Russian information operations, and lessons on election security from the Near Abroad. Magneto proof-of-concept exploit. Huawei, security, and bugs. Training AI. Labor market news.

Dave Bittner: [00:00:00] Hi, everybody, Dave here. Just a quick reminder that if you are only listening to the CyberWire podcast, there's more to the story. You should visit our website, and check out our CyberWire daily news brief. You can have it delivered to your email every day. Go to thecyberwire.com, and check it out there. It's our daily news brief. Take a look. Thanks.

Dave Bittner: [00:00:22] Huawei is on the U.S. Entity List, and U.S. exporters have been quick to notice. Security concerns are now expected to shift to the undersea cable market. Hacktivism seems to have gone into eclipse. The EU enacts a sanctions regime to deter election hacking. Facebook shutters inauthentic accounts targeting African politics. Salesforce is restoring service after an unhappy upgrade. The OGuser forum has been hacked. And don't worry about a hacker draft.

Dave Bittner: [00:00:58] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have log-in credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day. But without complete visibility inside your network, your investigation could take hours or even weeks. And that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning, and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at extrahop.com/cyber, or be the blue team in the interactive demo. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.

Dave Bittner: [00:01:54] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 20, 2019.

Dave Bittner: [00:02:02] Huawei is now on the U.S. Entity List, which means that U.S. companies will need a special license from the Bureau of Industry and Security to do business with them. Another of U.S. chip companies, including Qualcomm and Intel, have stopped deliveries of chips to Huawei. Huawei anticipated this rainy day, and the company has stockpiled a year's worth of U.S. goods necessary to sustain production.

Dave Bittner: [00:02:26] The stockpiling would make most sense if Huawei is betting that U.S. sanctions will be relatively short-lived, as they were in the case of ZTE's near-death experience in 2018, when the company was pulled back from the brink by a U.S. agreement to levy a big fine, extract some promises, and call it bygones. But it remains to be seen whether Huawei's tenure on the Entity List will be a short-term trade negotiation ploy or something more enduring.

Dave Bittner: [00:02:53] Equally or more serious consequences are expected from Google's weekend suspension of Huawei's Android license. Huawei immediately loses access to Android updates, and new versions of its devices will no longer have access to Gmail or the Play Store. The loss of these licenses will not be mitigated by stockpiling, and recall that the Android ecosystem is very important to Huawei.

Dave Bittner: [00:03:18] Huawei has been active in public, denouncing the sanctions as one would expect and arguing that the U.S. needs Huawei as much as Huawei needs the Americans. The company points out that it's a big customer of U.S. tech firms, including those that have just cut Shenzhen off.

Dave Bittner: [00:03:34] For all these difficulties, Huawei hasn't been idle in another market where it's likely to bang up against security issues. The company sees its near-term future in the undersea cable market, and it's either laying or upgrading some 100 such cables. It's worth noting that a proposed Huawei cable to the Solomon Islands brought the company into an early open conflict with Australia. Last June, it was decided that Huawei wouldn't get the business, and that was due to Australian objections and some Australian competition. It was that cable incident that stiffened the Australian government's security concerns about Huawei.

Dave Bittner: [00:04:12] Of the three traditional groupings of threat actors - criminals, hacktivists and nation states - one, hacktivists, seems to have gone into eclipse. IBM's X-Force looked at hacktivist actions that were credibly disclosed and publicly reported and in which, quote, "a specific group claimed responsibility for the incident and where there is quantifiable damage to the victim," end quote. They found a nearly 95% drop in such attacks since 2015. In fact, none have taken place in 2019.

Dave Bittner: [00:04:42] X-Force is inclined to think this is more quiescence than disappearance and that hacktivism could reappear under the right conditions. But there seems to be trends that make this unlikely. More effective law enforcement, the arrest of some hacktivist leaders and a lack of consensus about the causes hacktivists ought to take up are obstacles to a resurgence. The third observation is particularly interesting. Hacktivist groups tend to be both anarchic and governed by consensus, which creates a natural tension. As causes drift or expand, consensus tends to dissipate.

