The Security Ledger Podcasts show


Summary: Named one of the world’s top information security podcasts, The Security Ledger Podcast offers in-depth interviews with the top minds in information (cyber) security. Hosted by Paul Roberts, Editor in Chief of The Security Ledger, each podcast is a conversation about the cyber security stories making headlines and about the most important trends in the information security space, including security and the Internet of Things, the latest cyber threats facing organizations and new paradigms for securing data and devices. A must-listen if “cyber” is your thing!

  • Artist: The Security Ledger
  • Copyright: Copyright © Box Jump LLC, 2019. All Rights Reserved. No part of this may be reproduced without Box Jump LLC's express consent. Backlinks are allowed.

Podcasts:

 Podcast Episode 120: They Email Ballots, Don’t They? | File Type: audio/mpeg | Duration: 47:03

In this week’s episode (#120): more than 100,000 U.S. voters submitted their ballots in the last presidential election, in 2016, via email. Despite that, hardly any attention has been paid to the security of the email and online voting systems used by 32 states. Also: anxiety about hacking of the midterm elections put the spotlight on state IT systems – particularly Secretary of State offices. But what is the state of state security? We’ll speak with Srini Subramanian of Deloitte about that company’s latest survey of state CISOs!

Vote by email? What a great idea!

It might be the election insecurity scandal you never heard of. In 2016, more than 100,000 voters across the globe, many of them U.S. service members, voted in federal, state and local elections by email or using an online voting portal. If emailing a ballot to a random address sounds like a sketchy way to vote, that’s because it is. Online voting options in 32 states have been subject to hardly any scrutiny by computer security experts or regulators, despite warnings about the inherent risks of such systems. See also: As Election Threats Mount, Voting Machine Hacks are a Distraction. In our first segment of the podcast, we’re joined by Jeremy Epstein of the Association for Computing Machinery (ACM), co-author of a recent report: Email and Internet Voting: The Overlooked Threat to Election Security. The report, produced by ACM, Common Cause, R Street and the National Election Defense Coalition, advises states that offer vote-by-email or online voting options to abandon them pending “a major technological breakthrough or fundamental change to the nature of the Internet.” The report also recommends a number of stop-gap security measures that can help limit the risk of voting by email – advice that Epstein likened to advising would-be drunk drivers to refrain from driving “really drunk.” “This is pervasive and a lot of it is quite risky,” he told me.
“The technologies being used are developed in most cases by private companies with no standards. And there’s no certification or validation by any meaningful organization.” State elections officials and Secretary of State offices often lack the cyber security expertise to push back on vendors and insist on better security. However, even if they did, it might not make a difference: the email system is inherently insecure. You might also listen to this podcast: Episode 96: State Elections Officials on Front Line against Russian Hackers. In this interview, Epstein tells us that experiments with email voting go back more than two decades – and that warnings about the security of such systems have gone right along with those experiments. Twenty years later, Epstein said, the fundamental risks haven’t changed, including malware, hacks of email voting systems, phishing and man-in-the-middle attacks.

The State of State Insecurity

The midterm elections shone the spotlight on the security (and insecurity) of state IT networks,

 Podcast Episode 119: EFF on Expanding Researchers Rights and AT&T talks IoT Security Fails | File Type: audio/mpeg | Duration: 36:29

In this episode of the podcast, #119: Electronic Frontier Foundation General Counsel Kurt Opsahl joins us to talk about the Coders’ Rights Project. Also: we speak with Senthil Ramakrishnan, a lead member of AT&T’s IoT Security group, about that company’s plans to work with Ericsson to certify the security of IoT devices.

Vulnerability Research is Not a Crime!

The Electronic Frontier Foundation earned its stripes in the 1990s at the vanguard of groups opposing the US government’s efforts to ban the export of strong encryption technology – the so-called Crypto Wars – and seeking to rein in the industry-friendly excesses of the DMCA, to protect the writing and sharing of computer code as an act of free expression protected under the US Constitution’s First Amendment. In the last decade, EFF has turned its attention to protecting the right of independent security researchers to plumb the workings of software and hardware and report what they’ve learned without fear of legal repercussions: the so-called “Coders’ Rights” project. Now the group is looking to expand its work throughout the Americas, drawing on rights recognized by the American Convention on Human Rights and on examples from North and South American jurisprudence. Read the EFF report “Protecting Security Researchers’ Rights in the Americas.” To find out more about what EFF is up to and where the rights of vulnerability researchers and security pros stand in this hemisphere, we invited Kurt Opsahl, the Deputy Executive Director and General Counsel at EFF, into the Security Ledger studios to talk about the Coders’ Rights Project and EFF’s new report, “Protecting Security Researchers’ Rights in the Americas.” I started by asking Kurt to talk about what the Coders’ Rights Project is all about.

Certification for IoT Endpoints?

