CyberWire Daily - Daily & Week in Review: Hacktivists hit Library of Congress, Stingrays and Security Clearances
Episode Date: July 22, 2016
In today's podcast, hacktivists return to DDoS: the Library of Congress is hit. AKP emails continue to receive scrutiny. A look at the jihadists' toolbox. Some quick takes on automotive cyber security, as the industry moves toward fully autonomous cars. Wassenaar and the DMCA still aren't getting much industry love. And we talk to attorney Tom Coale about security clearances and Ben Yelin on the constitutionality of Stingrays.
Transcript
You're listening to the CyberWire Network, powered by N2K.
In today's podcast, hacktivists return to DDoS: the Library of Congress is hit, AKP emails continue to receive scrutiny, a look at the jihadist toolbox, some quick
takes on automotive cybersecurity as the industry moves toward fully autonomous cars.
Wassenaar and the DMCA still aren't getting much industry love, and we talk to the lawyers
about security clearances and the constitutionality of Stingrays.
The cell phone intercept tools, not the fish.
The fish are completely constitutional.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, July 22,
2016. Ransomware and distributed denial of service have been the principal trends in cybercrime this year, and an Akamai study of the second suggests that criminals may be preparing long-duration campaigns. Technicians who can help enterprises mitigate DDoS attacks
are in high demand, both by enterprises and by security service providers. In some cases,
the denial-of-service attacks are done with a criminal objective, often extortion of businesses
dependent upon reliable access to their sites. Other attacks are hacktivist in motivation.
The U.S. Library of Congress has acknowledged that it sustained one such DDoS attack that began Sunday.
TurkHackTeam claimed responsibility on a message board, but that attribution is unconfirmed.
TurkHackTeam is a patriotic hacktivist group.
They've previously been active against Chinese sites in protest against what they perceive as the maltreatment of ethnic Turkic peoples in the People's
Republic of China. The Library of Congress seems likely to be a simple high-profile target of
opportunity. The attack has been contained and is now under investigation. Observers continue to
sift through the hacked AKP emails as the Turkish government firmly reestablishes control over the country.
The pastebin dump in which they were exposed is accompanied by the hacker's explanation of his motives,
sympathy with the frustrated aspirations of some groups within Turkey.
Most agree that Phineas Fisher is indeed behind the hack.
Flashpoint has released a report detailing the technical toolkits being used online by jihadists adhering to ISIS and its competitors.
The report is interesting in the clarity of its recognition that ISIS is fundamentally, for now, engaged in information operations.
While the study acknowledges that ISIS has expansive aspirations to extensive cyber attack capabilities, the jihadist core requirement remains, quote, consistent channels through which
they can release propaganda, end quote. And that propaganda is fundamentally inspirational and
persuasive. Flashpoint sees the jihadist technologies, therefore, as falling into
these categories: secure browsers, virtual private networks and proxy services, protected email
services, mobile security applications, encrypted messengers,
and mobile propaganda applications. So, while ISIS's aspirations to a true offensive cyber
capability cannot prudently be overlooked by the civilized world's security and intelligence services,
for now the caliphate is more concerned with ensuring its ability to get its message out.
Can you keep a secret?
For many in the cybersecurity world, the answer is yes,
and that ability is, for some, put to good use through a government security clearance.
Tom Coale is an attorney with the law firm of Talkin & Oh,
and we asked him to take us through some of the basics of getting cleared.
So the government does an evaluation to decide whether or not,
and this is the standard that they use,
it is clearly consistent with the government interest to entrust an individual with the government's secrets.
And there are different classifications from, you know, literally just personnel information,
social security numbers and dates of birth and things of that nature to the highest level, which is top secret SCI, which is a mechanism by which the government separates apart different pieces of protected information amongst different groups so that one person may know one bit of that information.
Another person may know another part, but rarely does one individual know all of the different aspects of a government program. So if you find yourself
up for a job where a clearance is required, you begin with an application, which gets submitted
to an agency for review. There will be different levels of investigation. The slightest will be an
interview with a government investigator, and at the most heightened level of clearance you'll have a polygraph.
And within that there are different levels of polygraph, whether it is full scope or lifestyle.
