In a return trip to Capitol Hill on Tuesday, the same hackers offered a similarly bleak assessment: Digital security is hardly any better.
Four members of the collective known as L0pht reunited on the 20th anniversary of what is now referred to as the first congressional cybersecurity hearing to talk about what has changed since then. Yet in a wide-ranging panel discussion hosted by the Congressional Internet Caucus, they lamented how the technology is vastly different but many of the underlying vulnerabilities still exist.
“At L0pht we tried to be the voice of reason in raising awareness for problems,” said Joe Grand, who went by the hacker name Kingpin in his L0pht days. “Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same.”
Here are a few of them:
- The same exploit the L0pht hackers could have used to take down the Internet in 1998 is still around today.
It's called Border Gateway Protocol hijacking, and it takes advantage of a fundamental weakness in the Internet's infrastructure -- essentially preventing routers from being able to talk to each other and get Web traffic where it needs to go.
Just a few weeks ago, hackers used this to steal more than $150,000 in cryptocurrency, said Chris Wysopal, who goes by the hacker name Weld Pond. “We’re still building new technology like cryptocurrency and blockchain, with all its promise of being secure, on old network foundations,” he said. “We keep building new things on old infrastructure that never seems to get fixed.”
- People are often unwilling to take better security precautions even when they know they are available.
If a security measure is too complicated, people won’t use it, Grand said, “and that’s just human nature.”
A prime example, he said, is President Trump. Politico reported this week that Trump has refused to ditch the phone he uses for Twitter, even though it doesn’t have sophisticated security features to protect his communications — a departure from his predecessors — or turn in his phone regularly to security pros to look for possible compromises.
“He’s basically choosing to live with the risk of having a hacked phone because he feels the convenience is more important than security,” Grand said. “The fact that the president, who’s possibly the most targeted person in the world, doesn’t want to trade his phone, makes you really think about, ‘Is anybody else going to do that, and why should they?’ ”
- The landscape of digital threats is much more diverse, with all kinds of bad actors trying to take advantage of the Internet.
State-sponsored hackers and international criminal organizations, once just a hypothetical menace, have emerged as a top digital threat to governments and companies around the world.
“Back then the threat was the teenage hacker,” Wysopal said. “It was like, ‘Yeah, they’re kind of ankle-biters’... Now it’s nation-states. So every vulnerability got a lot more risky.”
Wysopal recalled a question the L0pht members fielded during their 1998 testimony from Fred D. Thompson, then a Republican senator from Tennessee. Thompson asked them how much damage a foreign government could do if it assembled “a group of gentlemen such as yourself” and paid them to “wreak as much havoc on this government as they could.”
At the time, “it all seemed so theoretical,” Wysopal said Tuesday. “But we all know that 20 years later this is happening constantly.”
- The federal government still isn't setting security standards.
Standards and certifications created by industry groups are "largely based on what feels right, rather than data showing what makes something strong in a security sense," said Peiter Zatko, who went by the name Mudge.
He asked: “Where’s the equivalent of the National Transportation Safety Board crash test results” for software? Cybersecurity is a public safety issue, “so why has this been almost entirely left to the free market to secure and make safe?”
The hackers raised similar concerns in their 1998 hearing, telling lawmakers that companies couldn't be trusted to police themselves. "At this point it's time for the government to step in and step up," Zatko said Tuesday.
L0pht was founded in 1992 in a loft above a carpentry shop in Boston’s South End, as my colleague Craig Timberg wrote in a lengthy profile of the group a few years ago.
L0pht members would experiment on computer hardware and software, probing for vulnerabilities. If they found a flaw in a product, they would let the manufacturer know and post a security update explaining the bug, much to the chagrin of companies that were embarrassed by the disclosures.
L0pht earned media fame on their trip to Washington decades ago. The seven members who attended the hearing helped put a public face on well-meaning hackers who were trying to sound the alarm about companies’ failures to provide users security. The Post once called the group “rock stars of the nation’s computer hacking elite.” They went on to found security companies, conduct research for government agencies, and join security teams at major tech firms.
Tuesday's discussion was as much an update on the state of Internet security as it was a reunion for the group and fans of L0pht. The hackers signed autographs and passed out L0pht stickers featuring the group's original logo, and Zatko at one point posed for pictures in a blond wig that looked like the wavy, chest-length locks he sported in the late '90s.
But the message was serious. “Our problem is not that we don't know how to make things more secure, it's that we're not applying that knowledge evenly,” said Cris Thomas, who goes by the name Space Rogue. “For every organization that's properly encrypting all its data, there's another that isn't.”