The curious thing about Internet of Things security standards is how many of them there are – a dozen or more. It is a situation that defeats the idea of standards to begin with. In the end, the standard matters less than who or what is behind it. That’s why Security Ledger took note when Internet giant AT&T announced that it was partnering with the firm Ericsson to certify the security of IoT devices. AT&T’s clout as the network across which so much Internet of Things communication and data will travel gives it an outsize importance in determining what kinds and how much IoT endpoint security is needed. To understand AT&T’s thinking about how to secure IoT endpoints and IoT ecosystems, we invited Senthil Ramakrishnan of AT&T’s IoT security group to come in and talk to us. In this conversation, Senthil talks about some of the common security problems AT&T encounters with Internet-connected devices and how it is working to push better security practices on its customers. Senthil Ramakrishnan is an IoT Security Lead at AT&T. Securing IoT endpoints is an entirely different pr...

 Podcast Episode 118: White Hat Eye on the Gaming Guy | File Type: audio/mpeg | Duration: 51:57

In this week’s episode, #118: modern computer games are like mini economies, and that makes them a big target for hackers. We talk with four leading researchers from Bugcrowd about how even popular games fall down on security. Also: Srinivas Mukkamala, the CEO of RiskSense, on how artificial intelligence and risk-based approaches to securing election systems could pay off.

Bug Hunter Eye on the Gaming Guy

But first: the massively multiplayer online game Fortnite isn’t just the most popular thing in the under-15 set. It’s a massive money maker for its publisher Epic Games. For cyber criminals, it’s the gift that keeps on giving. Recent weeks have brought stories about malicious mobile downloads posing as Fortnite apps, while hackers have been fencing stolen Fortnite accounts on Instagram and in underground forums. The fact is: games are big business, and the most successful among them now resemble mini economies with marketplaces, buyers, sellers and a vast array of virtual goods worth billions of (real) dollars. That puts a premium on security for game software and infrastructure. But our guests this week say that – despite that – security is often an afterthought for game publishers under intense pressure to meet delivery dates for their creations. In our first segment we invited four top vulnerability researchers from the firm Bugcrowd in to talk about their work on games and gaming platforms. Jason Haddix is Bugcrowd’s VP of Trust and Security – this is his second time back in the SL studios. He’s joined by JP Villanueva, trust and security engineer, Dan Trauner, security engineer, and Adam David, software engineer at Bugcrowd. In this conversation, we talk about how popular games often fall down on security, what game makers can do to improve the security of their creations and how the best and most successful gamers might have second careers as bug hunters.

Election Security: It’s the Risk, Stupid!

Securing election systems is often presented as an intractable mess: a system so hopelessly flawed that middle schoolers can make short work of a sophisticated vote-counting console. But Srinivas Mukkamala, the CEO of RiskSense, notes that the US election system has a couple of things going for it. For one, it is distributed – run by states and localities. Second, the system is – mostly – offline. Both of those act as insulation against the worst possible hacking scenarios. “You can influence an election and create local biases, but you can’t change the election,” Mukkamala said. That doesn’t mean there’s no threat to election integrity, especially when you look at the influence of a few swing districts in predicting the outcome of the election, he told me. From an infrastructure standpoint, Mukkamala said that we’re in better shape than before, but that voter registration systems are an area of major concern. Rather than panic, however, he said that officials should take a risk-based approach to security. Elections, he notes, are the sum of multiple systems that manage the lifecycle of an election – from registration through to voting. AI and machine learning can be a big help: narrowing the scope of attention for officials to the most likely sources of compromise. In this interview, Srinivas and I talk about the state of play in the U.S. election system and what a risk-based approach to election and voting security may look like. Have a listen!

 Podcast Episode 117: Insurance Industry Confronts Silent Cyber Risk, Converged Threats | File Type: audio/mpeg | Duration: 32:26

In this episode of the podcast (#117), we go deep on one of the hottest sectors around: cyber insurance. In the first segment, we talk with Thomas Harvey of the firm RMS about the problem of “silent cyber” risk to insurers and how better modeling of cyber incidents is helping to address that threat. In part II, we invite Chip Block of the firm Evolver back into the studio to talk about the challenge that “converged” cyber-physical systems pose to insurance carriers as they try to wrap their arms around their exposure to cyber risk. Editor’s note: as an experiment this week, we’re posting each interview as a separate download, to see if that makes it easier for listeners to jump to the content they’re most interested in. Use the comments section or Twitter (@securityledger) to let us know what you think or whether you prefer the single download!

Part I: not ransom…ransomware!