Dave Bittner: [00:05:18] The city of Baltimore continues to struggle through the ransomware infestation it sustained recently. The CyberWire's Tamika Smith has an update.

Tamika Smith: [00:05:26] Baltimore City government is the latest to be hit by a ransomware attack. They joined Atlanta, Orange County in North Carolina and Washington County in Pennsylvania among the municipalities to be hit in the past a year and a half, crippling phone systems, hospital records and any documents of value, all for mostly one cause - get paid. Roughly $3.6 million is what victims reported loss to the FBI last year. That tally was created by the Internet Crimes Complaint Center.

Adam Lawson: [00:05:57] So that's an interesting number. Ransomware, I think for any incident response company or threat research company or the FBI, it's a very difficult problem to scope.

Tamika Smith: [00:06:11] Special Agent Adam Lawson works with the FBI's Cyber Division in the Major Cyber Crimes Unit. He explains that the IC3 report only shows what is submitted to their center. He says they know that number is significantly higher.

Adam Lawson: [00:06:26] You know, that does not take into account loss of business, wages, file - files, getting new equipment. It doesn't take into account any third-party remediation services hired by a victim.

Tamika Smith: [00:06:43] Ransomware attacks are costly and cripple basic services. On WBAL's TV 11, Baltimore-area resident Daris Johnson and his family were preparing to celebrate the purchase of a new home - not any longer. Now all they can do is wait.

0:06:58:(SOUNDBITE OF WBAL BROADCAST)

Daris Johnson: [00:06:58] ...Our loan and getting our loan locked - our rate locked in. It's just so many things that are up in the air right now that we don't know what's going to happen with all of it.

Tamika Smith: [00:07:07] This time, local officials confirm the ransomware strain was RobinHood. Early reports say this is a dangerous new strain of Hidden Tear ransomware being sent by an unknown hacker collective. Attacks like the one on Baltimore City are growing increasingly common. FBI Special Agent Lawson says it's affecting the public and private sectors.

Adam Lawson: [00:07:26] Right now we're seeing a larger number of companies or city governments, municipalities, things like that - we're seeing larger numbers in that arena of victims. And we're also seeing higher ransom demands of those victims.

Tamika Smith: [00:07:46] After a ransomware attack, it could take weeks or months to rebuild a system. Ben Yelin, who is a regular on the CyberWire, says prevention needs to be the first step.

Ben Yelin: [00:07:55] First off all, I should say that most of the work in preventing damage from a ransomware attack, unfortunately for Baltimore City, comes before the attack hits. And that's having continuity of operations plans so that you know exactly how you can resume your essential functions.

Tamika Smith: [00:08:12] He's a senior law and policy analyst at the University of Maryland for health and homeland security. He says prevention can be creative, too.

Ben Yelin: [00:08:20] If the absolute worst comes to pass, in that you have a crippling ransomware attack where the network goes down for an extended period of time, you even have a plan to devolve some of your agency's functions to another institution.

Tamika Smith: [00:08:33] Baltimore officials and the FBI are being cautious about how they're working to resolve this ransomware attack. One thing remains clear. They have a choice to make - pay the ransom, or restore the systems from a backup or from scratch. In the meantime, pressure is mounting for residents like Daris Johnson and his family, who depend on the city services.

Tamika Smith: [00:08:53] This is becoming a new reality for cities and municipalities around the country. They're bracing themselves for a cyberwar against the New Age criminal - technologically savvy and boundaryless. For the CyberWire, I'm Tamika Smith.

Dave Bittner: [00:09:09] And joining me now in studio is Tamika Smith. Tamika, welcome, and - so bring us up to date. First of all, how long has Baltimore been dealing with this ransomware attack?

Tamika Smith: [00:09:19] May 7 is the first day that officials basically came out and said they were going to shut down the services. And this word came from Mayor Bernard Young.

Dave Bittner: [00:09:29] And so where do things stand now? What's up and running, and what's not?

Tamika Smith: [00:09:33] Now, here's what's interesting. Many of the services were impacted, including real estate services, health care services and even something as small as being able to pay a water bill. As of right now, the city is being able to do limited services when it comes to real estate. And the real estate industry is helping along with this push. Right now anyone buying a home in Baltimore can obtain certificates showing that there are no liens on properties so that they would be able to get insurance on their homes.

