CyberWire Daily - Hybrid war warnings over Russian designs on Ukraine. Senators ask about CIA bulk surveillance. No charges against reporter who inspected a website. Hacktivists or vigilantes?
Episode Date: February 14, 2022. The US and the UK warn of the possibility of false-flag provocations as Russia keeps the pressure on Ukraine. NATO members and others issue warnings of the threat of Russian cyber operations spilling over the Ukrainian border. Two US Senators want an accounting from the CIA over an alleged bulk collection operation. No charges filed in the case of a reporter who viewed a website source. Hacktivism and vigilantism. 49ers hacked. Daniel Prince from Lancaster University on improving security in agile health IoT development. Rick Howard targets supply chain issues with the hash table. And have a careful Valentine’s Day. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/30 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
The U.S. and U.K. warn of the possibility of false flag provocations
as Russia keeps the pressure on Ukraine.
NATO members and others issue warnings of the threat of Russian cyber operations spilling over the Ukrainian border.
Two U.S. senators want an accounting from the CIA over an alleged bulk collection operation.
No charges filed in the case of a reporter who viewed a website source.
The 49ers were hacked.
Daniel Prince from Lancaster University
on improving security and agile health IoT development,
Rick Howard targets supply chain issues with the hash table,
and have a careful Valentine's Day.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 14th, 2022.
President Biden and Putin spoke Saturday in negotiations aimed at reducing tensions over Ukraine,
but without result, the Washington Post wrote,
and U.S. sources subsequently said the risk of a Russian invasion remained high.
The Wall Street Journal reports that Russian influence operations, ranging from disinformation to bomb threats, have continued unabated,
and that many Ukrainians feel themselves already fully on the receiving end of a hybrid war.
The Ukrainian armed forces have also warned that Russian deployments amount to encirclement, the Telegraph reports.
An analysis in the New Atlanticist looks at Russian exercises in Belarus and assesses that an invasion of Ukraine would concentrate on air superiority, close air support, long-range fires, intelligence collection, and combat sustainment.
The Organization for Security and Cooperation in Europe, OSCE, has told its members that a number of countries were withdrawing their staff from the OSCE ceasefire monitoring mission in Ukraine.
The OSCE has for some time been a burr under the Kremlin's saddle, and the Russian Foreign Ministry was quick to denounce the announcement as a ploy intended to inflame tension in the region. The Washington Post quoted Foreign Ministry spokeswoman Maria Zakharova
as saying that various states were seeking to manipulate the monitoring mission through filthy political games.
Japan, Australia, New Zealand, and the Netherlands have all asked their citizens to leave Ukraine,
apparently as a reaction to the U.S. warning
that a Russian invasion might come as early as this week.
Some international airlines have suspended flights to Ukraine, and Kiev has, according
to The Guardian, allocated $592 million to pay for measures to secure Ukrainian airspace
in the hope of encouraging the resumption of flights.
The U.S. grew newly concerned about a Russian false flag provocation
designed to provide Moscow with a casus belli against Ukraine,
bogus but minimally plausible.
The Washington Post says that the U.S. intelligence community's warning of that possibility
prompted the U.S. to withdraw diplomatic personnel and urge Americans to leave Ukraine. The provocation is believed to be
different from the one the U.S. warned against last week. Those earlier reports suggested that
Russia was preparing a staged atrocity film showing fictitious Ukrainian outrages against
ethnic Russians in the eastern part of the country. The GRU was identified as the operator of a website, DonbassTragedy.info, that represented
itself as a portal run by human rights advocates working in eastern Ukraine.
The portal retailed atrocity stories and a disinformation campaign directed against Ukraine.
Both the British and U.S. governments hope that disclosure
of intelligence with an unusual degree of public transparency will serve to dissuade Russia from
renewing an invasion of Ukraine. The warnings have been explicit. The U.S. CIA is said to have
assessed that Russian forces are prepared to move into Ukraine this Wednesday. A White House official
said on background Saturday,
Shields up, or so the U.S. Cybersecurity and Infrastructure Security Agency
put in an advisory published Friday evening.
Despite the Trekkie-themed framing of the alert,
it's a serious advisory. CISA cites a Russian threat and says the warning represents a shift
toward a proactive defensive policy. The agency explains the warning's motivation as follows,
quote, Notably, the Russian government has used cyber as a key component of their force projection
over the last decade, including previously in
Ukraine in the 2015 time frame. The Russian government understands that disabling or
destroying critical infrastructure, including power and communications, can augment pressure
on a country's government, military, and population and accelerate their acceding to Russian objectives.