You’re a mid-sized corporation with a few thousand employees and offices around the world. A million years ago, you purchased Kidnap and Ransom insurance (or K&R in insurance industry lingo). The idea was to protect your company in the event that one or more of your executives was kidnapped in some distant, shady location. Sure, that seemed like an unlikely (though not unprecedented) risk. But what the heck? The insurance was dirt cheap. Fast forward a decade. You’re still paying for your K&R, and now your company is facing a ransom demand…from faceless cyber criminals who have planted ransomware on your network, locking down key IT assets and data. The question your board and executives are asking is obvious: does that K&R insurance also cover the cost of paying ransom to free encrypted data from the grasp of cyber criminals? That question – and a thousand others like it – is one of the main questions for insurance carriers and their customers.
The so-called “Silent Cyber” risk – the degree to which existing insurance protections can be invoked to cover damages resulting from cyber incidents – is lurking on millions of policies. It was a major topic of conversation at the recent Cyber Risk Summit* in Santa Monica. [Check out: Report: Organizations say IoT devices pose ‘catastrophic risk’, then shrug] One way insurance companies are responding is by improving their modeling of cyber risk. How they’re doing that, and how the output of those risk models might affect the kinds of cyber insurance offered to companies, is an area of expertise for our first guest: Thomas Harvey, a senior Product Manager at RMS, whom I caught up with at the Cyber Risk Summit. In our first segment, we speak with Thomas about the fast-growing silent cyber risk problem and the equally fast-evolving cyber security marketplace. We look at how insurers are using data analysis and sophisticated modeling to better understand their exposure to cyber risk, including the risk posed by the Internet of Things.

Part II: Cyber-physical risk is real. Are insurers ready?

When a buffer overflow problem causes an infusion pump to malfunction, whose job is it to address the problem? Nurses and doctors don’t have the training to patch hardware. Hospital IT staff are overwhelmed and lack clinical training. Medical device manufacturers often take a hands-off approach to lifecycle management of their d...

 Spotlight Podcast: At 15 Cybersecurity Awareness Month Grows with Cyber Risk | File Type: audio/mpeg | Duration: 33:54

In this Spotlight Podcast, sponsored by RSA: October is Cybersecurity Awareness Month. But what does that mean in an era when concerns about cybersecurity permeate every facet of our personal and professional lives? Russ Schrader of the National Cybersecurity Alliance (NCSA) and Angel Grant of RSA* join us to discuss the history of Cybersecurity Awareness Month and how the event is changing to meet growing demand. October is Cybersecurity Awareness Month. And this year is a special occasion: a Quinceañera of sorts, recognizing 15 years since the first Cybersecurity Awareness Month in 2004. As my guests this week note: the focus and importance of Cybersecurity Awareness Month have changed a lot since the early 2000s. Back then, the biggest threats were nuisance attacks like NIMDA and SoBig. Cyber crime was more theory than reality. Today, destructive wiper attacks like NotPetya can cause billions of dollars in damages in a matter of minutes and cyber crime is a multi-billion dollar global industry. How have those changes affected the mission and purpose of NCSAM? And what does Cybersecurity Awareness Month mean in 2018 as opposed to 2003? To answer those questions we invited two experts into The Security Ledger studio to talk about the evolution of the event and of the cyber security industry itself: Russ Schrader is the Executive Director of the National Cybersecurity Alliance (NCSA) and Angel Grant is the Director, RSA Identity and RSA Fraud & Risk Intelligence. [See also: DHS announces New Cybersecurity Strategy]

The Computers in our Pockets

Russ noted that one of the biggest changes in the last 15 years was the arrival of powerful smart phones like the iPhone and Android, which consolidated a range of functions on a single, portable device: web, video, email and so on.
“In 2002 I had a phone, but I had a separate piece of plastic and metal that was a camera and another piece of plastic and metal that had my music on it.” Compared with today, those were sleepy times – when you might update your desktop antivirus weekly or even monthly, like changing the batteries in your TV remote, but not be overly concerned about debilitating cyber attacks or scams, Schrader noted. “People weren’t aware of the threat,” nor were the threats as closely interwoven with individuals’ lives as they are today, he said. Problems like cyber crime were predictable outgrowths of growing connectivity and convenience – from electronic banking to online retail, Angel Grant of RSA told me. [You might also be interested in: Podcast Episode 111: Click Here to Kill Everybody and CyberSN on Why Security Talent Walks]

Progress…at a price

“In the past there was a…lack of focus and awareness of the consequences of (going online) and the vulnerabilities that opened up with technology changes,” Grant told me. “We have now come to the realization with what that means with all the crime we’re seeing over the last 15 years,” she said. These days, cyber security is personal, Grant said: from corporate losses and fines to personal identity theft. It’s harder to believe “it won’t happen to me,” Grant argues. Also: corporate executives have had their consciousness raised – if for no other reason than that they’ve been witness to so much carnage. “The C-suite and board have opened up to the reality that (cyber) security is a business problem,

 Podcast Episode 116: Cryptojacking and MikroTik’s Bad-Feeling Feel Good Patch Story | File Type: audio/mpeg | Duration: 22:34

In this week’s episode (#116): we speak to noted researcher Troy Mursch (@bad_packets) of the Bad Packets Report about the recent surge in crypto-jacking malware attacks. Troy and I talk about how a months-old security hole in RouterOS, the software that runs on routers made by the firm MikroTik, has helped fuel the surge in crypto-jacking attacks.

