May 9, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that didn't actually hide "Avengers" spoilers in last week's newsletter. We made that up.

With special thanks to the Industrial Exchange conference for letting us moderate a panel on Tuesday, and slightly less thanks for posting this photo of it. There's a list of questions to ask the panel on that phone, we promise.

1 big thing: Plan now for the quantum apocalypse

Illustration: Aïda Amer/Axios

We probably have as much as a decade before quantum computers pose a threat to the encryption systems that sit at the foundation of contemporary cybersecurity. But we'd better start strengthening that foundation now if we hope to protect it down the road, experts say.

Why it matters: Encryption is critical for economic and national security, protecting trade secrets, communications, and classified information.

The big picture: Quantum computers, which take advantage of the spooky weirdness of quantum mechanics, can solve certain types of complex problems in fewer steps than a traditional microprocessor (or, for that matter, a human). One of those problems is reading data that's been protected by any of several common encryption algorithms.

The catch: Ask most of the rank and file working in cybersecurity, and they'll tell you that quantum computing is more a topic for barroom conversation than an imminent threat.

  • For the most part, people who work in cybersecurity are concerned with how people can steal data today or tomorrow.
  • Quantum computing, which is still in the early stages of development, could take 10 years to be a real threat to systems — and may never get to that point.
  • People in the field have a sense that there's still time before this has to be a front-of-mind concern.

But, but, but: While it could take a decade to develop a quantum system that attackers could use to crack our codes, it could take nearly as long for defenders to migrate from vulnerable algorithms to new systems based on quantum-safe encryption.

  • Changing encryption algorithms takes an incredible amount of effort. Brian LaMacchia, who works on post-quantum cryptography at Microsoft, notes that the last industry-wide change took place when Microsoft included the new algorithm in Vista, the 2006 edition of Windows, and the industry still hasn't fully completed that transition.
  • Software relies on layers of code dependent on other code, and the more layers there are, the more complex it is to update those systems. There are many more layers stacked on top of encryption than ever before, making this migration the most complicated one yet, LaMacchia said.
  • While some encryption algorithms can be made quantum-safe with only minor changes, any software using any type of encryption will need to be updated.

The timing: Complicating matters further, while quantum computers may be a decade away, data encrypted today may need to be secret for more than a decade. So while we may not go toe to toe with quantum computers until much later, we need to start using post-quantum encryption now.

  • "We still have information about the John F. Kennedy assassination kept classified," said Steve Grobman, CTO of McAfee. "Some secrets have a long shelf life."
  • And systems will likely be at risk before we're told they are at risk. "If a government develops quantum computing well in advance of its peers, it will keep it a secret, just like the allies did when they cracked Enigma," said LaMacchia.

Next steps: Lawmakers, including Rep. Will Hurd (R-Texas), are pushing for greater U.S. investment in quantum research.

  • "Quantum capabilities will likely define hegemony in this century's increasingly digital, interconnected economy, and the U.S. cannot abdicate our leadership in this crucial field," said Hurd.

2. How attacks progress, and where to cut them off

This week, Verizon released its annual Data Breach Investigations Report — a sort of clearing house for breach statistics gathered from dozens of security firms. The most interesting part of the report, author Gabe Bassett tells Axios, is a detailed look at how attacks progress.

Details: Attacks often take multiple steps to succeed — a hacker may steal credentials through a phishing email, then install malware to exfiltrate data. But according to Verizon's data, the odds of failure exponentially increase with each additional step.

  • That means every time you can make hackers take a more convoluted path to getting to their goal, you reduce their effectiveness.
  • "Most attackers really don’t take long, complex paths," said Gabe Bassett, "and while some hackers pivot their techniques if they get stopped, that's not the majority of hackers."

By the numbers: The Verizon report doesn't give specific numbers, but does compile which types of tactics are most likely to occur at different points in an attack.

  • Social engineering — attacks like phishing that involve tricking employees — generally occurs early in the process. Malware is typically a middle-of-the-operation tactic.

