did for us. 

Joe Carrigan: I wouldn't have recognized it. I'll bet Petrova is the female version of Peter in Russian. 

Dave Bittner: Yeah. 

Joe Carrigan: And that's just a guess based on the - my hobby-like love of linguistics. 

Dave Bittner: OK. All right (laughter). 

Joe Carrigan: Yes. 

Dave Bittner: Well, thanks everyone for sending in your thoughtful feedback here. Of course, we'd love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into our stories here. I'm going to kick things off for us. Kind of a quick one here for me this week. This is from Jon Brodkin over at Ars Technica. And this is about the FCC advancing a plan to require blocking of spam text from bogus numbers... 

Joe Carrigan: OK. 

Dave Bittner: ...In the What the Hell is Taking You So Long Department... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...(Laughter) We have - so there are a couple of interesting things here. So the FCC, the Federal Communications Commission, they have released a plan that requires mobile carriers to block a wide range of illegal text messages. So this is a notice of proposed rulemaking. Basically, the FCC is putting the word out to the public that this is something that they're planning on doing. There's a comment period. 

Joe Carrigan: I was about to say, is there a comment period? 

Dave Bittner: There's a 30-day comment period, and then another 15 days for replies to comments. After that, the FCC can draft new requirements, and then they'll set up a final vote - blah, blah, blah, blah, blah (laughter). 

Joe Carrigan: I'm going to go comment on this, Dave. 

Dave Bittner: OK. 

Joe Carrigan: My comment is going to be, what the hell is taking you so long? 

(LAUGHTER) 

Dave Bittner: Yeah. So, but there's an interesting little side note to that, as well. So basically, what they're saying is that wireless providers will be required to block texts at the network level that are from invalid, unallocated or unused numbers and numbers on the Do Not Originate list. I didn't know there was a Do Not Originate list (laughter). 

Joe Carrigan: I have to find out what that list is. That's a new one to me. 

Dave Bittner: Do Not Call list, but I didn't know there was a Do Not - I guess it's, like, a block list for the origin of numbers... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is interesting. You know, they talk about how, rightfully so, the American people are fed up with scam texts. That's from FCC Chairwoman Jessica Rosenworcel. So I think this is good news. Sort of a side note that we've alluded to is that this has been on the FCC's docket for quite a while. And this article points out that the timing is interesting in that there were lots of other things that the FCC was working on that were also, you know, similar types of things and that got addressed. And this just kept sort of being on the back burner. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. But then, according to a report from Axios, the vote finally happened after a reporter started asking around why it was taking so long. 

Joe Carrigan: (Laughter) Good. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: Media doing its job is the... 

Dave Bittner: Right. Well, I - that's a really good point. 

Joe Carrigan: Right. 

Dave Bittner: You know, that's why - and as you and I have talked about, we've seen this hollowing out, particularly of local media... 

Joe Carrigan: Absolutely. 

Dave Bittner: ...Is problematic because you don't have people asking these questions - you know, what's taking you so long? 

Joe Carrigan: Right. 

Dave Bittner: So evidently, once this reporter started poking around, the folks on the FCC commission voted. They voted 4-0, bipartisan, to say, yes... 

Joe Carrigan: Yep. 

Dave Bittner: ...This needs to be taken care of. 

Joe Carrigan: Good. 

Dave Bittner: So that's interesting. Good stuff. So, you know, it looks like we are month and a half, maybe two months away from actually seeing some action on this but... 

Joe Carrigan: I hope so. 

Dave Bittner: ...It'd be interesting to see to what degree it actually makes a difference and how the text scammer - spammers pivot and come at it in a different way. 

Joe Carrigan: Yeah, they're not going to take this lying down. They're going to do something else. 

Dave Bittner: Yeah. 

Joe Carrigan: They're going to find some way to get around this. Hopefully, this will make it much more difficult for them, and maybe there will be costs involved for them. 

Dave Bittner: Right. 