MikroTik’s bad-feeling feel good patch story

When researchers at the firm Tenable first presented evidence of a number of serious router security flaws to the Latvian firm MikroTik in April 2018, the firm’s response was uncharacteristically awesome. In contrast to the response of many hardware makers, MikroTik acted promptly on the news and issued patches within months – in August 2018. It also issued stern advice to customers to apply the fixes immediately. But in the months since the patches were released, MikroTik has become the feel-good patching story that feels pretty bad. We now know that the vast majority of MikroTik’s thousands of customers – most of them carriers and telecommunications firms – simply failed to apply the patches. Cyber criminals were not forgiving. Even before a patch was available, hundreds of thousands of the company’s devices were being targeted by attacks exploiting the vulnerabilities. For those that were compromised, the attackers modified a proxy service on the routers to inject crypto-mining code onto the computers of anyone who used the infected router to connect to the Web. Check out: North Korea’s Lazarus Tied to Cryptojacking Campaign Targeting MacOS. MikroTik routers were also targeted by the Russian advanced persistent threat actor known as “Fancy Bear,” which targeted MikroTik devices using default credentials – the standard usernames and passwords enabled on the device out of the box – and as-yet-unknown vulnerabilities to load VPNFilter, a malicious software program, on the devices.
Last week, more than two months after the MikroTik patch was released, Tenable published the results of its research as well as new tools for analyzing the RouterOS software.

Long Tail Wagging the Dog

How did vulnerable, carrier-grade routers end up enlisted in a crypto-jacking campaign? And what do the attacks on the MikroTik routers mean for overall Internet security? To find out, we invited security researcher Troy Mursch of the consulting firm Bad Packets into the studio. Troy is an expert on crypto-jacking malware and has studied the growth of crypto-jacking campaigns that are using vulnerable MikroTik routers. You might also be interested in: Kaspersky Deems Crypto-jacking the New Ransomware as Crypto-miners up Their Game. Mursch told us that MikroTik is part of a bigger problem: the failure of infrastructure owners to take appropriate action to address serious security holes in products. That’s especially true of MikroTik, whose user base is large and diverse, with thousands of customers owning low concentrations of MikroTik gear. Also,

 Podcast Episode 115: Joe Grand on Unicorn Spotting and Bloomberg’s Supply Chain Story | File Type: audio/mpeg | Duration: 35:36

In this week’s episode (#115): noted hardware enthusiast and hacker Joe Grand (aka “Kingpin”) told reporters from Bloomberg that finding an in-the-wild supply chain hack implanting malicious hardware on motherboards was akin to witnessing “a unicorn jumping over a rainbow.” They went with their story about just such an attack anyway. Joe joins us in the Security Ledger studios to talk about whether Bloomberg got it right. Also, Adam Meyers of Crowdstrike comes into the studio to talk about the U.S. Department of Justice indictment of seven Russian nationals. Adam talks about the hacks behind the charges and what comes next.

News Flash: Unicorn Jumps Over Rainbow

Joe Grand (@joegrand) is one of the most noted experts on the security of computer hardware. His work dates back to the mid-1990s, when Grand (aka “Kingpin”) was a member of the Boston-based hacking collective L0pht Heavy Industries. That reputation is probably why Grand was among the experts that two reporters from Bloomberg, Jordan Robertson and Michael Riley, reached out to almost two years ago as they chased down a blockbuster story about a sophisticated campaign by China’s military to place compromised hardware directly on motherboards made by the U.S. firm Super Micro, a supplier to the U.S. military and intelligence sector, not to mention the likes of Amazon and Apple. Grand described for them the advantages of planting malicious hardware directly on motherboards – the difficulty in detecting such implants, the near-permanent access they afford to attackers skilled enough to place one. But such attacks were beyond rare – more in the realm of the mythical.
Absent any knowledge of what the reporters had uncovered, and stretching for a way to explain how rare and elusive such implants were, Grand told the reporters that “having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.” [See also: Spotlight Podcast: Flashpoint’s Allison Nixon on SIM Swapping and the Looming Online Identity Crisis] Fast forward more than 18 months, and the work of those two reporters, including Grand’s “unicorn” quote, finally hit the newsstands, dominating conversation in both the technology and mainstream media for much of last week. It has also generated lots of controversy and open questions about whether Robertson and Riley got it right. In the days since the story ran, both Apple and Amazon – not to mention Super Micro – have issued categorical denials of the facts presented by Bloomberg. Both Apple and Amazon describe multiple internal investigations that failed to turn up evidence of a compromise, and subsequent conversations with incredulous Bloomberg reporters to refute the allegations. [See also: Podcast Episode 92: Uncle Sam Ices Tech Acquisitions and RSA Conference 2018] Where does that leave us? To answer that question, we invited Joe into the Security Ledger studios. He is the founder of Grand Idea Studio, a San Francisco-based research and development firm, and a noted expert on hardware-based vulnerabilities. In this interview, Grand says he counts himself as a skeptic on the substance of the Bloomberg report. While hardware implants – done well – may be impossible to spot in a physical inspection of compromised devices, that doesn’t mean they stay hidden.

