Transcripts For CSPAN2 The Communicators 20121029 : vimarsan

CSPAN2 The Communicators October 29, 2012

Host: We want to introduce to you Robert O'Harrow, who is an investigative reporter at the Washington Post and has been writing an occasional series on cybersecurity threats for that newspaper. Mr. O'Harrow, welcome to The Communicators.

Guest: Thank you for having me.

Host: What is a zero day?

Guest: A zero day is the name that hackers give to a gap or vulnerability in the software that lets a bad guy into a computer system. These gaps take a lot of forms. They have not been previously discovered and so there is no way to block them. When a hacker has a zero day with the right tools and skills, that hacker can break into a system and take control. A zero day is also known as an oh day.

Host: How would you describe the series you have been writing for the Post?

Guest: It's really the mission I should probably describe. We were looking into cybersecurity and cyberwar. The Pentagon had declared cyberspace, the environment of people and machines and networks, as the new domain of war, and yet we realized that maybe one in 1000 people really understood what cyberspace was and the degree and depth of the vulnerabilities. So what we are trying to do in the Zero Day series is to take pieces of it and explain the fundamentals, and the platonic idea is that everybody from my mom and dad to Congress and people around the country can understand, and so maybe start the process of coming up with ways to defend cyberspace better.

Host: Mr. O'Harrow, if you look at cyberspace in the United States right now, how would you describe security overall? Let's just describe maybe break-ins in the neighborhood.

Guest: In the spirit of explanatory mission, we can't really talk about cyberspace and the United States. A computer user in Washington, D.C., or in Wichita or San Francisco is effectively working shoulder to shoulder with a computer worker in Beijing or in Moscow. There is literally milliseconds of difference in space and time in cyberspace. So I thought I would point that out.
As for the security, the reality is that it's almost remarkable how vulnerable computer systems are. Cyberspace is not what most people think it is. Most people now equate cyberspace with the internet, but if they want to be clear about what cyberspace is, I think it's important to note that it's the GPS system on the new cars. It's the iPhone and the Droid. It's jet fighters and jet planes. And anything that is driven by computers, excuse me, by computer code and is linked to networks can be a part of cyberspace. The vulnerabilities are almost stunningly pervasive.

Host: Can you give an example?

Guest: Well, sure. Charlie Miller, who is a former government hacker who worked on the good side, is now a security specialist. The great hackers of the world. He last year decided to explore vulnerabilities and he found a vulnerability in the iPhone that, when he deployed it the right way, this was for a contest, enabled him to take over a portion of that iPhone. Industrial control computers run water systems and electric grids and so on. Last year, a disgruntled hacker abroad went into a water system in South Houston, in Texas, and got control of those computers. The list goes on and on. There are hacks of Google and RSA. There are millions of attacks, literally millions of attacks around the world and intrusions on computer systems every day in the world. Probably the most phenomenal attack involved a worm called Stuxnet, and in that case the United States government, I think working with Israel, the United States government developed a computer worm that went into the nuclear process facilities in Iran and disrupted the centrifuges.

Host: So it was developed by the U.S. government?

Guest: Yes, according to the reporting.

Host: What was its purpose? Was it a defense mechanism by the Defense Department?

Guest: No, it was a purely preemptive effort to slow the nuclear weapons processing capability of Iran.

Host: You mentioned Charlie Miller, and Mr.
Miller is in St. Louis and he joins us today on The Communicators. Mr. Miller, what was your goal in breaking into the iPhone?

Guest: In that particular case it was for a contest, like Robert mentioned. They had hackers across the world and they had various devices. If you break into a device you can win some cash and the device also. I won the contest a few times. Earlier, my career was more about showing things like iPhones or, you know, Apple software were vulnerable, because it really wasn't believed that it was, but now it's just, I have shown vulnerabilities in the iPhone and attacks where I can send a text message to the iPhone and take it over. All these are fixed now. Part of the contest is all these vulnerabilities being fixed. A fun way to show off your skills, and so everyone gets protected by the attacks.

Host: How long did it take you to break into this iPhone and from where did you do it? An office or where?

Guest: Okay, so the iPhone, I mean at the time it only took a few seconds but the preparation took time, so it probably took me, you know, maybe a month of preparation with an accountant of mine. A few weeks of looking for a vulnerability and a few weeks of taking a vulnerability and making it into an exploit to attack the phone. The actual attack, the security conference in Vancouver, so I was actually physically in Vancouver and they had an iPhone there and I attacked it and stole a bunch of data off of it and that was the proof.