Joe Carrigan: I think if you can impose costs on these guys, higher costs, that stops it. 

Dave Bittner: Yeah. 

Joe Carrigan: You can just make it so that they have to pay lots of money to send these kind of texts. It pretty much ends it. 

Dave Bittner: Yeah. This article points out that robocalls are still a bigger problem in terms of the complaints that the FCC gets. But text messages, I think, are No. 2 in terms of things people contact the FCC and have a headache about. So... 

Joe Carrigan: Yeah. I would like the ability to block political robocalls and texts. And there's a big First Amendment issue there... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Because people do have the right to express their opinions and all that stuff. Freedom of speech is very important to me. But this is my platform that I pay for. This is not your platform. You don't get to send me whatever you want and invade my space that I pay for with this. I think there's some limit here. I don't want to hear from anybody on my phone about an upcoming election. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: It's funny. My co-host Ben Yelin from the "Caveat" podcast was - recently put out a similar complaint on Twitter that he was really tired of all of the political messaging that he was getting. And I shared a bit of advice that I think I've shared here before as well. A friend of the show, Ray Redacted on Twitter, gave me the tip once to make a folder in your email account that anything that contains the word unsubscribe goes into that folder for later review. And, boy, does it clean out your inbox. It unclutters... 

Joe Carrigan: That is a great idea. 

Dave Bittner: Yeah. I mean, you still got to check it every now and then... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Just like you got to check your spam folder. 

Joe Carrigan: Well... 

Dave Bittner: But it just unclutters your mailbox in a very, very satisfying way. 

Joe Carrigan: I will tell you that I might change my current policy because right now what happens is all of my email goes to that folder unless it comes from someone I've sent an email to or someone I've put on a list. So - but I have been missing emails from people, and I have to go into that other folder at least once a day to find them. 

Dave Bittner: Right. 

Joe Carrigan: And it's a lot of work to do that. 

Dave Bittner: (Laughter) I know. I know. I know. Email's just a pain these days. 

Joe Carrigan: It is. 

Dave Bittner: I wish - it's a shame that email hasn't evolved more than it has... 

Joe Carrigan: You know, Dave... 

Dave Bittner: ...For many, many reasons. 

Joe Carrigan: ...It is - it's time for email to change. And maybe I'm going to do something about that. 

Dave Bittner: Be the change, Joe. Be the change. 

Joe Carrigan: Maybe I will be the change. 

Dave Bittner: Yeah. All right. All right. Well, that's my story this week. What do you have for us, Joe? 

Joe Carrigan: Dave, my story comes from Vikki Hopes, who writes for the Abbotsford News. Ever been to Abbotsford? 

Dave Bittner: I - no. 

Joe Carrigan: It's in British Columbia, north of the border. 

Dave Bittner: Oh, OK. Nope. 

Joe Carrigan: So it makes sense. But the story is - the headline is "Two Abbotsford Residents Lose $46,000 in Bank Scam," and "Police Warn Others to be Cautious of Clicking Links on Mobile Devices." 

Dave Bittner: OK. 

Joe Carrigan: So here is how this story unfolds. And I have some questions actually. And I don't know if Vikki is - Vikki Hopes is technical, but this article does raise a couple of questions. But she says two victims have been - have fallen for this bank scam, according to Constable Art Stele. I love the term constable. We don't have enough constables in the United States. 

Dave Bittner: Also, Art Stele is a great name. 

Joe Carrigan: Art Stele, yes. 

Dave Bittner: Sounds like a - someone in a murder mystery novel or something. 

Joe Carrigan: It does. But he's with the Abbotsford Police Department and said that what happened was two people got texts that contained links that installed malware on their phones - or mobile devices, he says... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That then provided username and passwords for their bank account. So I don't know - that's the part that makes me go, hmm, because it doesn't line up with the rest of the story. 

Dave Bittner: OK. 