 Episode 114: Complexity at Root of Facebook Breach and LoJax is a RAT You Can’t Kill | File Type: audio/mpeg | Duration: 29:33

In this week’s podcast: Facebook revealed that a breach affected 50 million accounts and as many as 90 million users. Is complexity at the root of the social media giant’s troubles? We speak with Gary McGraw of the firm Synopsys about it. Also: BIOS-based malware has been demonstrated at security conferences for years. Last week, the security firm ESET warned that it identified a sample in the wild. Even worse: the Russian hacking group Fancy Bear was believed to be responsible. We’ll talk to firmware security expert Giovanni Vigna of the firm Lastline about the truth and hype around LoJax and other firmware-based attacks. The movie The Social Network brought the heady tale of Facebook’s founding to the big screen, including dramatic scenes like the famed “coding shots party,” where contestants competed for a position as interns on Facebook’s development team. If that scene gives you pause, as a Facebook user, about the quality of some of the social network’s underlying code, nobody will blame you.

Facebook’s Biggest Adversary: Complexity

But today, more than 10 years later, Facebook sports a $469 billion market capitalization and 2.23 billion monthly active users. More importantly: the company can afford, and has built, one of the top security teams in Silicon Valley. And yet, last week saw Facebook doing a forced log-out of some 50 million users following a security breach that allowed unnamed attackers to steal session tokens that let them take over Facebook users’ accounts. [See also: Veeam Mishandles Own Data, Exposes 440M Customer E-mails] How did one of the software industry’s best security teams miss a hole large enough to expose tens of millions of accounts? Our first guest in this week’s podcast, Gary McGraw of the firm Synopsys, says that whopping security holes like this one may be inevitable: a byproduct of the frothy web application development space that has prioritized rapid and agile development and DevOps at the cost of thoughtful planning and design.
In this conversation, Gary and I talk about the Facebook breach and why others like it may be lurking out there on fast-growing web-based platforms.

LoJax: the RAT You Can’t Kill

Malicious software like remote access tools and ransomware can be very challenging to remove from infected systems. But when all else fails, the support desk is likely to tell you to just reinstall the operating system on the machine to get rid of what ails it. But what if even that step wasn’t enough? What if there was a piece of malicious software that could survive even that radical measure? The security firm ESET reported finding just such a beast last week: a rootkit dubbed LoJax that targets UEFI, the Unified Extensible Firmware Interface – software that operates at the lowest levels of modern computing devices, connecting operating systems to the firmware that runs the underlying hardware like hard drives, communications ports and network adapters. The malware, LoJax, is thought to be a tool of a Russian, state-sponsored hacking group known as Fancy Bear – and “yes,” that’s the same Fancy Bear that broke into the Hillary Clinton campaign back in 2016. What does the discovery mean for companies and individuals worried about persistent malware infections?

 Podcast Episode 113: SAP CSO Justin Somaini and Election Hacks – No Voting Machines Required! | File Type: audio/mpeg | Duration: 43:29

In this week’s podcast (#113): Everybody worries about hacked voting machines. But an exercise in Boston last week showed how hackers can compromise the vote without ever touching an election system. Also: October is just around the corner, and that means Cybersecurity Awareness Month is upon us. So what are top cyber security professionals “aware of” these days? We talk with Justin Somaini, the Chief Security Officer at SAP, to find out.

A Bad Day in Nolandia

It’s a bad election day in Nolandia, the fictional city in an unnamed “swing state.” A shadowy hacking group calling itself the “Broken Eagle Task Force” (or BETF) is protesting the ‘global order’ and looking to disrupt voting within the city’s environs. That’s the scenario of an exercise that took place high above Boston last week. The election hacking tabletop exercise, hosted by the firm Cybereason, pulled together city officials from the City of Boston, the City of Lowell, the Massachusetts State Police and the office of Massachusetts Governor Charlie Baker. There have been volumes written about the danger posed by hackers attacking voting machines and other election systems. But what if elections could be swayed by other means – without even touching voting equipment, vote tabulation systems or government networks? The point is that election hacking need not involve election systems, said Ross Rustici, the senior director of intelligence services at Cybereason, who designed the exercise. In our first segment, I was joined in the Security Ledger studio by Ross and Sam Curry, a Red Team member and Chief Product and Security Officer at Cybereason, to talk about the goals of the election hacking exercise and also what surprises the event held. I noted that disinformation was a big part of the Red Team’s arsenal, including the use of hoax emergencies – a gas leak, a bomb threat – to sow chaos.

SAP CSO Justin Somaini

October is Cybersecurity Awareness Month. For consumers, that means boning up on account security – maybe getting a password manager. But what if you’re the Chief Security Officer of a $128 billion global corporation? In our second segment of this week’s Security Ledger podcast we sat down with Justin Somaini to talk about what he’s making himself “aware of” this October. Somaini has the distinction of being the first CSO at Yahoo and also at Symantec. We talk about how even sophisticated tech firms can lose their way on security, and the challenge of being the first Chief Security Officer on the ground inside a large, sophisticated global technology firm.

