CyberWire Daily - FSB got NSA with an assist (witting or unwitting) from Kaspersky? Germany calls off mass surveillance investigation. Reality Winner stays in jail.
Episode Date: October 6, 2017. In today's podcast, we hear more on what happened with NSA material in (allegedly) Russian hands. Kaspersky security software alleged to have been exploited for intelligence service reconnaissance of ...contractor machine. Germany cancels post-Snowden surveillance investigation. Reality Winner will not be released on bail. Awais Rashid from Lancaster University on securing the supply chain. Guest is Timothy H. Edgar, author of "Beyond Snowden: Privacy, Mass Surveillance, and the Struggle to Reform the NSA."
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More on what happened with NSA material in allegedly Russian hands.
Kaspersky security software is alleged to have been exploited
for intelligence service reconnaissance of a contractor machine. Germany cancels a post-Snowden surveillance
investigation. A conversation with Timothy H. Edgar about his book, Beyond Snowden:
Privacy, Mass Surveillance, and the Struggle to Reform the NSA.
And Reality Winner will not be released on bail.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, October 6, 2017.
On Thursday, the Wall Street Journal reported that Russian hackers obtained highly sensitive material from the U.S. National Security Agency.
The material is said to be related to both network attack and network defense.
It was obtained from a machine belonging to a contractor
on which the sensitive information had been placed.
It's not known who the contractor was or for which company he or she worked.
As we saw yesterday, the story as it's known so far
indicates that the contractor's machine had Kaspersky security products installed. Kaspersky software has the reputation of conducting very thorough scans of
the machines it protects. The company touts this as a feature, not a bug, something that enables
its products to provide better protection against novel threats. Eugene Kaspersky put it this way
in a recent blog, we aggressively protect our users, and we're proud of it.
The breach is said to have occurred in 2015, but wasn't discovered until spring of 2016.
NSA veterans say off the record that they're not surprised by the latest incident,
and some researchers are beginning tentatively to connect the dots,
perhaps seeing early signs of an explanation of the Shadow Brokers' leaks,
which began a few weeks after NSA discovered the compromise. Late last year, the Washington Post
reported that there was another unknown leaker, a third man after Snowden the first and Martin
the alleged second, and the Post has indicated that this latest revelation is that third man.
Kaspersky's been under a cloud within the U.S. government for the better part of
the year. The cloud appeared this spring with FBI discussions about the possible risks the Russian
software maker posed, and it boiled up into a storm when the Department of Homeland Security
issued Binding Operational Directive 17-01 on the 13th of September. That directive, as DHS
described it in their announcement,
calls on departments and agencies to identify any use or presence of Kaspersky products on
their information systems in the next 30 days, to develop detailed plans to remove and discontinue
present and future use of the products in the next 60 days, and at 90 days from the date of
this directive, unless directed otherwise by DHS based on new information,
to begin to implement the agency plans to discontinue use and remove the products from information systems. Kaspersky and the company's defenders have asked for evidence, and the
Kaspersky line has been that the company is an innocent victim caught in the ongoing diplomatic
crossfire between Washington and Moscow. But even such open-source grounds have seemed to the
government and to many observers sufficient grounds for prudent suspicion. The latest
development suggests there are indeed other very specific grounds for suspicion of Kaspersky Lab
and its products. Kaspersky researchers, coincidentally or not, delivered a major
paper on the difficulties of attribution this week. It focused on the way false flag operations are carried out by intelligence services.
Russian semi-official media see the outcry against Kaspersky as a case of Western security
services carrying water for Kaspersky's non-Russian competitors.
Ars Technica wrote today that whatever the outcome of the investigation may be,
the accusations most certainly mean the end of Kaspersky as we know it, end quote.
Kaspersky has long maintained its innocence of nefarious cooperation with the Russians,
and Eugene Kaspersky blogged his outrage at the U.S. Congress having canceled his opportunity
to clear his company's name by testifying on Capitol Hill.
That cancellation came before these latest revelations.
It's possible Kaspersky products may have been subverted without the company's knowledge,
and some of the initial reactions to this latest story seem to credit that explanation.
As we've noted, Kaspersky products do scan aggressively
as part of the protection they're designed to provide.
In this latest NSA case, that protection may have
been exploited as, in effect, reconnaissance for the Russian FSB, showing them where the good stuff
was to be found. German authorities have dropped their post-Snowden investigation of alleged GCHQ
and NSA surveillance of German targets, including Chancellor Merkel's phone. We've also noticed an uptick in German security firms
touting their Made in Germany credentials,
with not a few of them pointedly adding,
Unlike Kaspersky.
Turning to some other breach news,
Forbes reports that in addition to its problem
with inadvertently exposed data,
Deloitte also had some employees successfully catfished
by Iranian operators
using a bogus Facebook page. The Iranian catfishing seems to be unconnected with the data exposure.
And finally, that other accused NSA leaker, Reality Winner, is going to remain in jail as
she awaits trial. U.S. Magistrate Judge Brian K. Epps said in his ruling denying her bail, "By her own words and actions, Winner has painted a disturbing self-portrait of an American with years of national service
and access to classified information who hates the United States
and desires to damage national security on the same scale as Julian Assange and Edward Snowden."
And joining me once again is Professor Awais Rashid.
He heads up the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Welcome back. We wanted to talk today about cybersecurity issues in supply chains.
We often think of cybersecurity in the context of an organization that we want to protect,
but many threats actually arise from the supply chain itself.
For instance, think of an organization with critical national infrastructure.
