CyberWire Daily - India investigates the possibility of cybersabotage. Walls are opaque to defenders, too. Recommendations for cyber nonproliferation. SolarWinds updates (with an SEC appearance).

Episode Date: March 2, 2021

Indian authorities continue to investigate the possibility that Mumbai’s power grid was hacked last October. Apple’s walled garden’s security can inhibit detection of threats that manage to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools. Ben Yelin has the story of legislators asking the military why they’re so interested in apps serving Muslims. Our guest is John Grange from OpsCompass with insights on the top cloud security mistakes organizations make. Updates on the SolarWinds incident (including an SEC probe into who knew what when). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/40

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Indian authorities continue to investigate the possibility that Mumbai's power grid was hacked last October. Apple's walled garden's security can inhibit detection of threats that manage to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools.
Starting point is 00:02:20 Ben Yelin has the story of legislators asking the military why they're so interested in apps serving Muslims. Our guest is John Grange from OpsCompass with insights on the top cloud security mistakes organizations make, and updates on the SolarWinds incident, including an SEC probe into who knew what when. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 2, 2021. Indian authorities are investigating the possibility that October's electrical outages in Mumbai were deliberately induced cyber attacks, presumably attacks originating in China, the Wall Street Journal reports. An ambiguous form of confirmation appears in the India Times, which writes that Maharashtra Energy Minister Nitin Raut on Monday said
Starting point is 00:03:31 that a New York Times report claiming that the massive power outage in Mumbai last year might have been due to a cyber attack from China was true. So, there was an outage, and it may have been due to a cyber attack, and that attack might have been mounted by China. Recorded Future's report on the RedEcho threat actor is interesting and suggestive, and it's worth repeating two of their findings, clearly the ones that have energized Maharashtra authorities. Quote,
Starting point is 00:04:01 The targeting of Indian critical infrastructure offers limited economic espionage opportunities. However, we assess they pose significant concerns over potential pre-positioning of network access to support Chinese strategic objectives. End quote. Recorded Future's Insikt Group continues, Quote, Pre-positioning on energy assets may support several potential outcomes, including geostrategic signaling during heightened bilateral tensions, supporting influence operations, or as a precursor to kinetic escalation, end quote.
Starting point is 00:04:38 Chinese government representatives have denied any involvement in cyber operations against India's grid, saying that China disapproves of hacking in all its forms. Technology Review reports that Apple's well-known lockdown walled garden offers clear security advantages, but that once a threat actor gets in, those very walls serve to protect their malicious activity from detection and expulsion. The walls are opaque, and security tools can't see through them any better than anything else. Apple acknowledges that there are trade-offs and that no lockdown is perfect,
Starting point is 00:05:18 but the company remains confident it's made the right trades. An Atlantic Council report discusses one aspect of cyber proliferation, the growth of access-as-a-service brokers. These vendors offer vulnerability research and exploitation, malware payload development, technical command and control, operational management, specifically by the U.S. and its allies, to first understand and partner with like-minded governments, elevating the issue and enacting appropriate controls. Next, shape by developing lists of troublesome vendors, standardizing risk assessment, incentivizing corporate ethics moves, and controlling sales and assistance to states that deal with banned vendors. And finally, limit by widening the scope of vulnerability disclosure, restricting post-employment activities for former government cyber operators, taking legal action against access-as-a-service
Starting point is 00:06:18 business, and encouraging technical limits on malware payload jurisdiction. The Atlantic Council's proposals don't amount to a call for a ban on corporate development as contractors of tools useful for cyber-offensive operations. Rather, the Council argues for an approach that would bring such companies' activities under the sort of regulation now exercised over traditional conventional kinetic weapons. Existing approaches to cyber non-proliferation, the study's authors argue, lack the granularity they would need to be effective, and the report's recommendations are intended to outline how such granularity might be developed.