And they'll ask you questions; you know, they often start before they even hook you up to the machine by saying, tell me something that you are concerned
about discussing with me today. And that is when people normally just say all of their life secrets
all at once before they even get hooked up. Little do they know that once they are hooked up,
they're going to get follow-up questions about everything that they just said.
I asked Tom Coale to describe some of the most common disqualifiers he sees.
Let me start with the one that most people don't appreciate, and that is significant debt.
Normally, if an individual has over $20,000 in delinquent debt, meaning over 90 days due,
that will trigger a denial. And that can be in a circumstance where a credit card is shared with a spouse
and they're not aware that they have this debt hanging out there. And I won't say those
are common, but they happen enough and they are more often than not a surprise to the
applicant when they happen. What also happens is a lot of people think that if they've ever
used drugs, if they have any, you know, offense in
their background, that they will disqualify themselves from a clearance. And I can tell you
that more often than not, depending on the passage of time, past indiscretions will not disqualify
someone from a clearance. So those people that tell themselves, oh, I could never have a clearance because I smoked pot in college, that is just not the case.
Now, the cases that I most often see are those who have some repeat behavior such as DUIs, DWIs, drunk and disorderlies, or drug offenses. And one thing you'll see over and over again is the phrase pattern of behavior, because that is when the government's going to say, you might be a perfectly fine individual,
but we can't trust you with our secrets because we don't know if when you are inebriated or
when you are exercising this pattern of bad judgment, that's going to then implicate the
government's concerns.
What about things like adultery?
So adultery actually does come up, but normally only comes up in two circumstances.
One is if the adultery is committed while the individual is in the armed services,
because adultery is not necessarily a criminal offense,
although it is identified in the military justice code,
but you can be written up and brought before a tribunal for adultery. And the government's
concern is not so much the adultery itself, but rather that you knew that this was a rule that
you had to follow, and yet you breached it anyway. And that is where the government's
concern comes in. So a tendency
not to follow the rules. The other circumstance where adultery may come into play is if the
individual is susceptible to blackmail. So the adultery itself, again, is not a concern. But
if the individual, and I've seen this before, is making payments to someone to not disclose that adultery or is under threat that that will
be disclosed, particularly if they are living a lifestyle that they're prominent in their church,
as an example, where that disclosure could have consequences outside of ruining their marriage.
The government is very concerned about those instances because, one, that is a
common area of compromise to sort of trap someone in that way and then have that information and
use that to extract information. And two, again, it goes back to that issue of judgment of what
did you do to get yourself into this circumstance and why weren't you thinking better about that
when you did it? Based on his experience, Mr. Coale offers some advice for making your way through the
process. I'd say the first thing is not to disqualify yourself. I think, unfortunately,
so many people are just insecure about the process and concerned about being denied that
they won't even begin the application process. The second most important piece of advice is to know yourself
and to be truthful with yourself in terms of your background
because the more you understand about the areas of concern
and the more forthright, again, without disclosing too much,
but the more forthright you are about past offenses, past troubles,
the better off you're going to be later in the process
because the government
investigator at the very least will say this person is telling me the absolute truth to the extent
that they know it. Because the worst scenario is when there's a surprise because chances are
the applicant has not disclosed it. Chances are it is much more serious than the applicant had
originally considered. And also you have the shortest amount of time to mitigate against it.
If an applicant knows that they have a DUI, before they even submit the application, they
can go into AA and complete abstinence from alcohol.
And by the time it eventually gets to an area where the clearance is at issue, they can
say, look, I've done this to mitigate the government's concern even before
my clearance was denied. That's Tom Coale. He's an attorney with the Maryland law firm of Talkin & Oh.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at
the University of Maryland Center for Health and Homeland Security. Ben, there was an interesting
case recently in the U.S. Southern District of New York about a Stingray device. Important
ruling here. Before we dig into that, explain to our audience,
what are we talking about when we're talking about a Stingray device?