“While we can't ever make something 100 percent secure, hopefully over the next 20 years we can use the knowledge that we already have and the knowledge that we will gain to make a more secure world for everyone.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: With just a few words yesterday, Homeland Security Secretary Kirstjen Nielsen briefly revived the controversy over the intelligence community's conclusion last year that Russia sought to help elect Donald Trump when it interfered in the 2016 election.
“I do not believe that I've seen that conclusion that the specific intent was to help President Trump win,” Nielsen said. “I'm not aware of that. But I do generally have no reason to doubt any intelligence assessment.”
Hours later, the Department of Homeland Security issued a lengthy statement saying Nielsen "previously reviewed" the intelligence community's assessment and agrees with it.
From CBS News's Olivia Gazis:
Nielsen's initial comments didn't go over well with House Democrats. "Several top members of the party said they are unsure whether Nielsen was being serious or simply playing politics when she said she was unaware of the intelligence community’s conclusions," The Washington Post's Karoun Demirjian reports. "They surmised she might have been trying to avoid upsetting Trump, who — along with House Republicans — has sought to discredit the idea that Russia favored his candidacy over that of former secretary of state Hillary Clinton."
Rep. Bennie Thompson (Miss.), the ranking Democrat on the House Homeland Security Committee, said in a statement that he "was shocked to hear that Secretary Nielsen has apparently not bothered to read" the intelligence community's conclusion that Russia's meddling aimed to help elect Trump.
Nielsen was on Capitol Hill with FBI Director Christopher A. Wray and Director of National Intelligence Daniel Coats to brief House lawmakers about threats to election systems. The three officials said in a joint statement that they "sought to enlist Congress’ help in working with state and local election officials back home to raise awareness of the potential threats and urge them to continue to use available resources, either from DHS, the FBI or a private, third party."
— Here are some reactions on Twitter to Nielsen's comments:
From Rep. Adam B. Schiff (D-Calif.):
PATCHED: Two Democratic senators want the National Guard to help protect the country from cyberattacks. Sens. Maria Cantwell (Wash.) and Joe Manchin III (W.Va.) have introduced a bill to give the National Guard new resources to help protect U.S. infrastructure such as dams and election systems, CyberScoop's Sean Lyngaas reports. A statement from Cantwell's office said the legislation would institute “National Guard Cyber Civil Support Teams” in all U.S. states and territories.
“The bill would put $50 million toward the National Guard teams, which would be tasked with preventing and mitigating the impact of cyber incidents, training critical infrastructure operators, and relaying classified threat information from U.S. Cyber Command to the states and private companies,” according to Lyngaas. “States would have until September 30, 2022 to make their National Guard cyber teams operational.”
“With cyber-attacks on the rise, we need to strengthen our defenses and protect critical infrastructure,” Cantwell said. “Establishing National Guard cyber teams in each state will make sure the resources and expertise are in place to respond to the growing threats.”
PWNED: The FBI repeatedly inflated the number of encrypted devices it was unable to unlock, The Washington Post’s Devlin Barrett reports, making the scope of the problem look much bigger than it actually is. While Wray, the FBI’s director, has said investigators were unable to access almost 7,800 cellphones because of encryption, Barrett reports that the real figure probably stands between 1,000 and 2,000.
“Over a period of seven months, FBI Director Christopher A. Wray cited the inflated figure as the most compelling evidence for the need to address what the FBI calls ‘Going Dark’ — the spread of encrypted software that can block investigators’ access to digital data even with a court order,” Barrett writes. The FBI said it believes that the wrong figures stemmed from “programming errors.” Here are some other takeaways from Barrett’s story:
- “The FBI first became aware of the miscount about a month ago and still does not have an accurate count of how many encrypted phones they received as part of criminal investigations last year, officials said.”
- “Last week, one internal estimate put the correct number of locked phones at 1,200, though officials expect that number to change as they launch a new audit, which could take weeks to complete, according to people familiar with the work.”
— More cybersecurity news from around the Web:
— The Senate Banking Committee on Tuesday approved a measure that would hinder the Trump administration’s ability to ease sanctions on Chinese tech giant ZTE, Reuters's Jeff Mason and Patricia Zengerle report. The move came as Trump floated a plan to fine ZTE and shake up its management rather than go ahead with tougher penalties. "According to sources familiar with the discussions, a proposed trade deal with China would lift a seven-year ban that prevents U.S. chipmakers and other companies from selling components to ZTE, which makes smartphones and telecommunications networking gear," Mason and Zengerle write.
Lawmakers have long expressed concerns about the security risks ZTE's devices can pose to Americans, and sounded the alarm about the easing of penalties on Tuesday.
