Thursday, January 18, 2018
Tag: King’s College London

One laptop does not a blackout make

Russian hackers have not penetrated America's electricity grid, in spite of an end-of-year media flurry saying they did.

The story was triggered because an anonymous source told the Washington Post that Russian hackers had penetrated the grid, when in fact – as the story was later amended to read – one Burlington Electric Department laptop was infected with Russian-attributed malware.

Burlington Electric flat-out denied that its control systems were compromised. Rather, the company says in a home page statement, a single laptop was infected with malware “used in Grizzly Steppe”, and that machine was not connected to its grid systems.

The infection was discovered in a scan after the Department of Homeland Security (DHS) distributed the signatures it associates with Grizzly Steppe, the operation that caused the late-December sensation in the outgoing Obama administration and led to 35 Russian spies getting their marching orders from the USA.

Burlington Electric Department says someone in the company gave the Washington Post the incorrect information which led to the sensational but withdrawn claim that Russians hacked the Vermont grid.

+Comment: Schadenfreude is all too easy at times like this, but the Washington Post's dilemma is faced by any journalist offered an infosec scoop.

Last week, when the Obama administration expelled the Russian spies over interfering with the 2016 election process, it provided much more supporting documentation than is usually the case. Even so, plenty of infosec people and national security experts complained that more information should have been provided.

Take this, for example, from respected King's College London professor of war studies Thomas Rid:

"The USIC erred on the side of caution today and did *not* release the best evidence they have—spelling out this limitation would have helped"
— Thomas Rid (@RidT) December 29, 2016

Mostly, accusations of hacks are accompanied by little or no supporting evidence of any kind.

Even technical journalists are expected to work in an information vacuum, and all journalists, technical or generalist, are surrounded by a fog of vendor/consultant/analyst exaggeration. However, the speed with which Burlington Electric posted its rebuttal suggests it already knew the extent of the attack – so the Washington Post had the chance to verify.

There is one more point to make. While the USA has a well-integrated electricity grid – the final steps to complete its interconnection were taken in 2010 – Burlington Electric isn't even remotely “the US grid”. It's a local generation and distribution utility with fewer than 20,000 customers. A hacker – even a Russian hacker – would have a long way to travel from Vermont to the interconnects that constitute the national grid.

Security through obscurity has been trumped. Let's hear it for security through "clunky."

In an attempt to assuage concerns that Russian hackers might succeed in hijacking U.S. presidential election results, FBI Director James Comey said recently that "the beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck."

Comey has proven himself a master of clunky statements and often appears baffled by technology. One story about his misinformed campaign against encryption was summed up in the URL slug: "FBI Dude Dumb Dumb." In addition to his incessant rants about terrorists "going dark," Comey infamously dismissed constitutional protections against illegal searches, calling them a "typo" in the law.

Then there was his over-the-top bluster about how only Apple was capable of breaking into a terrorist's iPhone -- right up until the moment the phone was cracked without Apple's help. In other words, Comey's credibility on technology-related matters has "dispersed" in a puff of smoke.

Bruce Schneier and other security experts have been sounding the drumbeat about the insecurity of our election system for years. "We need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no internet voting," Schneier writes. "I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great."

Or as a report from the Institute for Critical Infrastructure Technology puts it: "Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc."

The insecurity of our voting machines is real, but it isn't news. What is new -- and more serious for the long term -- is the prospect of a foreign government waging a cybercampaign to disrupt and influence the upcoming election. Russia is believed to be behind the recent hack of the DNC and leak of Colin Powell's emails, as well as the hacks of voter registration systems in Illinois and Arizona.

"The pattern we see [of hacks and leaks] is intended to call things into question, to sow doubt, to create uncertainty. … You can't patch this psychological vulnerability," Thomas Rid, a professor at King's College London, told Wired.

As media outlets jump on any election news they can find, hackers are able to manipulate coverage. "The media is certainly being used as a battlefield here," Rich Barger, CIO with security firm ThreatConnect, told the IDG News Service.

How do we defend against hackers manipulating the media to influence the election? "Folks have to say, 'where is this information coming from?' and not just focus only on the information," Barger said. "If the hackers have 100 documents, they can choose only to give [the press] 25 of them, because the rest don't fit their narrative."

It would also help if candidates refrain from actively inviting foreign attacks against political opponents and making repeated, baseless claims about rigged elections. "After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy," Schneier says.

This kind of campaign of disinformation is one of the vulnerabilities of democracies, said John Bambenek, a threat intelligence researcher with Fidelis Cybersecurity. "They can be more susceptible to this kind of mass influence of the public." As it turns out, democracy itself is "clunky."