Joe Carrigan: Because what happens then is these - the fraudsters would call the victims by phone, usually very early in the morning, claiming to be employees of the bank. And they would ask if the person had made a recent purchase on gift - of gift cards... 

Dave Bittner: Oh. 

Joe Carrigan: ...Right? Of course, the person would be like, no, I didn't do that. And they'd be like, OK, so we got some fraudulent activity here. Let's get the ball rolling on getting this done. And of course, in order to get the ball rolling on resolving fraudulent activity of purchasing gift cards, I need you to go out and buy some MasterCard gift cards... 

Dave Bittner: Oh, is that right? 

Joe Carrigan: ...And then provide the information to me - the security codes on them to make sure everything's good. Additionally, these people were then asked to take their money - large quantities of money out and go to a bitcoin ATM... 

Dave Bittner: Oh, my word. 

Joe Carrigan: ...And send money to these - send bitcoin to these scammers. 

Dave Bittner: Wow. 

Joe Carrigan: So any money sent to them via bitcoin is gone. There's no hope of getting that back. 

Dave Bittner: Right. 

Joe Carrigan: That's - unless they can actually catch the scammers and get their private keys. There - I mean, there is a way to get it back, but probably not going to happen. 

Dave Bittner: Sure. 

Joe Carrigan: But here's my question about this thing. I don't know. If you had taken someone's username and password into a bank account, why would you need to call them and do fraudulent - some kind of fraudulent activity? Why wouldn't you just go in and send yourself a big check? Also, how did these guys get this malicious software installed on people's phones? It - was it something in one of the - like, the Google Play store or the - probably the Google Play store. Probably not the Apple - maybe the Apple, who knows? 

Dave Bittner: Yeah. 

Joe Carrigan: The Apple - what's the Apple store called? 

Dave Bittner: The App Store. 

Joe Carrigan: Oh, the App Store. 

Dave Bittner: Yeah. 

Joe Carrigan: App Store. Right, Apple App Store. Got it. 

Dave Bittner: Yeah. 

Joe Carrigan: So it's much more likely that these malicious apps exist in one of these stores. And maybe they don't send credentials, but they send information about banking transactions that have happened. Or maybe they do send the credentials, and that's how these guys get in there. But then they can't transfer any money because - I don't know how this works. 

Dave Bittner: I mean, as you were describing it, I was wondering - like, if I called someone - if I were doing this scam... 

Joe Carrigan: Right. 

Dave Bittner: ...I would call them in the morning, right? 

Joe Carrigan: Right. 

Dave Bittner: So they're bleary-eyed and half-awake - and say, hi, I'm from the bank. I'm here to help. Well, there's been some fraudulent activity. I'm going to send you a link to log in to your bank account... 

Joe Carrigan: Right. 

Dave Bittner: ...Right? And then I would send them the link, which, of course, is a phishing link. And it's going to go to a web page that looks like the bank. 

Joe Carrigan: Right. 

Dave Bittner: And then they're going to log in with their username and password. Now I've got their credentials, and I'm off to the races. 

Joe Carrigan: Right. 

Dave Bittner: That's what I would do. 

Joe Carrigan: Right. 

Dave Bittner: Is that not what's going on here? 

Joe Carrigan: No, what's going on is they're actually telling these people about transactions they've seen on the bank account. 

Dave Bittner: OK. 

Joe Carrigan: So that's how they're getting trust from the people... 

Dave Bittner: Right. 

Joe Carrigan: ...To show them that they are from the bank when, in fact, they're not. They've just gone in and they've gotten this information. I don't know how they've gotten this information. Maybe they're using the credentials to log in, then looking at it. But if you've done that, why not just fraudulently transfer the money? Maybe it's - maybe... 

Dave Bittner: Well... 

Joe Carrigan: ...There are ways to detect that. 

Dave Bittner: Yeah. You know, it's - it could also be that if you can get the person who owns the bank account to withdraw the money... 

Joe Carrigan: Right. 

Dave Bittner: ...Then the bank's not going to claw back the money... 

Joe Carrigan: Right. 

Dave Bittner: ...Because that person was authorized to transfer that money... 

Joe Carrigan: That's probably a good point. Yeah. 

Dave Bittner: ...You know, there's - the bank didn't do anything wrong. 

Joe Carrigan: Right. This person went to the bank and withdrew the money and then bought bitcoin with it. 

Dave Bittner: Right, right. 

Joe Carrigan: Yeah. 

Dave Bittner: And so the - yeah. So the bank is not - if you got the - if you went in and just transferred the money to your bank account, first of all, that points to your bank account and also... 

Joe Carrigan: Right. 

Dave Bittner: ...Possibility for clawing it back. So that could be a reason. 

Joe Carrigan: Yeah, I think that's actually a good analysis. 

Dave Bittner: Yeah. 

Joe Carrigan: Probably right. Probably correct. So, OK, so maybe it is, but I'd still like to know how they got this malicious app installed. Why is it in the App Store? I doubt they got these guys to sideload it from some third-party marketplace, right? I mean, how do you do that with a text message? Unless the people have already got the developer options enabled - maybe that's the case. 

Dave Bittner: I don't know. Yeah... 

Joe Carrigan: These are questions I have for the... 

Dave Bittner: ...I mean, if you send someone a - I'm just thinking, you know, on Planet Apple, where I live... 

Joe Carrigan: Right. 

Dave Bittner: ...Someone could send you a link that would take you to an app on the App Store. 

Joe Carrigan: Sure. 

Dave Bittner: And then they'd say, OK, I'm going to take you to our security app, you know, and when you see the install button, just hit install. And there you go. 

Joe Carrigan: Right. 

Dave Bittner: Right. 

Joe Carrigan: But there has to be a malicious app that's in the App Store. 

Dave Bittner: Right. That's an... 

Joe Carrigan: Right. 

Dave Bittner: ...Excellent point. Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. And so how do you do that... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Right? Yeah. Trust me. The app says that it's Panda Pop, but it's actually our bank security. 

Joe Carrigan: Right. 

(LAUGHTER) 

Dave Bittner: It's actually our bank - we're just doing this to stay one step ahead of the scammers. 

Joe Carrigan: Yeah. Again, the... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...The problem is that a lot of the technology is a mystery to most people using it, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's not clear how this thing works. All that's clear is that you have a screen in front of you, and if you push in this location, then - you know, if you interact in X way, then Y happens. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: So it all stems from that. 

Dave Bittner: I think about - I certainly have family members who interact with their electronic devices in that way. They know what to do but they don't know why or what it's really doing. They just know this is the order of operations of things I have to press... 

Joe Carrigan: Right. 

Dave Bittner: ...In order to do the things I want to do. And that's tough because it makes them more likely to be able to be manipulated in this sort of way. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. All right. Interesting story. We will have a link to all of our stories in the show notes. Joe, it's time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Joseph. A lot of name pairing going on in today's episode. 

Dave Bittner: (Laughter). 

Joe Carrigan: Got two Dustins and two Joes. 

Dave Bittner: Yeah. 

Joe Carrigan: But Joseph writes, I was surprised this made it through my spam filter. I think it's because they CCed noreply@paypal.com. And as I'm writing this, I just checked, and it's actually paypal@no-reply.com.

Dave Bittner: Oh. 

Joe Carrigan: Those scammers, he says. 

Dave Bittner: OK. 

Joe Carrigan: It'd be interesting to register the name - domain name, no-reply.com. 

Dave Bittner: Yeah. Well... 

Joe Carrigan: Right. 

Dave Bittner: ...Remember there was that whole story about the guy who owned donotreply.com... 

Joe Carrigan: Yeah. 

Dave Bittner: ...And the stuff he got. He - like... 

Joe Carrigan: Got tons of stuff. 

Dave Bittner: Classified documents. 