While there are not currently any specific
credible threats to the U.S. homeland, we are mindful of the potential for the Russian
government to consider escalating its destabilizing actions in ways that may impact others outside of
Ukraine. Based on this situation, CISA has been working closely with our critical infrastructure
partners over the past several months to ensure awareness of potential threats, part of a paradigm shift from being reactive to being proactive,
end quote. The advisory goes on to offer familiar advice that any organization might apply to
reduce the likelihood of a damaging cyber intrusion, taking steps to quickly detect a
potential intrusion, ensuring that the organization is prepared to respond if an intrusion occurs
and to maximize the organization's resilience to a destructive cyber incident.
CISA closes by urging organizations to study the detailed prescriptions
specific to Russian cyber operations that the agency issued last month.
Estonian authorities say their country has been on the receiving end of Russian cyber attacks,
but only at roughly the normal rate.
The crisis over Ukraine seems not to have produced an increase
in the Russian cyber op tempo against Estonia.
The Wall Street Journal and others report that U.S. Senators Ron Wyden, Democrat of Oregon,
and Martin Heinrich, Democrat of New
Mexico, both members of the Senate Intelligence Committee, have asked the CIA to declassify and
release information on a bulk collection program that may have extended to some domestic surveillance.
It's not clear from the senators' heavily redacted letter what the scope of the surveillance would
have been, including whether U.S. citizens
were directly targeted or were the inadvertent bycatch of collection against foreign targets.
The news, Fortune observes, is likely to have an unwelcome effect on U.S. tech companies
operating in Europe, as it's likely to arouse suspicion of GDPR violations.
A St. Louis Post-Dispatch reporter who found personal
information exposed on a website operated by the Missouri Department of Elementary and Secondary
Education will not, after all, be prosecuted for a computer crime. The Cole County prosecutor,
to whom the case was referred at the insistence of Missouri Governor Parsons,
has declined to file charges.
To review, the reporter's offense in the eyes of Governor Parsons was to have viewed the page
source on the Department of Elementary and Secondary Education site, where he saw personal
information about teachers coded into the HTML. He disclosed responsibly what he'd found to the
department, which initially intended to thank him.
Until, that is, the governor heard of it and decided that the journalist must have hacked the site.
Because the reporter looked at the code, the governor apparently took this to mean that the reporter had illicitly broken the site's encryption,
as opposed to, say, hitting Control-U while he looked at the page.
The governor directed that the case be referred
to the Cole County prosecutor. The FBI advised the state that as far as it could tell no one had
broken any laws, and the prosecutor's minimalist statements about the whole affair suggest a more
realistic understanding of the internet than apparently prevails in the governor's office.
Still, some think that loosely worded
Missouri computer crime statutes may bear part of the blame. CISA director Easterly tweeted approval
of the Cole County prosecutor's decision. She says it makes responsible disclosure easier.
You don't have to make the Super Bowl to be a target for cybercriminals, and playing in Silicon Valley doesn't confer any immunity either.
Bleeping Computer reports that the San Francisco 49ers were affected by a ransomware attack on Saturday.
It's unclear how successful the attack was, but the 49ers are working on remediation.
The BlackByte ransomware crew has claimed responsibility.
It's Valentine's Day!
Did you notice?
The scammers have.
The U.S. Federal Trade Commission says that romance scams in general hit record highs in 2021.
We would add that you can expect them to continue.
Unlike some of you, you know who you are.
The scammers haven't waited until the last minute to make their annual
observance toward matters of the heart. They are up and at them, not waiting until the 11th hour
to buy flowers, candy, stuffed animals, or whatever the criminal equivalents of those things are.
So be appropriately on your guard for e-commerce fraud, advanced fee scams, and artful catfishing.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to
bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show the CyberWire's own Chief Security Officer and Chief Analyst, Rick Howard.
Rick, welcome back.
Hey, Dave.
So, not surprising to anyone in our audience.
First of all, you and I are both men.
I'm glad you noticed that.
Yeah, well, and more importantly than that,
neither one of us are what could be accurately described as young men. And so with both of those
categories linked together, that means that I think it's fair to say that both of us are hesitant to
admit when we were wrong. Oh, yes. It's really hard for me to do.
That's right.
But in this case, in this case, last time you and I spoke,
you actually spoke in error and you wanted to set it right today.
So what exactly did you screw up on last week's show?
Yes, indeed.
Well, we were talking about supply chain attacks,
if you remember.
