CyberWire Daily - Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia's hybrid war. A conviction in the Capital One hacking case.

Episode Date: June 21, 2022

A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warning of the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall. DDoS in St. Petersburg. Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition. A conviction in the Capital One hacking case.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/118

Selected reading.
Suspected cyberattack triggers sirens in Jerusalem, Eilat (Israel Hayom)
Suspected Iranian Cyberattack on Israel Triggers Sirens (Haaretz)
Iranian cyberattack may be behind false rocket warning sirens in Jerusalem (Jerusalem Post)
Israel suspects Iranian cyber-attack behind false siren alerts (Middle East Monitor)
Strava fitness app used to spy on Israeli military officials (Computing)
Treasury's Adeyemo sees elevated cyber threats in wake of Russia's war in Ukraine (Reuters)
More cyber warfare with Russia lies on the horizon (Interesting Engineering)
Prolonged war may make Russia more cyber aggressive, US official says (C4ISRNet)
What the Russia-Ukraine war means for the future of cyber warfare (The Hill)
Complex Russian cyber threat requires we go back to basics (ComputerWeekly.com)
Vladimir Putin speech delayed 'because of cyber-attack' as he hits out at 'economic blitzkrieg' against Russia (Scotsman)
UPDATE 1-Putin's St Petersburg speech postponed by an hour after cyberattack (Yahoo)
Think of the Russia-Ukraine conflict as a microcosm of the cyber war (SC Magazine)
The link between cyberattacks and war: Gartner (CRN Australia)
Ex-Amazon Worker Convicted in Capital One Hacking (New York Times)
Jury Convicts Seattle Woman in Massive Capital One Hack (SecurityWeek)
Former Seattle tech worker convicted of wire fraud and computer intrusions (US Attorney's Office, Western District of Washington)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warnings on the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall.
Starting point is 00:02:17 DDoS in St. Petersburg? Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition and a conviction in the Capital One hacking case. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 21st, 2022. Sirens used to warn Israelis of rocket attacks sounded a false alarm in Israel over the weekend. Haaretz reports that sirens sounded in Eilat and parts of Jerusalem Sunday night due to a cyberattack on local public address systems
Starting point is 00:03:19 in what is being investigated as a possible Iranian attack. Citing diplomatic sources, the Jerusalem Post emphasizes that the attribution is preliminary and that the incident remains under investigation. Israel Hayom notes that some of the evidence of cyberattack remains circumstantial. The systems apparently compromised were civilian warning systems, not the presumably better-protected military ones. RiskRecon and Cyentia have published a report on risk surface assessment, finding that organizations that are cloud-first are 85% more likely to be a top performer in risk management.
Starting point is 00:04:02 The researchers say, when we take a look at the cloud adoption rates of the top and bottom performers, we start to see some very clear separation. Every 10% increase in host cloud concentration results in a 2.5% increase in the probability of being a top performer. The researchers add that choosing to go majority cloud with one of the big three cloud providers, namely AWS, Azure, or GCP, has inconsequential effects rather than being simply cloud-first. Computing reports that the fitness app Strava may constitute a risk to users' privacy and to operational security when those users are military service members. That risk may be an active threat. Computing writes, unidentified operatives have been exploiting a security weakness in the popular fitness tracking app Strava to track the movements of Israeli defense personnel, according to Israeli open source investigative group FakeReporter.
Starting point is 00:05:04 This isn't the first time fitness trackers in general, and Strava in particular, have been flagged as a potential OPSEC problem. The U.S. Department of Defense expressed its concerns about Strava in January 2018. Russia's offensive in the Donbass continues its pattern of heavy bombardment from relatively static positions, the Wall Street Journal reports. But there's still considerable speculation that the cyber phase of the war may intensify if a decisive victory on the ground continues to elude Moscow. Reuters reports that U.S. Deputy Treasury Secretary Wally Adeyemo warned the Bank Policy Institute last week that the threat of Russian cyber attack remained high. The Treasury Department reiterated its commitment to intelligence sharing during a period of heightened threat. Tanium's Tedra Burgess argues in an essay
Starting point is 00:05:58 published Friday by SC Media that Russia's war against Ukraine represents a template for future broader cyber operations and other hybrid wars. She stresses the threat of both supply chain attacks and the disruption of critical infrastructure. She also argues that assessing that threat requires an understanding of the role criminal groups play in a hybrid war. She says, These most recent developments point to a concerning trend because of the escalation and atypical behavior displayed by established hacker groups. There's potentially a power struggle in play after Russia's invasion of Ukraine.