Joe Carrigan: Classified documents, yeah. 

Dave Bittner: Yeah, all kinds of stuff. Yeah. 

Joe Carrigan: That's a completely different... 

Dave Bittner: (Laughter). 

Joe Carrigan: I could go on for days about that. They had some convincing parts to this and obviously put some thought and work into it. But then they did weird things like leaving out a subject and adding a random string of numbers in the body of the email. Dave, why don't you take it away and read this message that looks like it came from PayPal but did not. 

Dave Bittner: All right. It says, dear customer, your order has been placed, and here's the order number. Thank you for shopping with PayPal account. Your order has been successfully registered with us. You'll get your shipping as we get confirmation of payment from PayPal. Please keep this receipt number for future reference. You'll need it if you contact customer service at PayPal. You have 24 hours from the date of the transaction to open a dispute. For assistance, call this number. Please don't reply to this email, it'll just confuse the computer that sent it and you won't get a response. 

Joe Carrigan: So... 

Dave Bittner: OK (laughter). 

Joe Carrigan: So I think the random string of numbers that Joseph is referencing here looks kind of like a bitcoin address, but it - I don't know that it's a bitcoin address. Doesn't - maybe it is, maybe not. I don't know. 

Dave Bittner: Yeah. 

Joe Carrigan: Unfortunately, what Joseph sent was a picture, so I can't copy and paste the text. I could go and manually enter it, but I'm not doing that. I love that - this is a typical scam that you're going - what's going to happen here is you're going to call this number and these guys are going to be like, well, let's - there's going to be some fake tech support guy on the other end, and he's going to try to take over your computer and try to get you to send either bitcoin or money to them or just take all the money out of your account. 

Dave Bittner: Right. Right. Access... 

Joe Carrigan: They need to get access to your PayPal account... 

Dave Bittner: Exactly. 

Joe Carrigan: ...And start draining your bank accounts. 

Dave Bittner: Yeah. Yeah, absolutely. 

Joe Carrigan: So don't reply to any of these. Never call the number. Look up the PayPal number. Also, by the way, that's the way to defend yourself against the story that I had, as well. 

Dave Bittner: (Laughter). 

Joe Carrigan: When somebody calls you from the bank, tell them - hang up and call them back. Call the bank back. 

Dave Bittner: All right. Well, our thanks to Joseph for sending that in. And again, we would love to hear from you. If you have something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com.

Dave Bittner: Joe, I recently had the pleasure of speaking with Pete Ford. He is the senior vice president of federal operations at a company called QuSecure. And our conversation is about the implications of the coming wave of quantum computing. Here's my conversation with Pete Ford. 

Pete Ford: I would relate it to, where did we stand with Y2K back in '93, when Peter de Jager wrote, this is a big problem, and it's 2,308 days away? So we knew that because we knew that January 1, 2000, was upon us. In our world of quantum right now, particularly quantum communication and quantum computing, that date isn't fully defined, but we can measure how fast things are going based on the technology that we see coming out, the results we see coming out and the level of effort, not just with individual commercial entities but with governments. So most people consider that a quantum computer that can break our classical encryption - is 4,099 coherent qubits - is sometime between three years from now and seven years from now. 

Dave Bittner: You know, for folks who are kind of going through their day-to-day lives and depending on the various types of encryption that we've all become accustomed to - whether using our banking apps and, you know, secure web browsers, all that sort of thing - to what degree will this affect them? How much concern should they have? 

Pete Ford: They should be pretty concerned in that all of our public key infrastructure is built around asymmetric keys. And those asymmetric keys have PSRK, pseudo-random keys, that are nonpolynomial hard math protecting them. So a classical computer can't break those, but the quantum computer that we're concerned with can, and it can break them really fast. So all the information that's protected - and right now, well-protected - by our PSRK and public key infrastructure won't be protected when that quantum relevant computer comes out. So anything that's stored or stolen or hacked right now that can be decrypted later is exactly what we need to be concerned with. And those are things like your mortgages, our bank accounts, all of our private information. And on the federal side - what I'm really concerned with - that also means a lot of things that we consider nation-state important - commerce, labor, state, defense, energy, critical infrastructure, et cetera. All of that would be wide open for any adversary to look at. 

