Two serious Internet breaches over the weekend highlighted the ongoing issue of securing online information. The website of PBS was hijacked by a group of “hacktivists” aiming to critique PBS’s news coverage. Meanwhile, defense contractor Lockheed Martin revealed a massive breach of potentially sensitive national security information. We explore whether piecemeal efforts to secure individual sites are an effective way to secure information.
- Alan Paller WAMU Guest Analyst; and Director of Research, SANS Institute
The PBS NewsHour’s Kwame Holman reports on the cyber attack on the organization’s Website and other PBS sites (from 20:34):
MR. KOJO NNAMDI: From WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. Later in the broadcast, we will be looking at new brain mapping technology that could help diagnose disorders, but, first, over the weekend, two high-profile Internet security breaches were revealed.
MR. KOJO NNAMDI: One was at PBS in which hackers posted a fake news report that rap artist Tupac Shakur was alive and living in New Zealand. And Lockheed Martin, the country's largest defense contractor, acknowledged a massive security breach earlier this month. The ongoing issue of high-profile breaches raises disturbing questions about the vulnerability of big organizations and companies whose business is security.
MR. KOJO NNAMDI: Joining us to talk about this is Alan Paller. He is the director of research at the SANS Institute, an information security company. Alan, good to see you again.
MR. ALAN PALLER: And you as well, Kojo.
NNAMDI: The fake news report at CBS about Tupac Shakur being alive could almost be seen as a joke. Here's what aired on PBS "NewsHour" last night.
UNIDENTIFIED WOMAN: And now to Kwame Holman for what it turns out is not on the "NewsHour" online. Kwame?
MR. KWAME HOLMAN: Hackers struck PBS overnight, posting a fake story on the "NewsHour" website. The posting claimed rapper Tupac Shakur, who died in 1996, actually was alive and in New Zealand. The story was taken down this morning. The hackers said it was in retaliation for a documentary about WikiLeaks that aired on the PBS program "Frontline" last week. And late today, both the "Frontline" website and the "NewsHour's" were attacked. The executive producer of "Frontline" called it a disappointing and irresponsible act.
NNAMDI: Alan Paller, as I said, it could almost be seen as a joke, except that the hackers here did want to make a point. What happened here?
PALLER: They were making the point that they didn't like one of the stories that PBS had done, and that -- we call that hacktivism. You did a wonderful show on that before. What's happening, though, is it seems to be more acceptable for them to do it. It used to be a rare event, and, now, you're seeing every few weeks a new attack against somebody because someone is angry at them.
NNAMDI: Less of a joke was that the hackers also posted passwords and e-mail addresses from a wide range of news organizations.
PALLER: The old days was change the website and embarrass the people. The new day, the new mode is change the website, embarrass people and then do some damage that's going to hurt the people that you're trying to attack.
NNAMDI: Well, at least, embarrassed them. It's an embarrassment for any organization. PBS did acknowledge the problem because it does have a policy of airing corrections, but you make a distinction between or among three types of information breaches. What are they?
PALLER: They're the espionage, the nation-state and large corporate espionage attacks, like the ones against Lockheed, but also another one against Lockheed a few years ago that stole data about our $300 billion new fighter program. Then there's the organized crime attacks which are the ones that steal the credit cards and other identity theft kinds of attacks. And then the third one are these acts of hacktivism.
PALLER: It used to be the hacktivists weren't very sophisticated in their attacks, but over the last six months, they've become much more sophisticated.
NNAMDI: 800-433-8850 is our telephone number if you have questions or comments about hacker attacks on security. Do you think we need a more comprehensive approach to cyber security? You can call us, 800-433-8850, or go to our website, kojoshow.org. We're talking with Alan Paller. He is director of research at the SANS Institute, which is an information security agency.
NNAMDI: Lockheed Martin, Alan, was, obviously, a potential national security breach. Apparently, Lockheed Martin said it caught the attack almost immediately. How serious was it?
PALLER: We don't know what damage was done. We know that a couple of years ago massive damage was done, that they may, in fact, have caught it before any data was stolen, that -- corporations tend to hide all the details because, partly, it's an embarrassment and partly they call it a national security issue.
NNAMDI: Yeah, they described the attack as significant and tenacious, whatever that means. In more specific terms, the hackers exploited the remote login system that's used by Lockheed employees. What kinds of failures were necessary in order to allow that to happen?
PALLER: So the scuttlebutt is that an attack had happened about a month ago against RSA -- that's a division of EMC, a big company. They make the little one-time password tags that you get, tokens. They were attacked, and certain keys were stolen from them. Those keys weren't very useful unless you could steal some other information from the victim.