So Stingrays are known as cell site simulators. And what they do is they mimic cell phone towers
and basically trick cell phones in the area to transmit identifying pings, so to speak,
back to the devices. And the consequence of this is that law enforcement are
able to track a suspect's phone, even though the suspect is unaware that they're revealing
location information. So it's a very potentially important tool for law enforcement to get location
identifying information to use as evidence in criminal trials. All right, so let's move into this case in the Southern District of New York.
What happened here?
A U.S. District judge by the name of William Pauley decided that the defendant in this case's
rights were violated when the Drug Enforcement Administration, the DEA,
was able to use this device without a warrant.
This judge, just for a little context, was the one that actually upheld the bulk phone metadata program as constitutional a couple of years ago.
So it's significant that this judge would come to such a different conclusion in this case.
He used the precedent of a case called Kyllo v. United States. And in that case, law enforcement used a thermal imaging device
to figure out how much heat was being emitted from a suspect's home
to determine whether that suspect was using marijuana.
And the Supreme Court held in that case that because that technology was not widely available to the public,
a person should have a reasonable expectation of privacy
that it will not be used against them.
And as we know from our previous discussions,
that is the standard for whether there is a search
under the Fourth Amendment,
whether somebody's reasonable expectation of privacy
has been violated.
And I think Judge Pauley just went on the same path here.
This is a technology that is not widely available; the suspect would not know or should not have known that he would have been revealing
identifying information about his location. In that sense it violates the reasonable expectation
of privacy, and it's a search for Fourth Amendment purposes. Now, I should note that this just means that from now on,
law enforcement would have to get a warrant. It's not prohibiting stingray searches, but
it does add a level of judicial oversight. Law enforcement will now have to go to a magistrate
and get a warrant for these devices. Is there a sense that they'll appeal? Is this something
that we could see go to the Supreme Court? I think it's very possible. The Department of Justice has said that they're looking into appeals.
I think this is an issue that's going to come up in other circuits. We've already seen it here in
Maryland. The Maryland Appeals Court in March was the first appellate court to review evidence
obtained using a Stingray device and was the first to suppress that evidence.
This was a state appellate court,
and the case here in New York was in the federal appellate courts.
I think if we see disagreements among federal courts themselves
and between state and federal courts,
this is definitely an issue that could make its way to the Supreme Court.
All right, Ben Yelin, thanks for joining us.
We'll keep an eye on it.
The Cyber Wire is covering the Billington Automotive Cybersecurity Summit in Detroit today.
We'll have a full report Monday after the conference closes. But for now,
two interesting themes are the automotive industry's full-throated embrace of the
white-hat hacking community and the FBI's direct promise to treat as victims companies whose networks or products are hacked.
That promise goes surprisingly far.
A bureau speaker directly said that the FBI, quote,
would not provide opinion or commentary, end quote, to regulatory bodies.
Concerns that going to law enforcement for help when you're hacked amounts to inviting nemeses into one's business... The automotive industry also seems to have embraced those white hats in the form of crowdsourced bug hunting for bounties.
How this gig economy form of penetration testing and vulnerability research will play out
in terms of ancillary issues such as legal liability remains to be worked out,
but the industry as a whole seems set on the bug bounty road.
Many of the sessions have been discussing the cybersecurity best practices released yesterday by the Auto ISAC.
Its recommendations fall into seven categories: governance, risk assessment and management, security by design, threat detection and protection,
incident response and recovery, training and awareness,
and collaboration and engagement with appropriate third parties.
Their implementation is likely to be flexible.
Many speakers expressed
satisfaction that the automobile industry evolved these best practices before it sustained a major
successful cyber attack. Leaving Detroit and that part of the internet of things that you can ride
in, we turn to the portion that you live in, the smart home. The Tor Project has turned its
attention to ways of helping secure the devices in smart homes
by rendering them more anonymous, which is to say less accessible to the ministrations of attackers.
Finally, some cyber regulatory systems still can't get much love from the security industry.
Both the Wassenaar cyber arms control regime and the Digital Millennium Copyright Act, the DMCA, remain unpopular.
Industry still isn't happy with how Wassenaar is shaping up,
and the Electronic Frontier Foundation has initiated a court challenge to the DMCA.
In both cases, people see a worrisome tendency to inhibit, if not criminalize, security research.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.