Dave Bittner: [00:10:03] Now, Baltimore has been keeping information pretty close to the vest throughout this. Have they opened up any? Any word on how they're planning on dealing with this? Are they going to pay the ransom? Are they restoring from backups? Anything coming out of the city?

Tamika Smith: [00:10:16] During the weekend, there was some word that the mayor may be buckling down a little bit to pay the ransom, but nothing official. As of right now, the FBI is mum on how they want to move forward, and that's totally understandable.

Dave Bittner: [00:10:30] All right. Tamika Smith, thanks for joining us.

Dave Bittner: [00:10:33] At the end of last week, the European Union enacted a sweeping sanctions regime that it hopes will impose serious and swift consequences on organizations or individuals found responsible for cyberattacks against the EU and its allies. The penalties are principally travel bans and asset freezes. The EU hopes the measure will have some deterrent effect against any who would interfere with this week's elections, which conclude this Sunday.

Dave Bittner: [00:10:59] Facebook has shut down accounts allegedly run by Israeli political marketing firm Archimedes Group for coordinated inauthenticity. A total of 65 Facebook accounts, 161 pages, 23 groups, 12 events and four Instagram accounts were closed. The operation has apparently been going on for some time beneath whatever radar is being used in Menlo Park. Facebook says more than $800,000 has been spent on advertising associated with these accounts since 2012. That's about $114,000 a year, since we have a calculator and you might not, especially if you're listening while you're driving.

Dave Bittner: [00:11:37] Targets were in various African nations, and the goal was evidently political manipulation. A number of the pages taken down supported or denigrated particular candidates and parties, misrepresented themselves as new organizations or posted material claiming to have leaked from various political actors. The Archimedes Group seems to be a hired gun in all of this. The inauthenticity was detected in the usual ways - implausible geolocation, linguistic goofs and so on.

Dave Bittner: [00:12:07] A script error in Salesforce's Pardot service affected customers beginning Friday. Service is currently under restoration. An upgrade changed Salesforce's production environment in such a fashion to break permission settings in customer accounts. So, for example, any employee in a given company might have both read and write access to documents the company did not intend for such wide distribution.

Dave Bittner: [00:12:33] OGusers, a popular forum that, despite its bland self-description, traded digital contraband, was hacked by other criminals. The data taken are said to include usernames, MD5-hashed passwords, emails, IP addresses, source code, website data and private messages. How does the site describe itself? As a community-driven online marketplace forum of virtual goods. We host a marketplace for OG gamer-tags, Instagram accounts, Kik and much more. That's how they wrote it.

Dave Bittner: [00:13:04] A lot of the community's drivers would appear to be gamers and low-level skids out for a quick buck and some virtual street cred. KrebsOnSecurity describes them simply as an account hijacking forum.

Dave Bittner: [00:13:17] Scare headlines in CSO and elsewhere suggest that the U.S. Selective Service System - that is, the draft, gone since 1973 - might someday return. One presumed goal of a revived draft would be to enable the U.S. military to conscript hackers. But hackers, we wouldn't sweat this one. The Orioles are likely to contend for a pennant this year than you are to receive greetings from the president.

Dave Bittner: [00:13:41] Cyber services are the sort of thing that the government contracts for. And anyway, think about it. It's relatively easy for a sergeant to keep an eye on three or so unwilling conscripts to make sure they don't foul up while they're cleaning the grease trap at the mess hall. Keeping an eye on the sort of creative incompetence a disaffected coder might bring is another matter altogether.

Dave Bittner: [00:14:03] But if you've decided you really must devote worry to this because you've decided to overlook more probable disasters, like contracting cobalt beer syndrome at Granny's Fourth of July picnic, or an asteroid strike, or being selected by the grey aliens for your superior genetic potential - or you're simply a Country Joe and the Fish reenactor or a member of an Arlo Guthrie cover band - and we understand there are a lot of you out there - why, then, book your ticket to Canada before it's too late. Just make sure the expiration date is something around the end of the 22nd century.

Dave Bittner: [00:14:41] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:15:54] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland. He's also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an article come by from The Record, and this was about researchers at University of Waterloo who are working on an app that would help protect people's privacy at the border. What are they working on here?

Jonathan Katz: [00:16:16] Well, people are concerned about reporters or other people who may have important files on their laptop or on their phones that they don't want other people to gain access to, including border security officials. And of course, you can try to encrypt the data on your laptop or on your phone. But then there's the concern that when you're stopped at the border and they identify these encrypted files on your device, they may ask you for the password or the key that's needed to unlock

David Bittner: [00:00:04:01] Ukraine prepares for elections this weekend and they'll be held in the midst of intense Russian information operations. Estonia's experience with such interference may hold lessons. A Magneto vulnerability, just patched, could compromise paycards on e-commerce sites. Huawei reports record profits and comes in for sharp British criticism over slipshod engineering. Prisoners in Finland will be helping train AI. I chat with Lorrie Cranor, she's Director of Carnegie Mellon University's sci-lab security and privacy institute. And, security companies hungry for talent should take note of tech lay offs in the larger IT sector.

David Bittner: [00:00:47:21] Now, a moment to tell you about our sponsor, ThreatConnect, designed by analysts, but built for the entire team. ThreatConnect's intelligence drive security operations platform is the only solution available today with intelligence, automation, analytics and work flows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, drive by work flows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, SOAR Platforms, everything you need to know about security, orchestration, automation and response. The book talks about intelligence driven orchestration, decreasing time to response and remediation with SOAR, and ends with a checklist for a complete SOAR solution. Download it at Threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

David Bittner: [00:01:58:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, March 29th, 2019. Happy Friday everybody.

David Bittner: [00:02:07:18] The first round of Ukraine's presidential election will be held this weekend with a run off, should one prove necessary, scheduled for April 21st. Ukrainian elections have been subject to Russian influence operations for years, most notably in 2014, and direct hacking has also been a matter of concern. The Ukrainian election task force and monitoring group seems cautiously optimistic that the vote will go off as planned and will result in a credible outcome. The task force notes that unlike some other neighboring countries they might mention, voting in Ukraine actually matters. They also note that Russian influence campaigns have been focused on the election for some time, Moscow's general line has been that Ukraine is a violent, dangerous, radicalized place where groups of government inspired thugs, bandits, will beat you, assault your wives and daughters and burn down your house, should you show up at the polls with the wrong candidates in mind. But, such is the actual commentary from Russian government controlled television shows on Russia One TV. The Russian radio and television are widely consumed in Ukraine, where most speak Russian, and where the closely related languages are, for the most part, mutually intelligible anyway.

David Bittner: [00:03:24:12] Russian information operators have been active online as well. According to the New York Times, one new tactic, designed to circumvent social network's efforts to call inauthentic accounts, has involved paying Ukrainian citizens to allow Moscow's trolls access to their legitimate Facebook accounts.

David Bittner: [00:03:42:15] The Estonian experience with Russian attempts to meddle in elections is being cited as an example by stories published in Quartz and elsewhere. The Estonian response has been complex, but, in outline, it involved wider adoption of technical defenses against hacking, assistance to political parties and candidates with network and account security, anti-bot sweeps and, finally, public education in media literacy designed to induce skepticism and resistance in the face of disinformation.

David Bittner: [00:04:13:11] Security firm, Sucuri, has a proof of concept exploit for an SQL-injection vulnerability in the core of the widely used Magneto e-commerce platform. They disclosed it privately to Magneto, which has prepared a patch. Access can be gained without the need for authentication, the researchers say, the risk to consumers is card-skimming, as Ars Technica points out, the vulnerability is so potentially lucrative that criminals can be expected to exploit it in the wild as soon as they have the means to do so. About 300,000 e-commerce sites use Magneto and all users are advised to apply the fix Magneto has issued.