Dave Bittner: And where are we on the journey to making our encryption routines quantum safe? 

Pete Ford: Well, like anything we got - we're a little on our heels, but we're catching up fast. Some of the most important pieces really happened this year. Alike, most of IEEE and several other high-end organizations consider the quantum decade to have started in 2020. And in May of 2021, we had some executive orders come out and said, we really need this to go faster. We need to get rid of legacy encryption data, metadata that we're holding on to that's already outdated. And we need a modernization plan. And then this year, in 2022, on 19 January and again on 5 May, two executive orders came out. They're called National Security Memorandum. Memorandum Eight was January, and Memorandum 10 was in May. They came out classified, and we have the unclassified version. And the neat part about those was, aside from reinforcing what we saw before, I don't want legacy equipment and encryption anymore. We need to get rid of that. I need a reinforced modernization plan, post-quantum communication and quantum resilience. 

Pete Ford: And the important pieces were, this administration and the legislative branch both agree, yes, we're going to put a time frame around this. And those time frames were, one, show me the money. That's always a good thing when the Office of Management and Budget says we have skin in the game because you told us to, and we're putting funding against this. And then, two, we see the NIST make a move forward to declare an actual post-quantum algorithm on 5 July, just in accordance with the timeline that those executive orders came up with. 

Pete Ford: The next piece I think is important to look at is three different bills, one on the Senate and two on the House of Representatives going through, that have quantum language in them that will put funding and growth and technology development against getting us in the right place to recognize how critical this is going to be as this next, I would say, change in our computing infrastructure will be one of the largest we've ever seen. So I think we're catching up fast. We're putting a lot of people on it and we're leaning into it correctly. 

Pete Ford: The situation is - it's not a race run by ourself, Dave. It's, quite frankly, run against other nation-states. And they are leaning into it fast, and they have not taken a break. Let's consider China's 14th five-year plan that specifically calls out the fourth informationization revolution - that's hard to say - basically, the fourth IR. And their focus is that quantum core because they know how critical it is to get ahead of that. So we're not running this race alone, so we can't judge it just based on what we're doing. We need to judge it based on the technology advances we see globally. 

Dave Bittner: Yeah, I know you and your colleagues are really at the front line here in terms of working with the federal government to provide some of these quantum solutions. I'm curious. Is there a chance that, you know, we could have the equivalent of a Sputnik moment, you know, where suddenly one of our adversaries, unexpected to us, surprises us with how far ahead they've gotten? Or might we put our own Sputnik moment out to the rest of the world? 

Pete Ford: That is a great reference, and it's one that I use. The - think about the Space Race, when Yuri Gagarin took a lap around the Earth, and all of us looked wide-eyed at it in the U.S. and said, man, we better get busy. That same thing could happen at any given time, and it's really hard to find out - for us, looking at what we were thinking - let's consider where - back in that day, we had the telltale indicators of what was going on. And then once it became a newsworthy event and we saw Russia in space, we started catching up. The same thing will be true here, but it will be harder to find. And it could be a very devastating moment where something's released as an attack that we weren't ready for, or we see some things solved technologically that show the advances that other nation-states have made that we haven't made. And then we have to come honest where we are in this race. 

Pete Ford: Yeah, Dave, those things could happen in a moment. It's a little bit easier to see and study spacecraft on pads and infrastructure and logistics and some of the more mechanical, open, obvious things that happen in a space race or a nuclear race. In this race, a lot of the quantum world we're living in - first of all, it's pretty complicated. It's what Einstein called spooky action at a distance. So it's hard to understand just how far other technology has advanced. And then it's also hard to imagine just how much or how big a result could happen from a quantum advance from another nation if we're not ready for it or at least expecting it. 

