In this, our final episode of 2017, we look back at our most popular segments from the past year – many of which touched on issues that (surprise, surprise) crossed the boundary between information security and politics. Among the most popular segments were discussions of hacking the U.S. election systems, a primer on the cyber capabilities of North Korea with CrowdStrike, a conversation about the case against the Russian firm Kaspersky Lab and an interview with the guy who helps make the hacking scenes in the USA Network’s Mr. Robot look so real.
It has been an exciting year for our signature podcast: we’ve delved into critical infrastructure hacks, the growing role of artificial intelligence in cyber security and major hacks at Equifax. We also had the honor of interviewing some of the leading minds and news makers in the information security industry.
In this, our final episode of 2017, we take a look back at our most popular segments from the past year, based on listens and downloads. And what does the data tell us? Perhaps it’s a reflection of the charged and politicized times we’re living in, but many of our most listened-to episodes touched on issues that crossed the boundary between information security and politics.
They include our first segment, from Episode #58, which aired in August. In that episode, we spoke with Bev Harris of the non-profit organization Black Box Voting about the recently concluded DEFCON hacking conference, at which a Voting Village let some of the world’s best hackers square off against commonly used voting machines, with predictable results. Bev noted that graft, not espionage, poses the most likely motive for election system hacks.
Part 1: election hacking – follow the money
“It’s money,” Harris told me. “There’s one federal election every four years, but there are about 100,000 local elections which control hundreds of billions of dollars in contract signings.” Those range from waste disposal and sanitation to transportation. The most vulnerable positions she found, those with the biggest corruption problems, are sheriffs, who control drugs, contraband and guns; city council and commissioner-type positions, because they have contracting authority; and judgeships, which are susceptible to bribes for delivering certain verdicts or for directing criminals to certain (for-profit) correctional systems.
Part 2: North Korea’s growing threat
Following the 2016 Presidential Election there has been tremendous attention to the risks posed by nation-state hackers to US critical infrastructure – whether that be our country’s voting systems or its electric grid. While Russia and China have long been among the US’s top cyber adversaries, 2017 saw the emergence of North Korea as a potent force driving cyber espionage and cyber criminal operations like the WannaCry wiper malware and financially motivated attacks on cryptocurrency exchanges. One of our most listened-to podcast episodes from 2017, Episode #71 from November, saw Security Ledger digging deep into the actions and capabilities of the North Koreans with Adam Meyers, the VP of intelligence at CrowdStrike, a top cyber threat intelligence firm. Meyers tells us that it is only in the last two years that DPRK has begun targeting organizations outside of South Korea, but that the nation’s exact intentions are still unclear.
Part 3: from Russian software with love
The actions of Russian hackers have been a topic of intense interest in 2017, as more details have emerged about the influence campaign that is believed to have been carried out by the government of Russian President Vladimir Putin against the campaign of Democratic Presidential candidate Hillary Clinton and other Democratic candidates in 2016, as well as in favor of the Brexit vote in the UK. The Russian campaign is generally regarded as one of the most effective in the long history of spycraft between the governments of Russia and the U.S. – and that’s saying something.
But it hasn’t come without cost to Russia and its interests. Kaspersky Lab, a Moscow-based anti-virus software maker and Russia’s most prominent technology firm, has been the subject of intense scrutiny in 2017. Its software has been linked to the theft of classified cyber offensive weapons from the computer of an NSA contractor, which landed Kaspersky’s software on a Department of Homeland Security blacklist that bans federal agencies from using it. In our next segment from Episode #66, which aired in October, we speak with Dave Aitel of the firm Immunity Inc. about the charges leveled against Kaspersky Lab and whether they are just sour grapes by the US government, or (as Aitel believes) a legitimate and serious warning about the potential for Kaspersky’s software – and other software like it – to be used for spying.
Part 4: hacking the small screen with Mr. Robot
Depictions of hacking and hackers on television and in the movies are generally forgettable: pasty, awkward men with thick glasses who magically break even the strongest security protections with a flurry of keystrokes. But as the profile of the hacker has moved closer to the center of our culture, Hollywood is getting smarter.
Witness the USA Network’s Mr. Robot, a serial thriller centered on the activities of a gifted, young hacker who belongs to an anarchic hacktivist collective bent on social transformation. The show has been a hit not just with the public, but also with cyber security professionals who marvel at its accurate depictions of breaking into sensitive systems, right down to the software packages used, the commands typed on-screen and the myriad “soft skills” hackers must draw on to work their way onto sensitive networks.
How does Mr. Robot get it right? Simple: they hire real hackers like our next guest, Ryan Kazanciyan, the chief security architect at the firm Tanium. Kazanciyan has served as a consultant to the show’s writers for the past two seasons. In our next segment, from Episode #68, which aired in October, he talked to us about how he came to be a consultant on the show and the challenges of making hacking look real on the small screen.
Part 5: What’s in a degree? The debate over CSO qualifications
And finally: What makes a good Chief Security Officer? That was a question we found ourselves asking in the wake of the Equifax hack, when that company’s CSO, Susan Mauldin, was forced to retire from Equifax shortly after news of the breach broke, and her undergraduate music major became proof – for some – that Equifax wasn’t serious about security. In our final segment, from Episode #63, which aired in September, we invited two experts in to debate the fraught issue of “qualifications” in the infosec field: noted hacker Chris Roberts of the firm Acalvio and Deidre Diamond of CyberSN, an information security staffing firm. I started out by asking Roberts and Diamond about the criticism of Mauldin and whether they thought it was fair to attack her choice of major as a reflection of her security expertise.