David Bittner: [00:04:53:10] ZDNet reported earlier this week that some criminals were apparently using a weakness in the PayPal Payflo Pro integration with Magneto to test stolen cards for validity. Much pay card data traded in the criminal markets are unsurprisingly outdated or simply hoaxed up so the hoods will do a bit of testing. Magneto urges businesses to upgrade, lest they lose their PayPal access.

David Bittner: [00:05:19:24] Huawei, bellwether of China's tech sector, continues to receive a mixed reception abroad. The company is defending its security record as it reports annual sales of $100 billion. The EU has finessed security concerns about the company's participation in 5G networks. Australia and the US are unrepentant in their wish to keep Huawei out of their own networks, and the UK has harshly criticized the company's failure to remediate security issues. The Register characterizes Huawei's efforts to address known router vulnerabilities as "half-arsed", this is an industry term should you be unfamiliar with it, it means roughly poorly prepared and badly executed and it often connotes both indifference and lack of effort. WIRED expressed the current mood about risk surrounding the company's products as a feeling that it's not the back doors but the bugs that matter. We heard similar sentiments expressed last week at the Three Seas focused CYBERSEC DC conference last week.

David Bittner: [00:06:20:24] And, finally, correctional authorities in Finland have an idea for training artificial intelligence, have prisoners answer questions and use their answers to make the AI smarter. The country's Criminal Sanctions Agency has contracted with AI firm, Vainu, to provide the inmates' labor to the project. It's seen as a win-win-win, the jailers keep their charges busily on the road to rehabilitation, the prisoners get learning and self-improvement, and the machines get smarter. Or at least, street smarter.

David Bittner: [00:06:52:09] It's an alternative to the manufacture of automobile license plates that former guests of the governors tell us is the traditional occupation given to those whom the courts have offered a period of reflection, but a lot of other stuff has been made in prisons too, packaging for various consumer products, processed meat, belts and handcuff cases for police forces, even, for a time in the 1990's, lingerie.

David Bittner: [00:07:16:13] Our corrections desk tells us they once knew a guy who taught a university extension course in ethics to a student body composed of long-term residents of a Midwestern penitentiary, his account of class discussions and consultations during office hours suggests that some of the models the AI will receive may be, shall we say, unrepresentative of the norms of natural intelligence.

David Bittner: [00:07:39:20] Anyhow, the folks doing a nickel or so in Helsinki will look at the Internet and answer questions like, "does this article talk about a business acquisition?" The same question would be posed to a large number of inmates and their answers in the aggregate will be used to converge on a right answer to help train the artificial intelligence to do a better approximation of natural intelligence. We might suggest other questions perhaps suited to areas of local expertise, because, after all, learning is learning. Consider: "Is this guy an undercover narc?" "Does Charlie have a shank on him?" "Is baloney on the menu today?"

David Bittner: [00:08:17:11] We note that the sample question is basically a true-false one with a binary solution set. Could AI also be trained using more complicated multiple-choice questions? Perhaps even nested sequential questions. Consider "Is this a convenience store?" "If it is a convenience store, that's a place where you can, a, buy smokes, b, shoplift smokes, c, jackpot the ATM, d, all of the above." Stuff like that.

David Bittner: [00:08:45:14] If we may end on a more serious note, we've seen stories this week about layoffs on both US coats, Salesforce, Oracle and PayPal are all downsizing their workforces. A lot of people with transferable skills are going to be searching for work, and the security industry around both San Jose and Baltimore might do well to give them a look.

David Bittner: [00:09:10:20] And now a word from our sponsor, KnowBe4. E-mail is still the number one attack vector the bad guys use, with a whopping 91% of cyber attacks beginning with phishing, but, e-mail hacking is much more than phishing and launching malware, find out how to protect your organization with an on demand webinar by Roger A. Grimes, KnowBe4's data driven defense evangelist. Roger walks you through ten incredible ways you can be hacked by e-mail and how to stop the bad guys, and he also shares a hacking demo by KnowBe4's Chief Hacking Officer, Kevin Mitnick. So, check out the ten incredible ways, including how silent malware launch, remote password hash capture and rogue rules work. Why rogue documents establishing fake relationships and compromising a user's ethics are so effective. Details behind click jacking and web beacons, and how to defend against all of these. Go to knowbe.com/10waystowatchthewebinar. That's knowbe4.com/10ways, and we thank KnowBe4 for sponsoring our show.