Starting point is 00:06:36 This might explain the change in extortion patterns in an attempt to accumulate larger amounts of ill-gotten gain. As a result, we can expect to see this activity at the very least continue as we work to keep pace with the evolving attack surface. Whatever course the present war takes, the Hill cites a range of cybersecurity experts who think one lesson of the war is already clear. Cyber operations have become a routine part of combat,
Starting point is 00:07:04 as much to be expected, we would add, as electronic warfare came to be in the 20th century. The Hill's essay is also striking for the way in which it presents influence operations as a prominent and routine part of belligerents' larger cyber campaigns. Mr. Putin's keynote address before the St. Petersburg International Economic Forum took as its theme optimism founded on the historic record and destiny of the Russian people. The view he expressed was that the present difficult time comes from the doomed American attempt to maintain a unipolar world under its own direction after declaring victory in the Cold War. In summary, here's his view of the world situation.
Starting point is 00:07:50 This is the nature of the current round of Russophobia in the West and the insane sanctions against Russia. They are crazy and, I would say, thoughtless. They are unprecedented in the number of them or the pace the West churns them out at. Friday's proceedings at the St. Petersburg International Economic Forum were delayed for about an hour and a half, Reuters reports, by a distributed denial-of-service attack. The now-familiar Kremlin spokesman Dmitry Peskov put the delay down to a cyberattack that began on Thursday and affected the conference's admissions and accreditation systems, but he offered no attribution. Others, of course, speculate
Starting point is 00:08:30 that the DDoS attack was organized by actors operating in the Ukrainian interest, if not under the actual direction of Ukrainian services. And finally, Paige Thompson, formerly an engineer with Amazon, was found guilty on Friday, the U.S. Justice Department said, of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The department added that the jury found her not guilty of access device fraud and aggravated identity theft. The New York Times reports that in 2019, Thompson was responsible for gaining access to the data of more than 100 million Capital One banking customers. The Justice Department explained how the prosecution went. They said, using Thompson's own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts.
Starting point is 00:09:30 She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One Bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme and bragged about her illegal conduct to others via text or online forums. Thompson's defense team argued, in effect, that their client was acting as a white-hat hacker, a good-faith bug hunter, finding vulnerabilities with the intention of disclosing them to the organizations affected. The prosecutors weren't buying it and didn't see this case as one in which a legitimate vulnerability researcher had inadvertently run afoul of the Computer Fraud and Abuse Act, whose use against such
Starting point is 00:10:21 researchers is now regarded as an improper expansion of the law's intent. The jury didn't buy it either. Thompson used the online handle Erratic, and the story is a sad one. Security Week summarizes, In interviews with the Associated Press following her arrest, friends and associates described Thompson as a skilled programmer and software architect whose career and behavior, oversharing in chat groups, frequent profanity, expressions of gender identity distress,
Starting point is 00:10:51 and emotional ups and downs, mirrored her online handle. At one point, two former roommates obtained a protection order against her, saying she had been stalking and harassing them. Thompson joined Amazon in 2015 to work at Amazon Web Services, a division that hosted the Capital One data she accessed. She left that job the next year. Some friends said they believe the unemployed Thompson, destitute and by her own account grappling with serious depression, believed the hack could bring her attention, respect, and a new job. Thompson is scheduled to be sentenced in September.
Starting point is 00:11:28 The Justice Department says wire fraud is punishable by up to 20 years in prison. Illegally accessing a protected computer and damaging a protected computer are punishable by up to five years in prison. They note that the sentence imposed will be up to the judge. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:13 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:13:08 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Jon Check is from Raytheon's Intelligence and Space Division, who are major sponsors of the National Collegiate Cyber Defense Competition. I spoke with Jon Check about the competition
Starting point is 00:13:59 and why he and his colleagues at Raytheon believe it's a project worth supporting. The CCDC holds eight different regional competitions with schools that are assigned to a region, and they participate to become a regional champion. There's also an at-large school, as well as a wildcard school, which gets in based on schools that placed second place within their regional, and go through a wildcard round to get in as well. So it's quite a long event that culminates in the final competition, which is the national competition.