Host: Charlie Miller, could you do this from your living room? Could you break into a bank, break into other devices from your living room?

Guest: That's the amazing thing about cybersecurity. We are all connected, mostly, so any device, on your phone, your computer. In the future your refrigerator, anything that's on the internet, you can get people basically anywhere. That is one of the things that makes defense difficult. You don't just have to defend [inaudible]

Host: Robert O'Harrow described you as a good guy hacker.
What does that mean and what is the motive of some of the black hat hackers?

Guest: Okay, so the white hat, the good guy hackers, was explained, so we are the guys who, you know, we develop the skills to do the same things that the bad guys can do so we can break into computers, but instead of actually breaking in and stealing information and causing problems, we tell everyone what we did and try to work with vendors to make their products more secure and give talks about security and how to make it better, so while we can break in and do harm, we don't. We show how you can break in to improve security. On the other hand there are the actual bad guys and they have motives from just teenagers goofing off and trying to impress their friends, to actual organized crime trying to steal money and credit card information, to governments trying to commit espionage and cyberwarfare, so there's a whole range of hackers on the black hat side.

Host: We didn't get a whole lot of your bio, but we understand you worked at the National Security Agency for a while and are now with Twitter. What did you do with NSA?

Guest: I worked there for five years. I worked in their computer security group and I can't say a whole lot more than that.

Host: And you are with Twitter now, correct?

Guest: Yes, so between that time, basically for the last seven years before Twitter, I just started a couple of months ago, I was a consultant of the company I work for; we come in and basically take the role of the bad guy and break in and show how they can do better where the real bad guy can do that.

Host: Robert O'Harrow, were you able to get in contact with any bad guy hackers and learn why they were doing this and what their motives were?

Guest: I have talked to black hat hackers and the motives are, as Charlie said, all over the place.
I have watched details about black hat hackers and we know, for example, that some of them are prepping, infiltrating systems with long-lasting threats in the event that there is ever a cyberconflict or a cyberwar. Power grids and national labs and corporate systems all over the United States have already been intruded on, and it is believed that at present lots of espionage is occurring. We know that groups in Russia and China, for example, work regular hours breaking into systems and stealing information. So the motives are the same motives that you might find with any array of bad people: money, manipulation, intelligence and prepping for cyberwar.

Host: Charlie Miller, for casual users or regular users of the internet that may use it for online banking, surfing the internet and sending emails, what kind of protection would you recommend to those people?

Guest: Well, the regular users are in a pretty good place. We have, by we I mean the security industry, has been working for quite a few years in trying to make that sort of thing secure and it's pretty good, so if you just use your browser and you have an antivirus, you can go to random sites and download things, you're in pretty good shape. The biggest risk of, say, like your phone, we talked about the iPhone attack earlier. You are way more likely to lose your phone in a bar and have a bad guy attack your phone. The one side is if your attackers are in organized crime, you can play it halfway safe and you're not a big target, you will probably be okay. More interesting, I think, is when you are the U.S. government or Google or the White House and no matter what you do you are still a target and your attackers are going to be teenagers, whole branches of government, military and other countries, and there we don't really know. There are a lot of open questions there.

Host: We are going to follow up on Charlie's remarks.
One of the things that is really interesting is cyberspace is a collection of machines and people. People are part of the network. The very, very worst bad guys have taken on something called social engineering as a way of attacking, and you may not be an inherently interesting target but you may be vulnerable to social engineering because essentially what they are doing is trying to pretend to be your friend, family member. After doing homework they may send you an email or direct you to a web site that is loaded with the attack code, and if you are related to someone that they are targeting or if you work at a company that the bad guys want to target, you may fall prey to this social engineering and there's almost no way to stop it because of the clever nature of it. Recently, we did a story about Chinese hackers who were going after gas pipeline companies, intelligence contractors here in Washington, security consultants and others, and it was all part of the same campaign and it looked like part of an espionage effort. It was based on social engineering messages that looked like they were coming from in house but they were really coming from hackers.

Host: Charlie Miller, we talk about Chinese hackers or Iranian hackers. Who are these people? Are they employed by the government? Where?

Guest: We don't really know. We can trace it somewhat but it's difficult. If a computer here in Washington, D.C., is attacked, we can trace back, oh, that came from a computer in China, but that is not to say there is a person sitting at the computer in China. Maybe the attack came from the computer which came from a computer in Korea which came from a computer in Germany which came from a computer in Moscow, so we don't really know. It is difficult to trace those attacks and it's one of the major differences between cyberwar and conventional war.
If someone drives a tank across your you know they did, but if you get attacked you may think it's Chinese but you're not really sure and you don't know, was this a teenager, was this the Chinese army, and it's difficult to ascertain where the attacks are coming from and who is doing it. We have guesses but we don't know for sure.