PALLER: What the theory is that in this new attack, people got in, stole that second set of information from the victim, put the two pieces together and were able to -- and would have been able to compromise, substantially, all of the accounts at Lockheed that used those -- that remote login system from RSA.
NNAMDI: You say compromised. But do we know exactly what the hackers were after in that situation?
PALLER: We know why they tried to get into the Lockheeds and the other defense contractors. The U.S. spends billions and billions of dollars on research. Almost all that data is inside those contractor organizations. So if you can get into the contractors, you could skip billions of dollars in investment and just take the -- take advantage of the technologies that have been developed.
NNAMDI: Lockheed Martin describes itself as a global security company. What are the odds that we'll ever know what really happened?
NNAMDI: Another incident over the weekend involved a lewd picture of U.S. Rep. Anthony Weiner sent from his Twitter account. His spokesperson says that someone hacked his account. Whether or not that is true, it raises questions about protecting and verifying your identity on the Internet, doesn't it, especially with social media?
PALLER: It's -- whenever your account is taken over and people start sending data out over your name, you're in trouble.
PALLER: And this one, actually, is bad on a second dimension because of the political dimension. Certain other political groups are saying his site wasn't hacked. It's real. He even -- he sent that picture on his own, and, now, he's trying to cover it with an attack. That can hurt a politician's reputation.
NNAMDI: Here's Jack in Centerville, Va. Jack, you're on the air. Go ahead, please.
JACK: There seems to be a growing amount of identity theft in the health care states. What motivates people to steal identities and health care records? What do they do with that kind of information?
NNAMDI: Alan Paller, do you know?
PALLER: Yes. It turns out the fastest way to make money as a cybercriminal is through extortion. And the attacks on the health records are not to get the health data but to threaten the hospital with the exposure of the health data. So it's not that they want the health data to do anything with it. They want to threaten the hospital with exposing all of that information on people's medical tests and medical procedures on the Internet.
PALLER: And if -- and so they're making millions of dollars in extortion payments from medical organizations that have had their data stolen.
NNAMDI: And that, Jack, I think, answers your question.
JACK: Yes, thank you.
NNAMDI: Jack, thank you very much for your call. You, too, can call us at 800-433-8850. Alan, you feel that the piecemeal approach most organizations take to cyber security just isn't working.
PALLER: I think we have a problem in cyber security that we've been blaming the user. It's very much like automobiles. Forty, 50 years ago, we told everybody how to drive more safely, which was true. But the roads were unsafe, and the cars were unsafe. And until we built safer roads and safer cars, we couldn't actually protect most people, even if they drove safely. We're exactly in the same situation with cyberspace.
PALLER: We have completely unsafe networks. The Internet wasn't built for security. And we have unsafe programs. Those websites that are being attacked are being attacked because the programmers who wrote them had no clue about writing secure code, and the universities that taught them don't teach secure coding. So we have bad networks. We have bad systems, and we have users who are a little careless.
PALLER: But blaming it on the users is wrong. So our theory is that there needs to be a reengineering of the Internet to provide safe zones on the Internet and a strong upgrading of programmer skills, so they actually know how to write secure code.
NNAMDI: There's a lot of discussion about how to secure the Internet. The White House has a suggestion for what it calls tailored trustworthy spaces. What would that be?
PALLER: That's -- well, when they say it, they mean all the people -- and health information, for example...
PALLER: ...all agree to go by certain standards, to use certain standards in the way they store data. That, again, is blaming it on the user. The network on which they're putting those safe zones isn't safe enough that, even if they follow those procedures, their data will be protected. So the idea of safe zones is a good one, but it really requires a rebuilding of the infrastructure of the Internet as well.
NNAMDI: And that's what I want to get to. You feel that we can't work with the open system we now have and expect it to be secure. You suggest a solution, a rebuilding of the Internet, a separate parallel secure Internet?
PALLER: I think of them as toll roads. So you keep the system we have. Anonymity is wonderful. People need anonymity. So we keep the existing system. But when you're dealing with your bank or when you're doing a transaction with your hospital or when you're doing a transaction with the government, where both parties really need to know who is on the other end of the line, it makes sense to pay a penny or two for that transaction so that safety can be built in.
NNAMDI: Alan Paller, he is director of research at the SANS Institute, an information security company. Always a pleasure, Alan. Thank you for dropping in.
PALLER: Thank you, Kojo.
NNAMDI: We're going to take a short break. When we come back, Tech Tuesday continues with a look at a new brain mapping technology that could help diagnose disorders. I'm Kojo Nnamdi.