David Bittner: [00:10:30:14] And I'm pleased to be joined once again by Ben Yelin, he's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, it's always great to have you back. I saw an interesting story from Columbia Journalism Review, and this is about law enforcement organizations using encryption on their radio communications, and some folks are not very pleased with that. What's going on here?

Ben Yelin: [00:10:55:22] Yeah, so, Dave, you and I are located in a pretty high crime city, unfortunately, in Baltimore, and the way most reporters in Baltimore get news of impending crimes or crimes already in progress is by listening to police radio, the police scanner. This is a free, open source for most of our police departments, generally you can access it online or through various apps, and it's a key tool for journalists because, you know, if they are listening to the scanner they'll hear about the initial response to an incident, and they themselves can get out to provide transparency as to exactly what's happening. What we see now, and what's mentioned in this article, is that a bunch of different law enforcement agencies across the country, this was an article about law enforcement agencies in Colorado, are encrypting those radio communications, so, that means journalists cannot access them. Now, there are legitimate reasons to want to encrypt these communications, it could provide a tactical advantage for officers to not have the public be able to figure out where certain police officers are going to be deployed, I think that is a very legitimate concern, but there is a first amendment problem as well, journalists aren't able to provide transparency, accurately cover crimes and other police involved activity, if they're not able to access these scanners. So, I think it's a problem that's going to present itself increasingly, as more police departments use this encryption device. I mean, from their perspective you can certainly understand why they'd want to keep these communications private, unavailable to the public, especially if criminals themselves are reacting to what they hear on police scanners. But, it would be a major blow to journalism and to transparency to have this tool removed.

David Bittner: [00:12:51:21] Yes, I think it's interesting too, because one of the aspects that they point out here is the privacy of victims of crimes, who very often will have their names and personal information read out over these radios, by necessity, for the police or first responders, so there's that privacy component of it as well.

Ben Yelin: [00:13:12:06] Yes, and certainly that's a very compelling privacy interest, I think it's incumbent upon media organizations to work directly with police departments so that they can monitor the scanners and have informal, or formal, agreements in place not to release personal information. And, just anecdotally, I mean, I follow a lot of different crime reporters here in Baltimore, all of them seem very responsible about not revealing the identity of victims or perpetrators, and, being somewhat circumspect about identifying location and not asserting something as true without it being confirmed by a source beyond the police scanner. And, I think there's generally a good practice among larger, mainstream media outlets to treat the police scanner as sort of a rough sketch of what's happening, there are a lot of false reports, there are a lot of false leads, so I think the future solution to this problem is to have journalists work closely with the police departments to protect that personal information while still giving them access to real time crime updates, to make sure that the public is properly made aware of what's going on in their community. And, as an extension, I think it is potentially dangerous to permanently encrypt those communications as a matter of policy, because that's a drastic solution to this problem of revealing individual private information.

David Bittner: [00:14:41:08] Is there any legislation that there's swings either way on this, either requiring that law enforcement agencies keep these communications in the clear, or specifically allowing them to encrypt?

Ben Yelin: [00:14:53:20] The one piece of legislation that is cited is just a proposed piece of legislation, that is by a representative in the state of Colorado, a republican representative was introduced a house bill to prohibit law enforcement agencies from using encryption, he says that the use of encryption should not be ritualistic, but should be only used in extraordinary circumstances, so far that bill has not been enacted, that legislator proposed it in the last session of the Colorado State Legislation, it was bottled up in committee, you know, and I think there is a tendency to give deference to law enforcement, particularly when it comes to these tactical issues, and I think obviously they have a large sway over state legislators. You know, I don't see a quick legislative fix to this issue of encrypting police radio communications.

David Bittner: [00:15:43:22] Alright, well it's one we'll keep an eye on. Ben Yelin, thanks for joining us.

Ben Yelin: [00:15:49:08] Thank you.