Dave Bittner: Are there questions that folks should be asking their financial institutions or - you know, if I'm a small business owner, should I be working with my suppliers to make sure that they're on top of this? Or are we at the moment now where people need to be doing their own due diligence? 

Pete Ford: I think so. Just like anything, it's always - it pays to have insurance. So we have HIPAA regulations. We have personally identifiable information that we need to protect. We need to start asking those questions, especially at the broader, larger level, all the way down to high-end investors and other folks that are trying to make long-term investments. How are you protecting the information that you have on me so that we can continue to do good work together in the future? So that question just in and of itself says, are you prepared for the future and making sure that the investment that I'm making in you or the investment you're making in me to protect my body so that I last a long time in health care, that you're ready to protect who I am and all the information around the business we do. 

Pete Ford: So that means you have a - on your game plan, just like our nation does, you have a modernization plan. You have a plan for post-quantum communication and quantum resilience. I usually call that pre- and post-quantum. I would like to have no heartbeats raised, no concern whatsoever, before that quantum computer, the cryptographically relevant quantum computer comes out and after, that we already have a plan in place that keeps us steady, ensuring freedom and protection of information beforehand. Those are valid questions to ask, and they're usually followed up with, how much is it going to cost? And that, secondarily, follows up with, what does it cost if you lose this information? So you need to weigh those ahead of time. 

Pete Ford: And then that's one of the reasons I really like what we're doing is we're providing and making every attempt to provide a backward compatibility for post-quantum comm. So the current infrastructure you have - if we can put 60,000 quantum resilient keys over your current layer that isn't going to be broken by that quantum computer, then you get to keep doing exactly what you're doing without significant bandwidth or latency hits, and your information is protected now and then after. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, I want to start by saying this. I am by no means an expert in quantum computing. 

Dave Bittner: Is anybody (laughter)? 

Joe Carrigan: Yeah, that's a good question. 

Dave Bittner: Right. Right. 

Joe Carrigan: You know, if you read - one of my favorite books in the world is a book by Simon Singh called "The Code Book" that's essentially a history of cryptography. 

Dave Bittner: OK. 

Joe Carrigan: It is a great book. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's really easy to understand right up until he starts talking about quantum cryptography (laughter). 

Dave Bittner: OK. 

Joe Carrigan: And that's where I go, like, I have no idea what's going on. 

Dave Bittner: Yeah. 

Joe Carrigan: And it's interesting. And I kind of understand the high-level concepts of it. Like, for example, if you have something that is a problem, like factoring large numbers, a quantum computer can solve that in, I think, one operation if it has enough bits in it. Whereas a traditional computer has to try everything between zero and the square root of the number - or one or two and the square root of the number - right? - so, to see if it's a factor. And that takes a very, very, very long time because these numbers are very, very large. And because these numbers are very, very large, you're going to need to build a quantum computer that has a very large number capability, like a 496-bit quantum computer. 

Dave Bittner: Right. 

Joe Carrigan: If you're thinking about our current architecture, we have 64 bits. And people are like, well, I mean, they can't build - you know, if they can't build a 496-bit computer for our desktop, why would you build something like that for a quantum computer? But the thing about this is you're not talking about a production computer. You're not talking about a microcomputer. Think back to the days of UNIVAC, right? You're building something like that. So you only need to build one of these computers that has the capability of processing 496-bit infrared numbers, right? 

Dave Bittner: Right. 

Joe Carrigan: Which is the large cryptography numbers. 

Dave Bittner: Right. Next thing you know, you've got the computer in "Hitchhiker's Guide to the Galaxy." 

Joe Carrigan: Right. Exactly. 

Dave Bittner: (Laughter). 

Joe Carrigan: Isn't that the Earth? 

Dave Bittner: Yeah. 