Starting point is 00:06:59 Investigation into the SolarWinds incident continues, and as Recorded Future points out, the name SolarWinds seems increasingly inadequate, since nearly a third of the campaign's known victims were not SolarWinds customers and didn't use the company's Orion platform. So they think it might be time for a new name. They mention Holiday Bear as one possibility. Representative Peter Meijer, Republican from Michigan's 3rd District, suggested it during hearings on the incident. Bear because it's
Starting point is 00:07:31 clearly a Russian group and Holiday because it kept everybody busy over the holidays. The attack is known to have been a Russian operation, although the operator's precise place in Moscow's organization charts remains up for debate. It's also unclear how they got into SolarWinds in the first place. Interns and bad passwords seem unlikely to represent a sufficient explanation. What the threat actors were after is also up for debate. It's been suggested that it was direct espionage, theft of sensitive files and documents. There may have also been a counterintelligence dimension
Starting point is 00:08:07 to Holiday Bear's activities. There you go, Representative Meijer, we've used your name. They appear to have paid attention to security firms. It was FireEye that noticed them, after all, and they may have wanted to learn how U.S. organizations detected and tracked Russian cyber activity. And, of course, it could have been battlespace preparation, staging a persistent presence in networks where it could be used at some future point.
Starting point is 00:08:34 And finally, at least two of SolarWinds' largest investors have fallen into some legal water that, if it's not yet hot, is at least uncomfortably warm. The Washington Post reports that the U.S. Securities and Exchange Commission is investigating the possibility of insider trading. The Post says that private equity firms Silver Lake and Thoma Bravo led the sale of $315 million in SolarWinds shares days before the hack was revealed. The firms hadn't commented to the Post by the time the story ran, and SolarWinds itself says it's cooperating fully with the SEC. John Grange is co-founder and CTO of OpsCompass,
Starting point is 00:09:33 a provider of software-as-a-service cloud compliance and security products. He shares some of the top mistakes his team sees when it comes to cloud security. We're far enough into the cloud adoption phase in enterprises and in most businesses that we're kind of at, we're at the place where it really depends on maturity. Maturity matters a lot because you have some companies, even in traditional industries, large organizations that are incredibly cloud mature. You have other companies that might even be in the same industry, the same space,
Starting point is 00:10:04 be really just getting started. So the way I like to think about cloud security and the state of things today is this spectrum of maturity and this hybrid nature where companies are still struggling with how do they have one foot in the data center and one foot in the cloud, and a lot of the mistakes they make draw from that phenomenon. The companies who are doing it right, who are successful at this,
Starting point is 00:10:31 are there any commonalities that you see from them? You know, going to cloud is a difficult thing. And I think that as companies scale and grow and become more cloud mature, there's a little bit of a false sense of security that with all of their security controls and everything happening in the pipeline. And the idea that it's going to end up going into the cloud perfect and it's just this everything works scenario, that just really doesn't happen in real life.
Starting point is 00:10:56 Companies buy other companies, new teams start firing up new projects. The clouds are always adding more services, so there's a desire within lots of organizations to try these things out, to innovate more quickly. So what I actually see are these cloud mature organizations starting to overcorrect and starting to rely too much on really complex and advanced controls in the development stage of things. And they start to really ignore what's happening in the actual runtime environments in the cloud platforms themselves.
Starting point is 00:11:23 And how can they protect themselves against that? What sort of things can they put in place to keep them from going down that path? I think a lot of it is planning for error, planning for problems, planning for things changing. So what the really smart teams do after they've been beaten around a little bit, they start to have a more holistic approach to security.
Starting point is 00:11:46 Making sure that they have a robust ability to secure code and secure changes before they hit the cloud platforms, that's a big deal. But also having that kind of deep visibility into what's really happening in your cloud, what's really out there, ends up proving just invaluable.
Starting point is 00:12:04 One of the things I always like to remind people is that you're not going to get dinged on an audit. You're not going to accidentally spend too much money. You're not going to get breached in a place that's not even live in the cloud. It's something that doesn't exist. So you still really have to pay attention to what you have. That's John Grange from OpsCompass.
Starting point is 00:13:23 And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, it's always great to have you back. Good to be with you again, Dave. Article from Joseph Cox on Motherboard. This is Tech by Vice.