David Bittner: [00:15:54:06] Now it's time for a few words from our sponsor, Blackberry Cylance, they're the people who protect our own end points here at the CyberWire and you might consider seeing what Blackberry Cylance can do for you. You probably know all about legacy anti-virus protection, it's very good as far as it goes, but, you know what? The bad guys know all about it too. It will stop the skids, but, to keep the savvier hoods hands off your end points, Blackberry Cylance thinks you need something better. Check out the latest version of Cylance Optics, it turns every end point into its own security operations center. Cylance Optics deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, Cylance Optics can help. Visit cylance.com to learn more, and we thank Blackberry Cylance for sponsoring our show.

David Bittner: [00:17:00:22] My guest today is Lorrie Cranor, she's a professor at Carnegie Mellon University in computer science and engineering and public policy, and director of their CyLab security and privacy institute. Earlier in her career she served as Chief Technologist at the US Federal Trade Commission, was co-founder of Wombat Security, and served on the board of directors for the Electronic Frontier Foundation. She joined us from Carnegie Mellon in Pittsburgh.

Lorrie Cranor: [00:17:27:06] We have lots of security and privacy work across departments and, you know, each department runs its own programs, hires its own faculty, but we formed CyLab because we wanted to have a way of coordinating all these efforts in bringing people together to collaborate, and so, through CyLab, we're able to coordinate, we also have some larger collaborative research efforts that involved people across multiple departments, and we have some collaborative space, and so we have people all sitting together from engineering and computer science, all sitting side by side in the CyLab space.

David Bittner: [00:18:04:21] And so, what's the focus on security and privacy? Why is that an important area for Carnegie Mellon to make this sort of investment?

Lorrie Cranor: [00:18:13:16] Well, security and privacy are increasingly important to us, more and more things go online and our world is increasingly digital. Protecting security is critical for our infrastructure, for everything. Privacy is also something which I think has become increasingly important, both because there are more privacy threats out there now, but also there's more privacy regulation, and it needs to comply with privacy laws. And so, there is a lot of research needed into what are the best ways to protect security and privacy. So, this is a really important area for research. There's also a big need to hire people in these areas, and so, Carnegie Mellon is doing our best to produce lots of excellently qualified graduates, who can go out into the security and privacy workforce.

David Bittner: [00:19:13:09] Yes, and it's my understanding that a particular area of success for Carnegie Mellon has been encouraging women and minorities, people of color, to participate in the program, so you've seen some numbers that you can be proud of.

Lorrie Cranor: [00:19:29:21] Yes, we've been working really hard to improve the diversity of our computer science and engineering programs, more generally, as well as in the security and privacy area. So, our undergraduate computer science program is now 50-50 women and men, which is really amazing and has come a long way.

David Bittner: [00:19:51:10] And so, what's your take on the notion that we have this shortage of qualified people in the security industry?

Lorrie Cranor: [00:20:00:04] So, it seems that we do need to educate more people in this area, and the number of women and minorities in the security area is just ridiculously low, I mean, it's much lower than computer science in general. I just got back from an RSA conference and, you know, you look around and you just don't see that many women there, so, you know, we're missing out on that opportunity, half of our population is not really considering this as a career choice, so, that seems like kind of an obvious place to go to try to increase our ranks.

David Bittner: [00:20:37:05] And does that outreach extend back to high schools and middle schools trying to create that pipeline into universities like yours?

Lorrie Cranor: [00:20:46:08] Absolutely, I think people are ruling out certain careers, you know, in elementary school, in middle school, and so if we can spark that interest among middle schoolers, we have a much better chance of convincing them to enroll in technical programs later on, and so, there are many great efforts trying to encourage young girls and people of color at those lower age levels. At Carnegie Mellon we have tech nights for girls every Monday night for middle school girls in the area, we're also running the cyber security challenge for middle school and high schoolers, called picoCTF and we have thousands of students around the world are participating in this program.

David Bittner: [00:21:39:10] What's your advice to folks out there, who want to encourage young women and people of color to pursue these sorts of careers in security? What sorts of things can they do to make that an easier pathway for them?