 Podcast Episode 112: what it takes to be a top bug hunter | File Type: audio/mpeg | Duration: 39:54

In this week’s episode (#112): top bug hunters can earn more than $1 million a year from “bounties” paid for information on exploitable software holes in common platforms and applications. What does it take to be among the best? We talk with Jason Haddix of the firm Bugcrowd to find out. Also: The Internet Society’s Jeff Wilbur talks about the new #GetIoTSmart campaign to educate device makers and the public about Internet of Things security.

Will Hunt Bugs for Cash

As recently as 15 or 20 years ago, security researchers who discovered and reported vulnerabilities in common software like Windows did it mostly for kicks, status within their community or maybe as a high-minded gesture of public service. Today, the best bug hunters can make a million dollars a year or more from their discoveries. What has changed? For one thing: bug bounty programs, which started more than a decade ago and have sprouted like dandelions in the past 10 years. Working through bounty programs, companies like Microsoft, Apple, Google, Twitter and Facebook can direct six-figure payouts to researchers who uncover the most serious and exploitable holes. What does it take to be a great bug hunter? In our first segment, we invited Jason Haddix (@jhaddix), the Vice President of Trust and Security at bug bounty hosting platform Bugcrowd, into the Security Ledger Studios to talk about what’s happening on the bug bounty scene and whether – given the big pay days – bug hunting might be drawing more interest as a profession. Before he joined Bugcrowd, Haddix was a Bugcrowd customer: one of the site’s top-ranked bug hunters. In this interview he talks to us about the qualities that make someone a good bug hunter and the latest trends in bounty programs.

Get (IoT) Smart

As The Washington Post noted today: in California, a bill that sets cybersecurity standards for Web-connected devices – from thermostats to webcams to cars – cruised through the state legislature and is now awaiting Gov. Jerry Brown’s signature. The bill would make that state the first in the nation to pass legislation governing the security of the Internet of Things. Outside of the Golden State, however, progress towards IoT security standards has been slow. Part of the reason is the complexity of IoT ecosystems, which involve device manufacturers, software publishers, platform providers like Google and Microsoft as well as regulators and consumers. The other reason is that good information on IoT security is hard to come by. But a new program from The Internet Society is trying to bridge the information gap. GetIoTSmart aims to educate both device manufacturers and end users – businesses and consumers – about what makes an Internet of Things device secure, or insecure. [Read Security Ledger coverage of Internet of Things security standards here.] To talk about the new program, we invited Jeff Wilbur, the Director of The Online Trust Association, which is part of The Internet Society, into the studio to talk about how it is intended to work.

 Spotlight Podcast: Flashpoint’s Allison Nixon on SIM Swapping and the Looming Online Identity Crisis | File Type: audio/mpeg | Duration: 19:08

Your smart phone does double and triple duty: letting you do banking, buy a cup of coffee, board a plane or access a sensitive online account. But that doesn’t mean that your phone number is equally as trustworthy. In this Spotlight Podcast, we speak with Flashpoint* head of research Allison Nixon about how a recent rash of SIM swapping attacks highlights a looming crisis in online identity.

The risks of using phone numbers as a form of identity are on vivid display, amid reports of so-called “SIM swapping” attacks in which phone numbers are hijacked and transferred to devices controlled by a malicious actor. In August, for example, authorities in Santa Clara, California charged a 19-year-old area man in connection with SIM swapping schemes to steal large sums of bitcoin and other cryptocurrencies.

Phone numbers were never intended to be unique identifiers, Nixon told me. As a result, there’s very little inherent security in a phone number. For one thing, your number is either public or nearly so. Second, the protections for your phone number are baked into access control for web applications or rest with workers at cellular providers. The success of SIM swapping attacks has revealed that both mechanisms are vulnerable. Phone company workers might shrink from an irate customer and just decide to do what they say. Alternatively, the phone employee may be unreliable: working in cahoots with the attacker. “Any time you’re relying on humans to execute a security protocol, you’re going to get inconsistency and those inconsistencies can be exploited,” Nixon told me.

An Identity Hack

In this conversation, Nixon says that our habit of using phone numbers as a form of identity is really a shortcut or, as she calls it: “a hack” that only works if you take a lot of things for granted, without bothering to verify any of those assumptions. “It assumes that you’ve paid your phone bill every month; that you never change your phone number; that you have the same phone number for a long time and you are never going to get rid of it. It assumes that the phone number only serves one person.” Any of those assumptions – or all of them – could be proven false. And, when you broaden the scope of the inquiry beyond wealthy, Western nations to include developing countries, the problems grow, Nixon said. That isn’t to say that smart phones themselves aren’t useful forms of ID. Still, Nixon foresees big challenges with identity as Internet access extends to billions of people in developing nations.

Check out our entire conversation, where Allison talks about the ways that mobile phones are valuable as a means of identity and, also, what you should use as an alternative to phone-number-based security – such as SMS two-factor.