Starting point is 00:14:35 Well, let's go to that final competition here. Can you give us a little description of what the contestants faced? Happy to. So the competition really, they create a fictional real-world scenario, if that makes sense. So this year, the students services of a company, so that the web presence, the financial presence, the e-commerce sites, the email for the corporation, the help desk and call-in areas for people that need support. And you have, so they're the blue team, and then the red team is the ethical hacking team, tries to knock those services offline periodically, and the students really work to maintain that business resilience while they're being attacked by the red team hackers. So how did the competition go, and which team eventually came out on top? The competition is really, it's really a great competition. So first, I'd say it went really
Starting point is 00:15:42 well. The students, I mean, this competition has been happening for a while so over time the competition has escalated right the students have learned as well as the red teamers have learned how to anticipate certain attacks or defend against those attacks so it's constantly evolving on both sides on the defensive side and on the offensive side and so it's really the teams that do really well have participated for quite a few years and understand the different scenarios, as well as the techniques, tactics and protocols that the offensive side uses to attack the students networks. So this year, the champion was the University of Central Florida, and they've won the championship five times out of the 17 years. And they were the runner-up three other times. So that's a team that has a history, right? They practice very hard. They understand what's happened year over year and pass that knowledge
Starting point is 00:16:36 down to the teams and actually have team members that were formerly on the team come in to practice with the team during the year from former students to come back and help them prepare for the year's competition. So it's really quite a great tradition they have there and really take it very seriously and put in the hours, which is what it takes of practice to be as good as they are. Yeah, I was going to ask you, I mean, what is the winning formula for a team like University of Central Florida? Is it putting together the right variety of folks on the team? Is it institutional knowledge? What seems to work for them? I'd say that if I had to put to one thing, it's that the team can communicate well. Cybersecurity is a team sport. And when you see the University of Central Florida in the thick of battle in one of these competitions, they're communicating very well. Each of the team members knows exactly what their role is. And nobody's panicking. Everybody understands what to do. It's really that preparedness. They know what to do. They've practiced. Everybody understands what their role and responsibilities are. And it just, it really works extremely well for them.
Starting point is 00:17:47 And then you layer on to that, of course, the history they have and the institutional knowledge they've built up through these competitions. It really makes a very strong team, a very powerful formula for success. Why are competitions like this important? What are they contributing to the overall cybersecurity community? The number one thing, and what this competition really highlights, and you don't see this in all competitions, but when you have someone else actively working against you, like the red teamers actively working to take the students' networks offline, degrade the services, and really
Starting point is 00:18:22 impact their ability to defend. The learning, you can't just gain that anywhere. You learn it by doing. And cybersecurity, you absolutely need the framework and understanding of how cyber works and the traditional learning side. But having another team actively working against you, that really brings out some skills that you may not have had or some things you might not have contemplated when you're doing more of a theoretical exercise versus a live-fire type exercise.
Starting point is 00:18:52 And how about for Raytheon? You know, for you and your colleagues there who put in both the financial support, but also all of the time and energy that you all put in, why is it worthwhile for all of you? Well, for me, it really comes down to, you know, we're under constant attack. And I want to make sure that, you know, as a great thing, we have a responsibility to do our part in cybersecurity. What that means is ensuring that we're building and helping build a cyber workforce that protects all of us. I mean, over the course of years, since we've been involved, we've hired over 100 people from the competition. But I'd like to think that we have really helped
Starting point is 00:19:30 thousands learn skills and really increase their cyber proficiency, as well as maybe convince other people to join the cyber community to help defend our way of lives. And so for me, it's really more just about the typical, are we going to be able to hire people out of this group? It's what are we doing to ensure the entire community gets raised by having competitions like the CCDC that help protect our way of life and build that next generation of cybersecurity professionals? That's Jon Check from Raytheon's Intelligence and Space Division. partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:20:43 can keep your company safe and compliant. And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Hello, Ben. Hey, Dave. How are you? Good, good, good. Interesting story from Joseph Cox. This is over on the Motherboard website and it's titled
Starting point is 00:21:18 Sweeping Legislation Aims to Ban the Sale of Location Data. Caught my eye here. Ben, what's going on? So Motherboard and Joseph Cox himself reported a couple of months ago multiple instances in which companies were selling location data of people who had visited abortion clinics. Right.