It will have many complex supply chains with a number of other parties providing software and hardware components, third-party services,
there will be distributors involved, there will be transporters involved, engineers,
and third-party staff coming on site. And all that creates a much more complex environment
than we normally think of as cybersecurity within the confines of a single organization.
The challenge is that we normally focus our efforts on protecting the network and the infrastructure
and the information of the organization in question, which is, of course, very important.
But not enough attention is often paid to the threats that arise from the supply chain. And we have seen various examples where threats arising in the supply chain
then end up impacting the organization under consideration.
How do we deal with this kind of issue?
I think the key thing has to be to think of the supply chain as a sociotechnical ecosystem
that includes technologies, but a multitude of organizations
as well. And all the cybersecurity practices of the various actors within the supply chain
actually then have an impact on the overall security and resilience of the whole supply
chain itself.
And in terms of an organization budgeting for these sorts of things, I guess
it's really a matter of having to look outside of your own organization and make sure that you have the resources to be able to properly
vet everyone in your supply chain. Yes?
Yes, I think it's a resourcing question, but also it's
a risk thinking question. So at a strategic level, when decisions are being made about particular
organizations coming in as part of the
supply chain to your organization, you have to ask the question, and not only just what
kind of security certification or compliances do they have, for example, things like ISO
27001, but what are their actual security practices?
And would those security practices have an impact onto your organization?
So let's take Stuxnet as an example of this. We've actually been looking at this in collaboration with a company in the UK called
Netitude, and we've been looking at how the supply chain issues arise in critical infrastructure.
And if you look at Stuxnet as an example, the worm spread through potentially infected USBs
or machines being carried into the nuclear power plant by third-party engineers.
And that's the kind of threat that arises.
And the kind of practices at an organization in the supply chain have an impact on what happens to you.
Interesting stuff to look out for.
Awais Rashid, thanks for joining us.
My guest today is Timothy H. Edgar.
He's the academic director at Brown University's Executive Cybersecurity Program and author of the book, Beyond Snowden, Privacy, Mass Surveillance, and the Struggle to
Reform the NSA. Mr. Edgar was a civil rights lawyer with the ACLU, and then a civil liberties
protection officer for the Director of National Intelligence under Presidents Bush and Obama.
To say it was a culture shock would be a bit of an understatement. When I went into the government,
it was at the end of the George W.
Bush administration, really the middle of the second term. And at that time, there was enormous
tension between the national security establishment and the privacy and civil liberties community.
There's always some tension, but this was really a time when the government was seen as overreaching in its surveillance programs and its counterterrorism programs.
But there was an opportunity there to make a difference by going to a new office, a privacy office inside the head of the intelligence community.
That's the director of national intelligence.
And so I kind of took a big gulp and decided to make that leap and go inside.
And I still remember some of the shocked expressions on some people's faces when they
asked me where I had worked. And they were expecting to hear, oh, I was at the FBI,
or I was at the CIA, or I was at the NSA, which is what most of my colleagues would have said.
And I said, well, I was at the ACLU and we were actually fighting you guys on a
number of these programs. And now I'm here to see how they work in detail and see if I can suggest
any kinds of safeguards or improvements in these NSA surveillance programs and other
collection programs to protect privacy better. There's a point you make in the book about the
overall professionalism of people
inside the NSA, that they take their work very seriously and they take the rule of law very
seriously. I think that's a part of the story that not many people hear much about. I think that's
right. And one reason I wrote the book is to provide people with a glimpse inside both camps and to understand that it's possible
to have very dedicated intelligence professionals doing their job and largely adhering to the law
and still have a massive problem when it comes to privacy and mass surveillance. And it's because
of the law being out of date and because of the pressure that's
put on an intelligence community to always get all the data that policymakers want to stop every
terrorist attack, to get every valuable piece of intelligence from overseas. And you put people in
that position, and this is somewhat inevitable. And one of the things I give a lot of credit to Edward Snowden for in the book, and he's not a popular figure among my former colleagues in the intelligence community, but I give him a lot of credit for opening up that conversation so that we can actually reform some of these programs. And we have, in the past four years, adopted major reforms as a result of
the Snowden revelations. I don't think they go far enough. But we have had an opportunity to talk
about, you know, privacy rights for foreigners. We've never done that before. To talk about much
more transparent way of dealing with documents like opinions from the Foreign Intelligence Surveillance Court. We've
released a lot of those. And we've reformed some of our domestic bulk collection programs. Congress
had a debate about that in 2015. Transparency really helps to square that circle so that the
dedicated intelligence professionals that are working for the NSA and these other agencies can do their job under the law,
but those laws can actually protect our privacy better than they do now.
What do you hope people take away from the book?
Well, I hope they understand that although we have built these massive mass surveillance programs,
we are not stuck with either throwing up our hands and accepting that loss of privacy or just dismantling them all and deciding that that's the price of a
free society, that we can have a system of surveillance that protects privacy. But in
order to do that, we really need to seriously overhaul the way in which we do oversight of these intelligence programs, the checks and balances we have for them, the laws that apply to them.
And we did this before, back in the 1970s, but now it's 2017 and we need to do it again and we need to do it in a way that reflects our mass surveillance age, our digital
age, and especially our global age. And that's going to mean doing a lot of things a little bit
differently. So I've laid out a specific set of recommendations for reform, but I think beyond
those specific changes we can make, the main point is a hopeful one. The main message is a message
that says we actually can reform these surveillance programs
in order to make them more protective of privacy.
We've done it in the past.
We've started to do it because of the Snowden revelations, but we've got a lot more work to do.
That's author Timothy H. Edgar.
The book is Beyond Snowden: Privacy, Mass Surveillance, and the Struggle to Reform the NSA.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.