April 17, 2018
Greetings from RSA! Please reply to this email address with tips or comments. Send all applications for the newly vacant White House cybersecurity czar position to John Bolton (see below).
1 big thing: We built the internet to be insecure
Today's cybersecurity mess has its roots in decisions a small group of engineers made in the internet's youth. Paul Vixie was one of them.
RSA, the annual San Francisco-based conference where the cybersecurity industry sings an ode to its latest and greatest new products, is where the internet's security elite gather each year to cope with the world those early decisions shaped. As the event kicked off Monday, Axios caught up with Vixie, an internet hall of famer known for his foundational work with the DNS protocol.
How it happened: "Every app we built for the internet was designed as if it was for a boy in a plastic bubble, a completely clean environment with nothing malicious," he said.
Why it matters: Vixie is confident that his work hasn't caused today's security woes. But other basic elements of the internet have proven fundamentally insecure, like email and data routing.
- "No one ever thought someone would want to lie in the 'from' field of an email, or send email the recipient wouldn't want. And that made sense for a network of academics and military contractors, before anyone who could pay an internet service provider could get online," he said.
- By the time such openness stopped making sense, massive growth made it tough to change basic services.
Take Border Gateway Protocol (BGP), which routes data from a far off server to a local computer. There are known flaws, "but the last update was BGP-4 in the 1990s," Vixie said. "Back then, only a handful of ISPs cared. If you could get a thousand people to agree to a change, you could change it."
Today, so many people, companies and institutions are affected by changes to fundamental services like routing and email that they are almost impossible to enact.
2. This year at RSA, it's "back to basics"
The key message of this year's RSA conference is to get basic security right. That's the view of Amit Yoran, chairman and CEO of Tenable Security and founding director of the Homeland Security's Computer Emergency Readiness Team (US-CERT), the group that alerts critical infrastructure to looming cyber threats. That's a mindset shift for a conference known for its gigantic product expo featuring new solutions to increasingly complex problems.
"The major theme, when I've talked to CISOs [chief information security officers], has been back to basics."
The big picture: Many of the major cybersecurity incidents last year, including the Equifax breach, WannaCry and NotPetya, were the result of failures to patch known computer vulnerabilities. And many of the breaches in 2017 were made worse by companies not segregating different aspects of their computer networks.
"There’s a mismatch between what the vendors are producing — all of the AI, machine learning, pick your buzzword — and what makes a difference in the real world," said Yoran. "Now security people are realizing that only after getting the basics right do you deserve to move on to the more advanced threats."
- AI isn't always bad, said Yoran. It just gets overapplied to problems it isn't suited for. Scanning files for malware might get a boost from artificial intelligence. Patching systems won't.
Worth noting: Tenable doesn't offer a product for managing patches. Its tools address another basic problem: Most IT managers are unaware of how many networked devices are even on their network and with what permissions.
3. States, senators meet to prep election security bill
Secretaries of State huddled with senators behind the Secure Elections Act Monday around the pending legislation.
A legislative source familiar with the meeting said discussions covered "implementation of the bill, general election security challenges and whether further resources are needed to help states be ready." A state source emphasized clarifications he hoped to see in the final draft.
In the room: Secretaries of state from California, Colorado, Indiana, Louisiana, Minnesota, Missouri, New Mexico and Washington met with Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.).
- Indiana's Republican secretary of state Connie Lawson, who heads the National Association of Secretaries of State, is a key figure in any effort to smooth interaction between the federal government and state governments. States often fear federal security efforts are a slippery slope to federalizing elections that are a state responsibility under the constitution.
- Colorado secretary of state Wayne Williams told Axios Colorado hopes to see the draft bill adjusted so it "addresses changing the definition of an audit to reflect our more advanced process."
The big picture: The bill presents a multifaceted approach to election security, including improving information sharing and new grants for more secure voting systems. It's probably too late for any new spending to kick in before the 2018 polls, but if the bill becomes law it would likely bolster elections after that.
4. White House cyber czar Rob Joyce resigns
Why it matters (to cybersecurity): Joyce, Trump's first and only pick for the role, was a well-liked and able to draw on his expertise as a former leader of the NSA's elite hacking corps. As of two weeks ago, he and then-homeland security adviser Tom Bossert formed a core of digital-defense expertise inside the White House. Now both have resigned.
Why it matters (to politicos): Bossert and Joyce are two of a number of officials who have resigned after new national security adviser John Bolton took the helm last week. Though Joyce was never expected to stay the full Trump term, he had been tapped as Bossert's temporary replacement — which puts his sudden departure in higher relief.
Bolton will head search for replacement: In a small press event at the RSA conference, secretary of homeland security Kirstjen Nielsen said that Bolton will lead the hunt for a new cyber czar.
“This is a natural inflection point when you have a new national security adviser, sometimes the team switches out,” she said.
Obligatory Rob Joyce video: Joyce gave a presentation to a DC hacker conference this year about designing complex Christmas light schemes. It wasn't a metaphor for anything. Rob Joyce unironically loves Christmas lights.
5. US and UK jointly call out Russian hacking effort
Russia is conducting a widespread effort to hack internet infrastructure like routers and switches, the FBI and the Department of Homeland Security said Monday in a rare joint attack attribution with Britain's National Cyber Security Centre.
From the announcement: "Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations. Multiple sources including private and public-sector cybersecurity research organisations and allies have reported this activity to the US and UK governments."
Man in the middle: This kind of attack is like someone at the post office opening all of your mail. By infiltrating infrastructure that transmits data, a Russian attacker could read — and potentially alter — information without the recipient knowing.
6. A trove of real programs will help AI find malware
Endgame researcher Hyrum Anderson has released the world's largest database of authentic computer programs, which could be instrumental in training computers to root out malware through machine learning.
Why it matters: If a computer can tell whether a program is mundane or unusual, it can identify previously unidentified malware. Most antivirus programs use some form of that approach in addition to looking for known malware. But to use machine learning to find previously unknown patterns, designers need gigantic databases of information to train the computer with.
The details: The Endgame Malware BEnchmark for Research (EMBER) contains 1.1 millon programs, a mixture of benign and malicious programs.
What might make malware unique: Malware sometimes uses obfuscation techniques to hide the true intention of the code. Malware designed by artificial intelligence might look different from human-designed programs. And certain methods malware programs use to travel across systems might look distinct.
7. Odds and ends
- Intel announced a system to scan memory using its integrated graphics cards, an academic partnership with Purdue and other new security programs at RSA. (Intel)
- Google deleted three apps from its Play Store that were used for malicious surveillance in the Middle East. (Threat Post)
- An alleged Ukrainian cyber criminal may extradite himself to the U.S. to prove his innocence. (Cyberscoop)
- Singapore is testing facial recognition systems attached to lamp posts. (Naked Security)
- UK lawmakers have evidence Cambridge Analytica helped the Brexit push. (Reuters)
- TaskRabbit shut down during a hack investigation. (Axios)
- UK warns telecommunications firms to stop using products from Chinese manufacturer ZTE (ZDNet)
We return on Thursday. Rob Joyce's Christmas display returns early December.