Starting point is 00:21:36 And this came in the wake of the draft opinion that was leaked overturning Roe v. Wade. So it was very, I think it resonated with a lot of people because we face this future where abortion is going to be illegal in many states in this country. And some of these companies were making subsets of this data freely available. And they're not just selling it to data brokers, they are, but sometimes they're selling it to purchasers that include law enforcement, local state and law enforcement agencies.
Starting point is 00:22:06 And there's a real fear that people's private information could be given to these agencies and it could be used to justify arrests and prosecutions. So with that in mind, there is a proposal coming out of the United States Senate called the Health and Location Data Protection Act, which would outlaw the sale of location data harvested from smartphones. This is a blanket ban on the sale of location data. It does not just apply in the abortion context. It applies to any sale of location data to a private broker. Part of the impetus of this is there's kind of this loophole
Starting point is 00:22:40 that if a law enforcement agency, federal or state, purchases data, then they don't have to obtain a warrant to search that data. Whereas if they had not purchased it, they have to go through the traditional warrant process, get it approved by a judge. And who has time for that? Ain't nobody got time for that. So I think that has motivated legislators, including the lead co-sponsor or the lead sponsor here, Senator Elizabeth Warren, to introduce this bill.
Starting point is 00:23:08 That is the major thing this bill does. It also does other things. It gives a bunch of enforcement powers to the Federal Trade Commission. There's an allegation that they've been under-resourced over the past several years in rooting out these abusive trade practices, and it also gives individual users a cause of action to sue in state or federal court these data brokers to assert their right to private information. So it would be granting millions of potential users the right to sue these big companies. It would be a brand new cause of action. There are some exceptions in the bill. So activities that are compliant under HIPAA,
Starting point is 00:23:53 for example, things where, and I can't really think of a good example of this, but things where if the information was not sold, there might be a violation of First Amendment rights. And then things like national security, those are built in as exceptions, but it's a very broad piece of legislation. What do you think its chances are? Not good, Bob. Not great, Bob. Okay. As if he asks rhetorically. Yeah. So I get why these legislators are trying to do this in the wake of the draft Roe v. Wade or the draft opinion in Dobbs, which would overturn the Roe v. Wade decision. I think that there is sort of this political groundswell to protect people who are going to live in these states where abortion is outlawed.
Starting point is 00:24:39 What they are doing is introducing the most controversial issue in politics into a debate about data location, the sale of location data. And that might be the poison pill that kills it. You have a very closely divided House where it potentially could pass. And then you have a 50-50 Senate where to get anything passed that's not some sort of budget bill, you need 60 votes. And if this is motivated by the desire to protect people seeking abortion care, that's very unlikely to obtain 10 Republican votes. I will say that there are other efforts to constrain the government's or the ability of these companies to sell location data that have a better chance of succeeding, including Senator Wyden's bill,
Starting point is 00:25:29 which would simply require a warrant for any government agency to access data that was purchased by one of these companies. Take away that end around. Exactly. That stands a better chance of passage. I think that has more widespread bipartisan support, and it's not closely interlocked with such a divisive issue. But I don't see this Senator Warren legislation advancing in the near term, even though it is extremely relevant. Do you think we're headed towards a time when we get bipartisan agreement that enough is enough with this stuff?
Starting point is 00:26:07 Yes, I do, but I just don't know exactly what form that is going to take. I don't know if there is – I think there is bipartisan concern based on our experience in the past several years that something is foul about data brokers purchasing this very private location data and selling it to private sector entities, but also law enforcement. I think there's widespread concern that that's happening. Right. I don't know if there's widespread consensus that there needs to be a blanket ban on the purchase of location data. And the lobbyists haven't weighed in here. I mean, if we had a realistic effort to constrain those purchases, we'd start to see
Starting point is 00:26:47 advertisements. We'd start to see lobbying campaigns saying things that your consumers enjoy, things that they take for granted would go away if we weren't able to sell this very valuable data. So I just, I don't know that we've seen the full contours of this debate play out. And I don't think we will until there's a credible threat that this type of legislation is actually going to pass. Yeah. All right. Well, it's an interesting step along the way. I suppose it's a little discouraging that these things have a hard time getting better traction, but such is the way of things right now. Yeah, it sure is. Getting any legislation is hard to pass,
Starting point is 00:27:27 but certainly something where you have this controversial element to it makes things that much more difficult. All right. Well, Ben Yelin, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland
Starting point is 00:27:59 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Starting point is 00:28:20 Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