From Sen. Chris Van Hollen (D-Md.):
From Sen. Marco Rubio (R-Fla.):
— National Counterintelligence and Security Center Director William R. Evanina on Tuesday said he “absolutely” thinks countries such as Russia and China are monitoring technological developments in Silicon Valley to then take advantage of those innovations back home.
“I think anywhere where there's vibrant development of big ideas, merged with ingenuity and competitiveness to succeed, is clearly an avenue for adversaries to watch and learn, and then measure that with what our governments are buying and procuring and investing in,” he said. Evanina made the comments in Paris at Bloomberg's Sooner Than You Think conference.
— More cybersecurity news about the public sector:
See Amazon's facial recognition tools in action:
— Amazon.com is selling facial recognition technology, called Rekognition, to law enforcement agencies in Oregon and Orlando for just a handful of dollars, The Post's Elizabeth Dwoskin reports. Documents obtained by the American Civil Liberties Union of Northern California show that Amazon provides both facial recognition tools and consulting services, according to Dwoskin.
The ACLU and other civil rights groups wrote to Amazon founder and chief executive Jeffrey P. Bezos to express concern about the program and ask that the company stop selling the technology to law enforcement agencies, Dwoskin writes. (Bezos is the owner of The Post.)
“We demand that Amazon stop powering a government surveillance infrastructure that poses a grave threat to customers and communities across the country,” the letter says. “Amazon should not be in the business of providing surveillance systems like Rekognition to the government.”
European lawmakers grill Mark Zuckerberg:
— “European lawmakers pilloried Mark Zuckerberg at a hearing Tuesday for Facebook’s recent privacy and misinformation mishaps and raised the possibility of new regulation, a more realistic threat than what the social media giant faces in the United States,” The Post's Tony Romm writes. And Zuckerberg faced tougher questions in Brussels yesterday than he did on Capitol Hill last month, according to Romm.
“By design, though, Zuckerberg answered all of lawmakers' questions at once at the end of the hearing,” Romm writes. “That setup appeared to irk many lawmakers, who felt it afforded Zuckerberg an opportunity to dodge their toughest queries. In one of the more uncomfortable moments of the day, Zuckerberg avoided a question about the company's use of so-called 'shadow profiles,' or information Facebook collects about those who aren't actually users of its site.”
Guy Verhofstadt, leader of the Alliance of Liberals and Democrats for Europe group in the European Parliament, didn't quite enjoy the format of the event:
— More cybersecurity news about the private sector:
— The Committee on Foreign Investment in the United States, a public body tasked with reviewing transactions that may give control of U.S. companies to foreigners, “rarely polices the various new avenues Chinese nationals use to secure access to American technology, such as bankruptcy courts or the foreign venture capital firms that bankroll U.S. tech startups,” Politico's Cory Bennett and Bryan Bender report.
“The committee, known by its acronym CFIUS, isn't required to review any deals, relying instead on outsiders or other government agencies to raise questions about the appropriateness of a proposed merger, acquisition or investment,” according to Bennett and Bender. “And even if it had a more formal mandate, the committee lacks the resources to deal with increasingly complex cases, which revolve around lines of code and reams of personal data more than physical infrastructure.”
The situation is alarming experts, Bennett and Bender report. “National security specialists insist that such a stealth transfer of technology through China’s investment practices in the United States is a far more serious problem than the tariff dispute — and a problem hiding in plain sight,” they write.
— On Tuesday, committees in the Senate and the House passed bills to strengthen CFIUS, Reuters's Diane Bartz writes. "Congress is considering the bills to address Defense Department concerns that U.S. soldiers could some day face on a battlefield U.S. technology like robotics or drones that was acquired by foreign adversaries," Bartz writes.
— More international cybersecurity news:
- Secretary of State Mike Pompeo appears before the House Foreign Affairs Committee.
- House Homeland Security Committee hearing on the threats that the Islamic State poses following its territorial losses, including a "virtual caliphate."
- Two subcommittees of the House Oversight Committee hold a joint hearing on the implementation of the Federal Information Technology Acquisition Reform Act.
- Last day of GMU-AFCEA Symposium 2018 in Fairfax.
- Last day of Air Force Cyber Strategy Conference at Maxwell Air Force Base, Ala.
- Last day of IEEE Symposium on Security and Privacy in San Francisco.
- Ignite '18 Cybersecurity Conference in Anaheim, Calif., continues today through tomorrow.
- Enfuse 2018 conference in Las Vegas continues today through tomorrow.
Trump says meeting with North Korean leader Kim Jong Un could be postponed:
What to know about Stefan Halper, the source who assisted the FBI's Russia investigation during the 2016 campaign:
Russian agency offers fake restaurant reviews ahead of World Cup: