Archives for November 2016

Exploring the Cybersphere – November 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Paging Jill Stein. Did the Russians really elect Donald Trump?

Cybersecurity threats to American elections
My colleague Ben Buchanan and I have written a paper on cybersecurity threats to American elections. While we examine operations that try to influence American voters—like the much-publicized hack of various Democratic Party entities—we also examine threats to voting infrastructure itself. We consider the motivations of hackers for targeting elections, the plausible threats to election security, and the effects of real and perceived manipulation. We tackle two vital questions. First, how concerned should we be about election cybersecurity? Second, how vulnerable is the United States to a foreign power or other actor trying to undermine the public’s confidence in our elections?

Russian hackers launch targeted cyberattacks hours after Trump’s win
Merely a few hours after Donald Trump declared his stunning victory, a group of hackers that is widely believed to be Russian and was involved in the breach of the Democratic National Committee launched a wave of attacks against dozens of people working at universities, think tanks, NGOs, and even inside the US government. Around 9 a.m. ET on Wednesday, the hackers sent a series of phishing emails trying to trick dozens of victims into opening booby-trapped attachments containing malware, and clicking on malicious links, according to security firm Volexity, which observed and reported the five attack waves. The targets work for organizations such as Radio Free Europe / Radio Liberty, the Atlantic Council, the RAND Corporation, and the State Department, among others. One of the phishing emails included a forwarded message appearing to be from the Clinton Foundation, apparently sent by a professor at Harvard. The email used the professor’s real address, and according to Volexity’s founder Steven Adair, it’s likely that the professor got hacked and the attackers then used his account to send out the phishing emails.

What might happen on cyber in a Trump Administration? The early forecast.

What a Trump presidency means for cybersecurity, net neutrality, and internet freedom
As one of Facebook’s board members, Thiel’s move sparked criticism among the ultra liberal tech community of California. “There are many reasons a person might support Trump that do not involve racism, sexism, xenophobia or accepting sexual assault,” Zuckerberg, who launched Facebook in 2004, wrote in an internal company memo. While Trump’s views on building walls and lack of belief in climate change are well documented, the president-elect’s stance on the issues that will directly affect technology firms, and by extension, much of the world, is less obvious.

Trump’s vague cybersecurity platform needs a combover
The campaign is over, the votes have been cast, and Donald Trump will officially take over the Oval Office on January 20th. When he does, we’ll finally find out what changes he has in mind to make America great again — and how he plans to address the nation’s cybersecurity needs. His campaign’s policies page offers some insight, but there are still a lot of blanks to fill in.

In the lame-duck, how Congress makes cybersecurity a non-partisan priority
With a lame duck session of Congress looming, federal lawmakers are scrambling to push key legislative items through last-minute. One key area of concern is cybersecurity. Recent headlines have exposed a wide array of victims, ranging from corporate to government entities. Stoking concerns is the ongoing controversy surrounding Russian hacking of Democratic presidential candidate Hillary Clinton’s campaign emails and the DNC, in a perceived effort to influence the outcome of the U.S. presidential election. Against this backdrop, several members of Congress have introduced amendments to the National Defense Authorization Act (NDAA) to strengthen cybersecurity. Yet, is this enough?

One can go from villain to victim very quickly these days.

Russian Banks Become Latest Victim of Mirai Cyberattacks
Five top Russian banks were hit by prolonged cyber attacks on Tuesday, believed by experts to stem from the same source that took down large portions of the internet last month.
The websites of the banks were targeted with what is known as a distributed denial of service (DDoS) attack. According to Russian security firm Kaspersky, which first reported the attacks, as many as 24,000 hijacked devices—insecure items such as webcams and smart home appliances—were used to knock the websites offline by flooding them with traffic. The cyberattacks are the latest in a series of major DDoS attacks that have been carried out by a network of compromised Internet of Things (IoT) devices known as the Mirai botnet. Under the control of hackers, Mirai was able to cause dozens of major websites to go offline in October, including Twitter, Reddit and Netflix.

By Tom Davis, SDI Cyber Risk Practice
November 30, 2016

Do As I Say???

Do as I say, not as I do. Many a child has heard this admonition. A dispute rages (rages might overstate the case) as to its origin. Noted English jurist, politician and scholar John Selden is widely credited with creating the phrase in his book “Table Talk,” where he wrote: “Preachers say, ‘Do as I say, not as I do.’” The book was written in 1654, which suggests the sense of the phrase has stood the test of time. But there are those who trace the saying back to the King James Version of the Bible, and I wouldn’t be surprised if at some future time pictures drawn on the wall of some yet to be discovered cave convey the same general sense of appropriate conduct.

I’m reminded of the phrase after reading the testimony of Bruce Schneier, a Fellow at the Berkman Klein Center for Internet & Society at Harvard University and a cybersecurity expert. Testifying before the House Energy and Commerce Committee after a massive cyberattack took down parts of the internet, Schneier said there is no way to fix compromised devices currently in use. “They’ll remain in use because of an additional market failure: neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam—or thermostat, or refrigerator—with nice features at a good price. Even after they were recruited into this botnet, they still work fine—you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution….”

Taking Mr. Schneier’s point at face value, the lack of a market solution provides a strong argument for government intervention, and there does seem to be some momentum developing for legislation that will require built-in security for internet connected devices. Still, I’m struck by the recognition that owners of infected devices do not seem to care.  When surveyed, consumers consistently put data security at the top of their list of concerns. For example, the 2016 Norton Cyber Security Insights Report says, “Within the last year, 689 million people in 21 countries experienced cybercrime. It has become so prevalent that many people equally fear online and real-world risks. More people believe it has become harder to stay safe online in the past five years (63 percent) than in the “real” world (52 percent).”  Yet, there is an obvious disconnect between what we think and what we do. The Norton report says, “Despite the growing threat and awareness of cyber-crime, consumers remain complacent about protecting their personal information…Even past victims of cybercrime sometimes fall back into old habits.”

There are many things one could say about the lax way in which we collectively approach cybersecurity. With regard to your next IoT purchase I offer the following: “caveat emptor.”

By Tom Davis, SDI Cyber Practice

November 22, 2016

Do You, Yahoo?

One of my sisters, when particularly vexed by someone, is given to referring to that person as a “yahoo.” A yahoo is an unrefined, noisy, rude individual. The word was invented by Jonathan Swift in his book Gulliver’s Travels, first published in 1726. He used the term to refer to a race of creatures who were bestial, uncultivated, violent, and loutish brutes. Yahoos represented Swift’s view of mankind in its lowest form. At first blush, the yahoos of Swift’s creation would seem to have little in common with the company founded by David Filo and Jerry Yang. The system they created to keep track of their personal interests on the internet became known as Yet Another Hierarchical Officious Oracle—YAHOO.

We just learned that in its latest regulatory filing with the Securities and Exchange Commission (SEC), YAHOO admitted that it knew, as early as the latter part of 2014, of the security breach it announced in September, a breach that put at risk passwords, phone numbers, and email addresses from 500 million accounts. Think about it. It appears YAHOO may have waited two years to disclose what was then the largest security breach in the history of the internet.

The timing of the disclosure will certainly spur new inquiries. Remember that in July, Verizon agreed to pay $4.8 billion for Yahoo’s core business. Senator Mark Warner has asked the Securities and Exchange Commission to investigate whether Yahoo’s senior executives improperly failed to disclose the 500-million-customer breach in timely fashion. The issue may become a test case for the SEC, which way back in 2011 issued guidance telling companies to disclose in their filings any cyber incident that could have a “material adverse effect on the business.” According to critics, the SEC has not followed up on the guidance, having failed to act against a single company for non-disclosure of a cyber incident.

YAHOO has other headaches stemming from the breach. At last count the company was facing 23 breach-related lawsuits, and that number is expected to rise. In addition, it’s been reported that Verizon is seeking a $1 billion discount on the purchase price agreed to in July. The prospect of regulatory fines, legal fees, and dramatically reduced asset values certainly calls into question the decision-making at senior levels inside YAHOO. People outside the company increasingly must ask, “Do you, YAHOO?”

By Tom Davis, SDI Cyber Risk Practice

November 15, 2016


Political Hacks…Then and Now

On this day, it would be hard to write about anything other than the wildest, craziest election the country has ever experienced. And no, it’s not this one, despite what you might think.

In 1876, Republican nominee and former governor of Ohio, Rutherford B. Hayes, ran against former governor of New York, Samuel Tilden. Shockingly, the campaign degenerated into a series of personal attacks on the character of both candidates. In the end, Tilden won the popular vote by more than 250,000 votes, garnering roughly 51%.

However, raise your hand if you remember President Tilden. Rutherford B. Hayes had the good fortune to have Daniel Sickles on his side. Sickles was best known for having shot the son of Francis Scott Key in Lafayette Park in broad daylight and getting off scot-free after claiming temporary insanity, although his subsequent exploits in the Civil War, during which he lost a leg as well as most of the Corps he commanded at Gettysburg, also won him renown. Sickles refused to accept Hayes’ defeat, forged the signature of the apparently drunk Chairman of the Republican National Committee to ask Republicans in Georgia, South Carolina and Florida whether they could hold their states for Hayes, and set in motion a chain of events that led to the creation of a commission that ultimately handed the election to Hayes by one electoral vote.

Now that we’ve put this year’s election in historical context, it’s interesting to look at one of the underlying story lines of the 2016 election, which features Russia hacking the election to disrupt American democracy. It seems apparent that Russia is taking great delight in the commonly held belief that it has both the ability and intention to interfere with the presidential election. Last month, the U.S. intelligence community said the Russian government was responsible for stealing and leaking tens of thousands of emails from accounts used by Democratic National Committee staff and John Podesta. In a joint statement, intelligence agencies declared “These thefts and disclosures are intended to interfere with the U.S. election process,” and said “We believe, based on the scope and sensitivity of these efforts, that only Russia’s senior-most officials could have authorized these activities.”

The nation’s secretaries of state sent a letter to Congress meant to assure voters that the national election cannot actually be hacked in the commonly understood way a hack might occur. The letter said, in part, “Election officials are working overtime to help the public understand the components of our election process and some of the built-in safeguards that exist. Elections are largely administered by states and localities. Voting systems are spread out in a highly-decentralized structure covering more than 9,000 election jurisdictions and hundreds of thousands of polling locations. Machines are standalone and do NOT connect to the Internet. There are multiple layers of physical and technical security surrounding our systems.”

Of course, even granting that the machines themselves are hard to reach (isolation from the internet raises the bar for remote tampering, but it does not by itself rule out attacks that arrive through removable media or the back-office systems used to program the machines), a foreign power does not need to change votes to influence the election. Clearly, the steady drips and drabs of information have fueled an ongoing narrative that will continue on the other side of the election. Two colleagues at the Harvard Kennedy School Belfer Center for Science and International Affairs have written an interesting paper that seeks to answer two key questions. One, how concerned should we be about election cybersecurity? Two, how vulnerable is the United States to a foreign power or other actor trying to undermine the public’s confidence in our elections? They offer a number of recommendations for improving the security of our national elections that are worth consideration.

One uplifting note, by tomorrow the election of 2016 will be history, and we can dust ourselves off and start moving on. In the meantime, remember to vote early and often.

By Tom Davis, SDI Cyber Risk Practice

November 8, 2016 

The Internet of Things (You can’t trust)


Make that can’t and shouldn’t. Turns out those “things”—products that can network and communicate with each other through the internet—are amoral. Big surprise, right? “Things” lack a moral code, and can be bent to the side of evil rather readily. Ten days ago a distributed denial of service (DDoS) attack took down a major part of the internet for much of the Eastern seaboard. We soon learned we were being victimized by an army of infected “things” that had been commandeered and sent off to attack a critical link in the internet infrastructure, a managed DNS provider named Dyn. Dyn’s servers, which translate site names into network addresses, were swamped by an avalanche of requests generated by an estimated 100,000 internet devices…things, so that browsers could no longer find sites that were themselves running normally. Sites that were affected included such notables as PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, and Spotify.

Writing in PC Magazine, software analyst Max Eddy takes to task the appalling failure of the manufacturers of products that comprise the Internet of Things to embrace security. “Instead of controlling access to the device, and employing best practices learned from connecting billions of computers and phones over the course of decades, manufacturers rushed cheap products to market. Ones that were designed, in some cases, to never be serviced, upgraded, or patched. And even if problems could be addressed, it is, arguably, not reasonable to expect individuals to treat labor-saving devices the same way they do computers. The vast majority of consumers assume, and rightly so, that if a device does not have a screen or some kind of input method, it is not intended to be serviced by them.”

What’s the dimension of the problem? Gartner estimates that 6.4 billion connected things are being used worldwide in 2016, and forecasts that number to reach 20.8 billion by 2020. That sort of growth means millions of new “things” would get connected to the internet every day, and there are estimates from others that suggest the IOT could have 40-50 billion devices by 2020. That’s a lot of connectivity, and a heckuva pool from which to draft an army.

To the uninitiated, the internet of things seems somewhat esoteric. We may not fully appreciate precisely how we fit into the IoT. Well, one of the biggest culprits in the DDoS attack on Dyn was CCTV cameras and their video recorders, the kind widely used in surveillance systems, many of them shipped with factory-default telnet passwords that the Mirai malware simply guessed. But forget about coordinated traffic lights or sensors in critical infrastructure; think smart watches, fitness trackers, garage door openers, wireless routers, tablets, cell phones, lighting systems, smart refrigerators and even next-gen toasters. The list is ever expanding, and they all add convenience at the expense of security.

Check this catch from Cory Doctorow. “The Atlantic’s Andrew McGill set up a virtual server on Amazon’s cloud that presented to the internet as a crappy, insecure Internet of Things toaster; 41 minutes later, a hacked IoT device connected to it and tried to hack it. Within a day, the “toaster” had been hacked more than 300 times.”

If we don’t get this problem under control, we may all be toast.
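The “toaster” experiment above is easy to reproduce. What follows is an added example written for this post, not code from The Atlantic’s experiment, from Dyn, or from the Mirai authors: a minimal telnet-login honeypot that accepts connections, never lets anyone in, records every username/password pair offered to it, and flags pairs that appear in the factory-default list the Mirai scanner is known to try. The listening port (2323), the “SmartToast 9000” banner, the JSON log format and the replayed sample session are all assumptions; the credential list is a small subset of the defaults in the leaked Mirai source.

```python
"""Minimal telnet-login honeypot (added example; port, banner, log format assumed)."""
import asyncio
import json
import sys
import time
from dataclasses import dataclass, field

IAC, SB, SE = 0xFF, 0xFA, 0xF0
BANNER = b"\r\nSmartToast 9000 (embedded Linux)\r\n"  # assumed fake-device banner

# A few of the factory defaults from the leaked Mirai scanner table.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", ""), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("ubnt", "ubnt"), ("admin", "1234"), ("root", "12345"),
}


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option-negotiation sequences so only typed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of chunk: ignore it
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # subnegotiation: skip through IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:       # WILL/WONT/DO/DONT carry one option byte
            i += 3
        else:                           # any other two-byte command
            i += 2
    return bytes(out)


@dataclass
class LoginSession:
    """Login-prompt state machine, kept separate from sockets so it can be replayed."""
    peer: str
    state: str = "user"                 # alternates "user" -> "pass" -> "user"
    buf: bytes = b""
    username: str = ""
    attempts: list = field(default_factory=list)

    def feed(self, data: bytes) -> bytes:
        """Consume bytes from the client; return the bytes to send back."""
        self.buf += strip_telnet_iac(data)
        reply = b""
        while b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            text = line.rstrip(b"\r").decode("latin-1")
            if self.state == "user":
                self.username, self.state = text, "pass"
                reply += b"Password: "
            else:
                pair = (self.username, text)
                self.attempts.append({"ts": time.time(), "peer": self.peer,
                                      "user": pair[0], "password": pair[1],
                                      "mirai_default": pair in MIRAI_DEFAULTS})
                self.state = "user"
                reply += b"\r\nLogin incorrect\r\n\r\nlogin: "   # never let them in
        return reply


def summarize(attempts: list) -> dict:
    """Count attempts and how many used a known factory default."""
    return {"attempts": len(attempts),
            "defaults": sum(1 for a in attempts if a["mirai_default"])}


def replay_sample() -> LoginSession:
    """Feed a constructed (not captured) scanner session through the state machine."""
    session = LoginSession("198.51.100.7:40000")              # constructed peer
    for chunk in (b"\xff\xfd\x01root\r\n", b"xc3511\r\n", b"admin\r\nhunter2\r\n"):
        session.feed(chunk)
    return session


async def handle(reader, writer):
    peer = "%s:%d" % writer.get_extra_info("peername")[:2]
    session = LoginSession(peer)
    writer.write(BANNER + b"login: ")
    try:
        while (data := await asyncio.wait_for(reader.read(512), timeout=30)):
            writer.write(session.feed(data))
            await writer.drain()
    except (asyncio.TimeoutError, ConnectionError):
        pass
    finally:
        writer.close()
        for attempt in session.attempts:        # one JSON line per credential tried
            print(json.dumps(attempt))


async def serve(port: int = 2323):
    server = await asyncio.start_server(handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    if sys.argv[1:] == ["serve"]:
        asyncio.run(serve())
    else:
        s = replay_sample()
        print(json.dumps(s.attempts, indent=1), summarize(s.attempts))
```

Run it with the `serve` argument on a host reachable from the internet (forward port 23 to 2323 so it need not run as root) and watch the JSON lines; a first hit from a scanner within the hour, as in the toaster experiment, is the normal outcome rather than an anomaly. The prompt logic is deliberately separated from the socket code so the same state machine can be unit-tested by feeding it captured bytes, including the telnet negotiation noise real scanners send.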

By Tom Davis, SDI Cyber Risk Practice

November 1, 2016