(*) This post is sponsored by Flashpoint, which is a supporter of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

 Podcast Episode 111: Click Here to Kill Everybody and CyberSN on Why Security Talent Walks | File Type: audio/mpeg | Duration: 59:10

In this week’s podcast (episode #111), sponsored by CyberSN: what happens when the Internet gets physical? Noted author and IBM security guru Bruce Schneier joins us to talk about his new book on Internet of Things risk: Click Here to Kill Everybody. Also: everyone knows that cyber security talent is hard to come by, and even harder to keep. But why does precious cyber talent walk? In our second segment, we’re joined by Deidre Diamond of cyber security placement firm CyberSN, who has all the answers.

“I don’t think this issue will end our society”

“I don’t think this issue will end our society.” Those were what counted as words of comfort by Bruce Schneier at the tail end of our recent discussion about his latest book, Click Here to Kill Everybody: Security and Survival in a Hyper Connected World. Still, it’s hard to see that statement as hyperbole. The subject of this latest book (Bruce’s 15th by my count) is cyber physical risk – or what happens when we connect all the stuff that populates our environment to the Internet.

This isn’t a new concern if you’ve been reading Security Ledger’s coverage of Internet of Things insecurity. In fact, our very earliest conceptions of malicious computer hacking, including the 1980s classic War Games, imagined the possibility that computer mischief could have real world consequences. (In the case of War Games, that was nuclear war.) Only today, 35 years after War Games’ release, are we on the precipice of an era in which cyber attacks with physical consequences are the rule, rather than the exception to the rule. That’s because the fast-growing Internet of Things is wiring the machines that populate our homes, businesses and communities to the global Internet. And that includes “stuff” like cars, hospitals, dams, power stations and water treatment plants. In other words: the very systems that protect our life and property are now vulnerable (at least in theory) to cyber predation.

The consequences of this shift are already manifest, even if they are yet to be fully comprehended. That fact prompted Bruce Schneier to write Click Here to Kill Everybody, in which he takes a deep dive into the security implications of the Internet becoming physical. The wiring of the physical world, which Schneier dubs the “Internet Plus,” is happening in almost every sector of the economy, he notes. With it, organizations are realizing huge productivity gains. But at the same time, security and physical risk is metastasizing in ways that, barring an intervention, could lead to a disaster. What’s needed, Schneier argues, is more government oversight of The Internet Plus in the name of public safety. [You might also like: FDA Medical Device Plan: a Baby Step in the Right Direction]

In this conversation with The Security Ledger, Schneier talks about the dangers that the IoT poses and why he thinks government oversight of the Internet of Things is inevitable. I started by asking Bruce to talk about the theme of his new book.

Got security talent? Fear the Holidays!

It is common knowledge that there aren’t enough information security professionals to fill all the cyber security jobs that our economy is...

 Podcast Episode 110: Why Patching Struts isn’t Enough and Hacking Electricity Demand with IoT? | File Type: audio/mpeg | Duration: 33:38

In this week’s episode (#110): the second major flaw in Apache Struts 2 in as many years has put the information security community on alert. But is this vulnerability as serious as the last, which resulted in the hack of the firm Equifax? We talk with an expert from the firm Synopsys. And: we’ve heard a lot about the risk of cyber attacks on the critical infrastructure used to generate and distribute electricity. But what would happen if someone figured out how to hack electricity demand? The Internet of Things just might make that possible. We talk to a Princeton University researcher behind a paper that discusses how even small changes in demand can have big consequences for the grid.

Struts 2: why this is bigger than a patch

Last week brought us news of yet another remotely exploitable vulnerability in Apache Struts 2, the open source framework that powers many modern web applications. This is the second major flaw in Struts 2 in as many years and has put the information security community on alert. A similar flaw in Struts in 2017 was weaponized by cybercriminals and used to hack into high profile organizations including Equifax. The alarm bells about another round of Struts-focused attacks rang louder over the weekend, after a proof of concept exploit for the hole was discovered on the open source code repository known as GitHub. But is the newly discovered vulnerability as serious as the 2017 flaw that led to the Equifax hack? The security community is of two minds about that.

To understand better what the latest Struts 2 vulnerability is all about, we invited Tim Mackey of Synopsys into the studio to talk about it. Tim is a technology evangelist in Synopsys Software Integrity Group and authored an excellent analysis of the latest Apache Struts vulnerabilities, which you can read here. In the first part of our podcast, Tim and I talk about what’s behind the latest vulnerability and why patching this hole is just the beginning of the work that application development shops need to do to harden their applications against attacks.

Hacking Electricity Demand with IoT

As smart homes and businesses take root, more and more power hungry appliances are being connected to the Internet. Already, products like air conditioners and HVAC systems, water heaters and kitchen appliances sport IP addresses and web-based interfaces that allow their owners to monitor and control them from a distance. But what if all those power-hungry devices could also be compromised and – like the hundreds of thousands of webcams and video recorders that made up the Mirai botnet – made to do the bidding of a malicious actor? [Also listen to: Podcast Episode 94: Black Report takes Hacker View and...