Lorrie Cranor: [00:21:53:24] Yes, I think, you know, part of it is to have mentoring and role models to help women and people of color see themselves in these types of careers, by seeing examples that there are diverse people in these careers. We also need to make sure that we take down barriers and remove some of the hostility that there's been in the past. You know, I've been to security conferences where it was hostile to women there, where I definitely felt very uncomfortable being in those situations, and that was a few years ago, and, you know, the good news is that I think things are changing, that I think, you know, when I go to security conferences now, I do feel a lot more comfortable there, and I think a lot of efforts are made to make sure that these are more inclusive environments. But we still have a ways to go.

Lorrie Cranor: [00:22:54:04] So, at Carnegie Mellon we have a masters program in privacy engineering, and this is actually the only program like this anywhere in the world, where we're actually educating technical students to take on privacy engineering roles, which are becoming increasingly common at companies, especially in light of GDPR. And then the other thing I wanted to mention was in Carnegie Mellon, we have a big focus on the human side of security and privacy, we have a course on usable privacy and security and we have a lot of research which combines the core technology of security and privacy with the social science and psychology and human side of security and privacy, which is really important.

David Bittner: [00:23:42:09] That's Lorrie Cranor, she's a professor at Carnegie Mellon University in computer science and engineering and public policy, and she's director of their CyLab security and privacy institute.

David Bittner: [00:23:57:13] And that's the CyberWire, thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. This CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where their co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, our staff writer is Tim Nodar, executive editor, Peter Kilpe, and I'm Dave Bittner, thanks for listening.

that device.

Jonathan Katz: [00:16:41] And so people have been trying to come up with different sort of solutions that would address this potential event. And so what these researchers have proposed is an idea where you would essentially use a password or use a cryptographic key to encrypt your files, but then you wouldn't even know the key yourself. You would basically send it either to another individual or some set of individuals who would all need to be compromised in order to get access to your device. And even if these border officials were to ask you for the password, you fundamentally would not be able to give it to them because you don't know it yourself.

Dave Bittner: [00:17:12] Yeah, and one of the interesting things about this that caught my eye was that it seemed as though you can sort of split up the password among a group of people, and you would need a certain number of them to be able to unlock your information.

Jonathan Katz: [00:17:25] That's right. This is a basic idea called threshold cryptography that has been researched actually for a couple of decades. But now these researchers are trying to put it into practice and use it for protecting encrypted files on people's devices.

Dave Bittner: [00:17:38] So it's a compelling case here. Are there any drawbacks?

Jonathan Katz: [00:17:41] Well, I think that I've seen some other approaches that try to hide the presence of encrypted files on someone's device altogether. And I think that can be potentially a better approach because the issue with this one is that even though it's true that you won't be able to give up the password and so the border officials will not be able to get access to your files, they will become suspicious, right? They will observe that you have these encrypted files on your device. They're going to know that you're refusing to give up your password. That's very likely to make them detain you and potentially then investigate you further and try to understand why it is that you're not giving up the information about these files.

Dave Bittner: [00:18:15] Right.

Jonathan Katz: [00:18:15] So I'm a little bit suspicious overall about how well this will play out in practice and how many people would be willing then to be detained rather than either give up the files or come up with some other mechanism for dealing with it.

Dave Bittner: [00:18:25] Yeah, it's interesting. You're also sort of bringing your friends into this, or your colleagues, as well that could - I don't know - cause a headache for them.

Jonathan Katz: [00:18:35] Yeah. Well, there was an interesting comment in the article. They were saying that this is for people who would rather not get - essentially rather not give up their files than give up the password after being tortured. Now, you know, the funny - or I shouldn't say funny - but the thing about that is if you're being tortured, you might actually prefer to give up your password rather than tell them, well, I don't have it; just continue torturing me, right? (Laughter). So it's, you know, like I said, there are some physical assumptions, you know, assumptions that they're making about the real world and about how people prefer to operate in the real world that may not be true for most people.

Dave Bittner: [00:19:06] Yeah. No, it's an interesting edge case, I suppose. All right, well, as always, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:19:13] Thanks, always a pleasure.

Dave Bittner: [00:19:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:31] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.