Joe Carrigan: So I think the Y2K analogy is a good one. And I'll tell you why I think it's a good one, because Peter de Jager made the announcement of the problem in 1993, right? Do you remember when we started panicking about Y2K? It's like 1998. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: That's when we started seeing all the jobs come out going, we've got to fix this problem. Five years of doing nothing while this happened... 

Dave Bittner: Right. 

Joe Carrigan: ...Knowing that full well that it was coming. And I expect the same thing is going to happen here with quantum computing. There's no firm date either. So it's not going to be taken care of until the problem is upon us. It's going to be like you were describing, the Sputnik moment. 

Dave Bittner: Right. 

Joe Carrigan: And then everybody's going to go, oh, holy crap. 

Dave Bittner: Right. 

Joe Carrigan: What's happened? 

Dave Bittner: Right. 

Joe Carrigan: There will be some orgs that have prepared. There are - and I think a lot of them are going to be in fintech. 

Dave Bittner: Yeah. 

Joe Carrigan: I think they're going to be the first ones on board. But most will not be prepared for this. I think - that's - there's my prediction. 

Dave Bittner: Yeah, I agree. I've said it before, and I'll say it again. I think human beings have proven ourselves a reactive species. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: So this is my Joe-stradamus (ph) prediction. 

Dave Bittner: OK. 

Joe Carrigan: Not everybody is - most people will not be prepared for this. Most organizations will not be prepared for this. 

Dave Bittner: Right. 

Joe Carrigan: Here is another problem about the dawn of quantum computing. Intercepting communication on the internet is actually pretty easy, right? And that's why we use cryptography. The assumption is that anybody is seeing your information go across the wire. So we've been encrypting our communications more and more. But for years now, governments around the world have been hoarding this information with the idea that sometime in the future, this encryption will be easy to break. 

Dave Bittner: Right. 

Joe Carrigan: Right? Either due to Moore's law or due to some revolutionary thing like quantum computing. And here we are. According to Pete, that will happen in the next 3 to 7 years. And all the information that has already been captured is just going to be decrypted. 

Dave Bittner: Yeah. 

Joe Carrigan: And relatively quickly, as well. There is something very interesting that came out. On July 5, NIST published an article that said they have announced four algorithms that are quantum-resistant. And they've been working on this for six years. So NIST has been out in front of this, which is great. I have a link. Can we put that in the show notes? 

Dave Bittner: Sure. 

Joe Carrigan: OK. So it's - there's a link to the NIST article at NIST.gov about the four articles that are quantum-resistant. So that's great news. If you're responsible for maintaining infrastructure at your company, this needs to be something that you're working on now. This is something that has to be taken into consideration now and needs to be brought to the forefront of what's going on. Because soon this - all these communications will be vulnerable to cryptographic attacks or to quantum attacks on the cryptography. And your algorithms that you use to protect your communication with your customers need to be protected against that. 

Dave Bittner: Yeah. I mean, isn't it going to take sort of widespread adoption in things like our browsers to really... 

Joe Carrigan: Yeah, it is. 

Dave Bittner: ...Make a difference? 

Joe Carrigan: They're going to have to be rolled out into browsers, going to be rolled out into web servers. 

Dave Bittner: Yeah. 

Joe Carrigan: I think that these algorithms are pretty modular. So I don't know that that's a big problem. 

Dave Bittner: Right. 

Joe Carrigan: It just needs to be done. 

Dave Bittner: Yeah. 

Joe Carrigan: It needs to be done. 

Dave Bittner: Well, I'm sure we'll get on top of it in the same way that we did with Y2K. 

Joe Carrigan: Right, so. 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm not optimistic about this one, Dave. 

Dave Bittner: (Laughter) Yeah. Yeah. And with good reason. 

Joe Carrigan: Yeah. 

Dave Bittner: With good reason. All right. Well, our thanks to Pete Ford for joining us again. He's from QuSecure, and we appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The Hacking Humans Podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.