 Spotlight Podcast: Arctic Wolf on Nurturing Talent for the Evolved SOC | File Type: audio/mpeg | Duration: 25:17

In this Spotlight Podcast, sponsored by Arctic Wolf Networks: sessions at this month’s Black Hat Briefings on PTSD and substance abuse among security workers are proof that the high pressure, high stakes world of information security can take its toll. So what does it take to find, train and nurture information security pros? Sam McLane, the Chief Technology Services Officer at the firm Arctic Wolf Networks, joins us to talk about how his company holds on to top security talent.

It wasn’t so long ago that The Black Hat Briefings in Las Vegas were all about the hacks, the lulz and the 0days. But, slowly, that has changed. As cyber security has matured from a niche of the technology industry to a full-fledged, multi-billion-dollar industry, more and more attention is being paid to the challenges facing the industry itself: from worker shortages to racial and gender imbalances to the stress of front line cyber security jobs. That was the case at this year’s Black Hat Briefings and the DEF CON conference, where talks on problems such as PTSD and substance abuse among security practitioners were part of the agenda.

But with talent scarce and burnout commonplace, what is the best way to identify, train and cultivate security talent? What problems are front line cyber security professionals working in security operations centers being asked to handle? And how do modern day SOCs manage threats across both traditional IT environments and newer cloud-based deployments? To find out, we sat down on the sidelines of the recent Black Hat Briefings to chat with Sam McLane, the Chief Technology Services Officer at the firm Arctic Wolf Networks, which offers SOC as a Service. In this conversation, Sam and I discuss what it takes to develop top notch cyber talent, why the information security profession is so prone to burnout, and how employers can cultivate a work-life balance in what is a high stress career.

Sam said it can take 5 to 6 years of on the job experience to develop a top-notch security analyst – maybe more if employees are stuck in narrowly defined roles or don’t have the opportunity to broaden their skillset. “I think the training is getting better but it truly is what you’re exposed to,” McLane said. And, while it might be tempting to let your security pros work 60 hour weeks and burn the midnight oil, McLane said, that might not be the best approach in the long run. If top talent burns out and leaves the industry, companies are often left with “really smart people who have no practical experience.” The result, McLane said, is that “we’ll have to relive history.”

Check out our full conversation using the link above. You can also listen to our podcast over at Blubrry or on Soundcloud.

 Podcast Episode 109: What’s The US Freedom Army? Ask Russia. | File Type: audio/mpeg | Duration: 37:07

In this week’s episode of the Security Ledger Podcast (#109): what lurks in the dark recesses of online information operations? How about a secret “US Freedom Army” linked to Russia? Dave Aitel of Cyxtera joins us to talk about it. Also: hacking critical infrastructure isn’t just for nation states anymore. Cybereason joins us to talk about its recent report on cyber criminals hacking into industrial control systems.

Psst! Want to join the Freedom Army?

In the wake of the 2016 Presidential election, studying social media activity has gone from a niche obsession for a few social scientists to something akin to a national security priority. New analyses of the activity of twitter bots and networks of fake social media profiles now pop up frequently, and just as frequently garner mainstream media attention. But what is hiding out there among the online influence campaigns? You might be surprised, says Dave Aitel, the Chief Technical Security Officer of the Threat Management and Analytics Division of the firm Cyxtera. Dave recently completed an analysis of Twitter bot data. Among the revelations: many efforts to organize real world gatherings. Those include the “US Freedom Army,” a quasi-military organization promoted via Twitter and other social media to U.S. survivalist groups. [You might also be interested in: U.S. sanctions Russian companies, individuals over cyber attacks]

As frightening as that sounds, Aitel is skeptical of both social networks’ efforts to clamp down on bots and other false accounts and efforts to understand the scope of the online bot problem. Platforms like Twitter still have a financial incentive to keep bots and front accounts active. Until the economics of such networks change to penalize traffic from false and automated accounts, Aitel believes, it is unlikely we’ll see progress in reducing the number of bots. “In order to get rid of (information operations) we have to find a way to penalize Twitter for having bots, financially, because right now they’re incentivized to encourage bots,” – David Aitel, Cyxtera.

Aitel cautions the growing ranks of researchers trying to understand online influence campaigns. The sheer volume and diversity in online disinformation and influence campaigns make it easy to misunderstand the shape of online activities or, even worse, to engage in what Aitel described as “auto ethnography.” Check out our full conversation in this week’s podcast.

Critical infrastructure hacks: not just for nation states anymore

When the firm Cybereason set up a honeypot network designed to look just like a functioning industrial control system environment, they were expecting to attract a few flies. What they weren’t expecting was a swarm of online attackers, including one who managed to compromise the network and then offer it up for sale on a cyber criminal bulletin board. But Ross Rustici, Cybereason’s Senior Director of Intelligence Services, says that we shouldn’t be surprised that rank and file cyber criminals have taken an interest in critical infrastructure systems. [You might also like: FBI,