Starting point is 00:14:10 And the title is Lawmakers Demand Answers from Military on Muslim App Data. What's going on here, Ben? So it seems like a lot of data, particularly from Muslim-related apps, so things like a Quran app called Muslim Pro, which has 98 million downloads. That's a lot of downloads. So a lot of the data from
Starting point is 00:14:33 those apps have been sold to military contractors. When they're sold to military contractors, the United States government can get access to some of that data. So whether it's the Pentagon or its intelligence agencies, the U.S. government is getting hands on that data. So that has raised the ire of members of Congress because, you know, for a number of reasons. First and foremost,
Starting point is 00:14:59 these basically are suspicionless searches. If there really is a focus on Muslim-oriented applications, then we're getting a collection of data that has not been subjected to any type of – it's not a bulk pile of data in which you're collecting everything. And it's also not specific to an individual who's suspected of committing a crime or who's a suspected intelligence threat. It's in that in-between area where it can come off as discriminatory. So as a result, a bunch of members of the House of Representatives, including AOC and the two Muslim members of Congress, or two of the Muslim members of Congress, Representatives Ilhan Omar and Rashida Tlaib, have written a letter to the Secretary of Defense and to our intelligence agencies to just kind of get an idea of what's happening. They want to know how widespread this collection is, and in each instance where this data has been collected by the military and the intelligence community,
Starting point is 00:16:10 has there been any warrantless surveillance using this location data? So have any FISA applications been authorized as a result of this data collection? How many Muslim Americans have been impacted by this, etc.? I think one of the key issues here is this is a potential First Amendment problem. If people of a particular religious group think that they are being surveilled or being singled out for potential surveillance because of the applications that they use,
Starting point is 00:16:38 then they're going to be less likely to download those applications and that could have a chilling effect on the practice of their religion. So I think that adds to some of the danger here. Is there a possible defense here, for example, and I'm just being hypothetical, if the defense agencies came back and they said, oh yes, we're gathering this data from these Muslim apps, but we're also gathering data from Catholic apps
Starting point is 00:17:02 and from Jewish apps and from a number of – in other words, yes, we're using targeted apps to investigate people of religions, but we're doing all religions. Yeah, that's the sort of thing – this reminds me of when I was watching the confirmation hearing for the attorney general nominee Merrick Garland. He kept talking about looking for patterns in practice when you're trying to figure out whether something merits an investigation. So, you know, you look at things like, is it disproportionately targeting Muslim-based applications? You know, if the percentage of data being collected is disproportional to the number of applications that are targeted to Muslim audiences. That's when it would start
Starting point is 00:17:48 to be a problem. If this was something where they were uniformly collecting location data from all different types of religious-based applications and there wasn't a specific focus on one religion, I think they'd be on firmer ground. I don't think these
Starting point is 00:18:03 lawmakers would have sent that letter. But it does not appear that that's the case, and that's why you're seeing this pushback. How much of this is about religion? In other words, what if they were targeting apps that focused on gun owners, for example? I think, so, gun owners is an interesting hypothetical. Religion, I think, carries a particular importance because of its place in the First Amendment. So, you know, things like religion and political speech, anytime that is targeted, especially when it's targeted, you know, in a way that secular applications are not targeted, that's going to raise the ire of not only members of Congress,
Starting point is 00:18:47 but the judicial branch, because that's one of our most sacred rights. Gun owners, if you believe that the Second Amendment grants an affirmative right for individuals to own firearms, potentially could have that same sort of problem. I think you'd have perhaps a similar outcry. You know, I think religion carries sort of an extra burden. But, you know, for people who believe strongly in the Second Amendment,
Starting point is 00:19:17 perhaps gun ownership carries that special burden as well. Interesting. So this letter has been sent. They're expecting an answer. And then what happens? So, you know, I think they have a receptive audience within the Biden administration and within the Department of Defense. For that reason, I think it's possible these lawmakers and the agencies themselves can work on some sort of solution in a constructive manner. But if not, you could see legislation enacted like that proposed by Senator Ron Wyden in the Senate, which would require the government more generally to obtain a warrant before
Starting point is 00:19:56 it collects any location data. And maybe one of the impetuses for enacting such a law would be a story like this, where you see this power used in a discriminatory fashion, and that could be what motivates lawmakers to enact more of a broader law requiring some sort of judicial approval before any government agency collects location data. All right. Well, interesting indeed. Again, the article is titled Lawmakers Demand Answers from Military on Muslim App Data. It's over on the Vice website written by Joseph Cox. Ben Yelin, thanks for joining us. Thank you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:03 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Starting point is 00:21:23 Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin. Thanks for listening. We'll see you back here tomorrow.