And I made the point that even though
we've had some high-profile attacks recently,
like SolarWinds, Accellion, and Log4j,
that these kinds of attack vectors
have been around for years.
And I mentioned that the bad guys
who attacked Home Depot in 2014
used this third-party digital supply chain technique.
And that's where I screwed up.
Okay, right there.
Okay.
It wasn't Home Depot in 2014.
It was Target in 2013.
And my only excuse is that I can't remember my children's names most days of the week.
So, you know, cut me some slack. And as one of my favorite comics, Craig Ferguson, on his late-night talk show, used to say,
I look forward to your letters.
Go.
Well, you know, the thing is, Rick, lucky for us, cybersecurity professionals,
particularly the ones who, again, are in that category like you and I, older men, are not at all pedantic.
They don't like it.
They're not sticklers.
Not sticklers for any of those details.
So I think you're probably in the clear.
They're not important.
Why should we worry about little details like that?
Okay.
That's right.
All right.
Well, getting to this week's CSO Perspectives show, I understand you have a new expert that
you've invited to the Cyber Wire hash table. Who's the new guest? Well, you know her, Dave. In fact, you talked to her last week
on the Daily Podcast. It's Amanda Fennell, the CIO and CSO of a company called Relativity,
and she hosts the Security Sandbox Podcast, the latest addition to the CyberWire's collection of
security podcasts. And when I heard she was
joining our family, I immediately contacted her to be on our bench of security experts that help
us understand this kind of changing landscape. And she didn't hesitate. By the way, she's awesome,
right? She's very smart and highly articulate about how to explain all this stuff. And so for
this show, I asked her to walk us through how her company, Relativity,
handled the Log4J crisis over the holiday break this past year.
All right. Well, look forward to that.
That is part of CSO Perspectives on CyberWire Pro.
You can find that on our website.
Rick Howard, thanks for joining us. Thank you.
And I'm pleased to be joined once again by Daniel Prince. He is a senior lecturer in security and protection science at
Lancaster University. Daniel, it is always great to welcome you back to the show. You and I have
spoken previously about health IoT security issues. And I know something that is on your mind
is making sure that the folks who are developing these things understand the folks that they're up
against, some of those threat actors. What exactly are you working on here? Yeah, so our research project here at Lancaster,
which is funded under the National IoT Center for Security and Privacy, PETRAS, in the UK,
we're looking at this idea of how do we help developers understand the threat actors and the ways that they operate
so that they can really try to start to enhance
the security of their products
using agile development methodology.
So we're specifically focusing on agile development approaches
for health IoT.
And so can you give us some examples of how that plays out?
So one of the key things that we're looking at here is allowing the companies that are
doing the development to understand these actors and really getting a good sense of
how they might attack their products and what they might want to seek to achieve.
I mean, one of the classic things that I talk about when I'm teaching is that computers
don't attack computers.
It's individuals performing some action via computers. And so it's about these groups and
these attackers and how they might be seeking to undermine the security and the safety, therefore,
of their products. And so by getting them to think, the developers to think about how the
threat actors might be targeting their devices and building scenarios and helping them to understand
the different types of approaches.
We can also help them to understand the potential exposures
and the risks that they've got potentially coming down the line
so that they can start to put countermeasures in much earlier.
And there's some information out there, some research out there,
that kind of says the earlier you fix these security problems,
the less it's going to cost you long term. And it's kind of almost, you know, an exponential
growth in the cost from, you know, initial product idea to out in the wild in terms of the costs
associated with fixing security issues. And so by taking this back early in the development cycle and fitting our approaches within weekly sprints and so on,
or two weekly sprints, and getting people to think about this,
has the effect that there's a continual improvement.
But also one of the other things that we're hoping to see is
because you're covering the security aspects every two weeks
and you're thinking about it in a structured way,
it remains at the forefront.
Unlike other concepts around security
where you may do a security audit every six months
or every three months at most,
you don't have to worry about it until 12 weeks down the line.
The fact that you're having to consider these security aspects
and who might be after you every couple of weeks
alongside the kind of the core features that you want to develop
really helps to embed that as part of the security culture.
So it's this constant improvement and working towards, you know,
a secure, minimal, viable product within Agile,
but also the constant raising of awareness of security issues.
We're hoping to see an overall improvement in security.
All right. Well, Daniel Prince, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security, Ha!
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Trey Hester, Brandon Karp, Eliana White, Puru Prakash, Justin Sebi, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki,
Thanks for listening. We'll see you back here tomorrow. Thank you.
AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.