Guest: Charlie is alluding to the sort of core nature of what cyberspace is. It's networks of networks, and because of the fundamental architecture of these networks, data bounces from computer to computer all the time, and when he describes somebody in Germany who might be sending something through a computer in South Korea that might be going through China, that is hop, skip and jump data for cyberspace. It brings up a really interesting issue not just with cybersecurity but with cyberwar, because if you don't know precisely who is attacking you, what they are calling attribution, then how do you respond in kind to prevent hackers, and that is one of the great dilemmas that our military has. How do you hold them accountable for stealing, damaging and whatnot? One belief and hope, and I do, is that the NSA actually has cracked this problem to some degree, but the attribution problem, for corporations and many government agencies, is a difficult problem in this digital age of ours.

Host: Robert O'Harrow, in your series you write about a company called Tridium. What is that?

Guest: Tridium is a company in Richmond that came up with a really interesting idea not long after the web browsers were released and the use of the World Wide Web, which lays over the top of the internet, makes it real easy and we all take it for granted now. It was becoming common. What they did was they realized the web browser could be like the universal control that could direct devices anywhere in the world that were connected to the network, so for example the security camera. You could use your mouse to have the security camera look left or look right.
Sitting in Washington and controlling the camera. Heating systems all over the place. You might be controlling five buildings, high rises, elevators, medical devices to some degree and also access control for security. Let's say the Pentagon facility, which is a real example, but it turns out that Tridium became so popular and moved so quickly

Host: Is it profitable?

Guest: One assumes. They were acquired by Honeywell several years ago but they are very popular and they grew very quickly and it is used in 52 countries now. But it turns out that it was vulnerable to a very well-known, rather old vulnerability that the hackers knew about and everybody knew about for years. So I thought the story was valuable and instructive because it showed that the gee-whiz component had sometimes blinded software makers and manufacturers that lay within reach and sometimes clouded their view of risk so that they rushed forward with technology [inaudible] secure as it probably should be. Charlie has given some terrific talks about the incentive structures for software makers and whether or not they are properly in balance to make sure that they are secure with their software before they release it. I will let him speak for himself.

Host: Mr. Miller, if you would speak to that.

Guest: Sure. We are in a situation where we all run code that was written by a vendor like Microsoft or Apple or whoever, and the problem is it's very difficult to write secure code, secure code that is free from vulnerabilities, and it's hard to measure, so even an expert like myself, it's difficult for me to tell you, given two programs, which one is more secure than the other. So it's hard to measure and people don't want to necessarily pay for that, so we all want to buy the latest gadget when the iPhone comes out or whatever and we don't really think to ourselves, how secure is this and maybe I shouldn't buy this.
Companies, they are out to make money and that is what they are there for, so they want to push products out the door and they want to beat their competitors and have the newest features, but they don't necessarily want to take the time to make sure their products are written securely. Consumers so far haven't really demanded it. So we all use the software and we are all vulnerable because software is written in a way that was intended to process features and not maximize security.

Guest: Consumers, people have not asked for more secure products for the most part. That is related in part to the fact that very few people really understand cyberspace and how it all works. We all love the benefit. It's miraculous. I would venture to say that Charlie is among those who are thrilled with the miracle of the internet and all the networks and the computing power and the benefits to all of us in society, but the fact is, many people are afraid to actually confront the tradeoff that comes with all these benefits, and one of the things we are trying to do today is not to scream the sky is falling, because it's not, but to try to make clear those tradeoffs so that people can start making better decisions. And can start asking about security and in some ways maybe eventually ask the companies that are making technology and writing the code to shoulder the full cost, which I would argue involves creating a secure product.

Host: Charlie Miller, what about when it comes to social media and the sharing of information that we as consumers do with Google, Facebook, etc.? Does that lend itself to less secure networks?

Guest: It doesn't affect the network per se, but what it does is, it puts a lot of our information and some of that private information out there, so if you never connected to the internet no one would know what you would be doing, if you are dating someone, but with Facebook, information is there.
It's still out there on a server somewhere, so some bad guy could get to it if they wanted, so I think if you consider that, you know, a while ago no one would ever agree to carry around a tracking device, but now we all carry around cell phones, and no one would have ever let anyone read your email, but right now a lot of us use email and all of our emails are stored on a server at Google, so it's interesting we as a society have given our information out and whether we wanted to be for everyone or just a