3. Authorities seize dark web marketplaces and a dark web news site

Screenshot from DeepDotWeb

Five days after authorities at Europol announced seizing two dark web criminal marketplaces, U.S. authorities announced taking down a dark web market directory/news site in collaboration with Europol and other authorities.

Why it matters: Dark web markets provided an anonymous forum for drug and other illegal purchases.

Details: Europol announced seizing the Wall Street and Silkkitie marketplaces late last week. Wall Street had more than 1,150,000 users and 5,400 vendors.

  • The Department of Justice announced Wednesday it had indicted two Israeli citizens in April for taking kickbacks for dark web marketplace referrals from their website, DeepDotWeb.

4. Russia-linked Turla group is in your emails

Russia-linked hacking group Turla has been using newly discovered LightNeuron malware to infect Microsoft Exchange email servers since 2014, according to the cybersecurity firm ESET.

Details: LightNeuron can read, edit, compose and block emails.

  • While ESET hasn't found a Linux version, artifacts in the code lead it to believe there is one out there.
  • Turla hides the commands it sends LightNeuron in innocent-looking PDF and image files, making communication with infected systems appear to be innocuous traffic.

5. SWIFT adding 125 to its IT division

SWIFT, the interbank messaging system used globally to coordinate the financial sector, will increase its IT division by 125 people, or 15%, in 2019, the firm announced, focusing on improved services including security.

Why it matters: SWIFT was used in a series of digital bank robberies attributed to North Korea.

  • While the company says the planned improvements responsible for the increase in staff predated the bank heists, the improvements would nonetheless help prevent similar attempts at robberies.
  • While SWIFT was used in the robberies, SWIFT wasn't itself hacked. Banks were hacked to access SWIFT. Scheduled improvements include a new cloud system to access the SWIFT network, which would prevent security problems at a bank from granting access to the network.
  • A new system allowing tracking of transactions is also in the works.

6. In case you missed this week

The Israeli military bombed suspected Hamas hacker HQ: It was one of Israel's targets in returning fire after rocket attacks. Israel announced its completed attack on Twitter Sunday as part of a spree of posts taunting Hamas. (Twitter)

  • This is not, as some reported, the first physical — often called kinetic — attack a military has launched against hackers.
  • In 2015, the U.S. killed Junaid Hussain in a drone strike. Hussain doxed Tony Blair and generated a hit list of potential targets for ISIS.
  • It's still highly abnormal, however. While the UN has acknowledged cyberspace is a field of battle, most experts believe that kinetic attacks should only be used against hackers if the hackers cause damage risking human lives, a rare occurrence.

Microsoft releases vote verification system: Microsoft announced 2 new election tools Monday, including a free, open source system allowing voters to be sure their votes were accurately counted and third parties to check voting totals without seeing ballots. (Axios)

  • The voter auditing system, called ElectionGuard, was developed with the security firm Galois.
  • The difference between ElectionGuard being a useful tool and a neat thought experiment is whether election infrastructure vendors implement the program. While the finalized system won't be released until summer, said Burt, several vendors (Democracy Live, Election Systems & Software, Hart InterCivic, BPro, MicroVote, and VotingWorks) have publicly expressed interest.

Cyber attack technically disrupted energy grid: The United States has a very broad definition for when energy providers have to file a disruption report. So, although a DDoS attack waged against an unnamed U.S. power utility did not affect power generation or distribution, the utility did file a report on March 5. (EENews)

  • The utility faced a denial of service attack — an attack where vast networks of computers contact a server at the same time, collapsing it under the weight of the traffic.
  • While the attack affected visibility over the affected systems, consumers' lights stayed on.

Baltimore ransom: Wednesday marked day 2 of Baltimore's struggles with the RobinHood ransomware locking city employees out of their systems, emails and phone systems. (Ars Technica)

Yes, but: Baltimore is actually in a pretty good place, all things considered.

  • Baltimore said it has backups of its files, but is taking time to make sure hackers won't still be in the network after restoring them.
  • Emergency services are still online.
  • Though employees have been forced to work manually, and residents of Baltimore were unable to pay bills, the city announced it would not pay the ransom.

7. Odds and ends:

Codebook will return next week on Thursday.