CyberWire Daily - International cyberespionage: China and Russia versus the Five Eyes and others. Google faces an anti-trust suit. Abandonware.

Episode Date: October 20, 2020

America’s NSA reviews twenty-five vulnerabilities under active exploitation by Chinese intelligence services. The UK’s NCSC accuses the GRU of more international cyberattacks. The US Justice Department brings its long-expected anti-trust suit against Google. Ben Yelin examines overly invasive company Zoom policies. Our guest is Jessica Gulick from Katzcy with a visit to the Cyber Carnival Games. And a warning on “abandonware.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/203

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 America's NSA reviews 25 vulnerabilities under active exploitation by Chinese intelligence services. The UK's NCSC accuses the GRU of more international cyber attacks. The U.S. Justice Department brings its long-expected antitrust suit against Google. Ben Yelin examines overly invasive company Zoom policies.
Starting point is 00:02:22 Our guest is Jessica Gulick from Katzcy with a visit to the Cyber Carnival Games. And a warning on abandonware. Thank you. studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 20th, 2020. The US NSA has just released an advisory warning that 25 vulnerabilities are under active exploitation by Chinese government cyber operators. All 25 vulnerabilities are well known and have available patches and mitigations. You can find the discussions as the top entry today in the news section of NSA.gov. The Guardian reports that the UK's National Cyber Security Center has disclosed that working with its Five Eyes partners in the US NSA, NCSC discovered and tracked Russian plans to interfere with the postponed 2020 Tokyo Olympics.
Starting point is 00:03:34 Foreign Secretary Dominic Raab said, The GRU's actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms. The UK will continue to work with our allies to call out and counter future malicious cyber attacks. End quote. The U.S. Justice Department didn't include any operations against the Tokyo Olympics in the indictment it unsealed yesterday and declined in its press conference to comment on the matter. But it seems of a piece with the Olympic Destroyer attacks mentioned in the Pittsburgh indictment, which Justice sneered, with some justice,
Starting point is 00:04:12 combined the emotional maturity of a petulant child with the resources of a nation-state, adding, no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia, wantonly causing unprecedented collateral damage to pursue small tactical advantages and fits of spite. End quote. A second Guardian piece argues that if you want to see what unrestrained cyber warfare looks like, the content of the U.S. indictment and the U.K. denunciation give you a pretty good idea. And while the activities the GRU stands accused of were damaging, they weren't particularly subtle.
Starting point is 00:04:57 Fancy Bear has the reputation of being the noisiest of the Bear sisters, a reputation first earned after Fancy showed up in Leroy Jenkins' fine fettle among the Democratic Party's emails back in 2016. Gadfly Bellingcat has an interesting observation, quote, An example of how bumbling the Russian state is. Of the six indicted hackers, three registered their cars to their military unit's address in Moscow. If you search for all of the people registering their cars to this address, you get 47 results,
Starting point is 00:05:31 all probably GRU hackers, end quote. Well, Bellingcat's on a bit of a high horse here, but they do have a point. As they point out farther down in their Twitter thread, quote, NSA workers don't register their vehicles to 9800 Savage Road, Fort Meade. They register it to their That they do. Any Department of Motor Vehicles is probably challenging enough, but imagining what it's like at the Moscow DMV would drive even the stiffest disciple of Jim Angleton into an OPSEC lapse or two. The Maryland DMV, we expect, is a lot better at customer service than the one in the Moscow Oblast. Our editorial staff has had good luck with the office up on Satter Hill just off Joppa Road.
Starting point is 00:06:10 You're welcome, NSA. But again, as we saw with Chinese operators yesterday, it's worth remembering that the opposition isn't really always three meters tall. A bit of follow-up to the U.S. Justice Department's announcement yesterday that six Russian GRU officers belonging to Unit 74455, the group commonly known as Sandworm, have been indicted for cyberattacks that had global impact. The indictment alleges a wide-ranging conspiracy
Starting point is 00:06:39 that wanders from Ukraine's power grid through NotPetya and all of its collateral damage to the Winter Olympics in South Korea and all the way to elections in France and other countries. Some of the reaction has been interesting. Johns Hopkins professor of strategic studies Thomas Rid commented that since the report's incredible intel is apparently expendable, the Five Eyes, quote, must have stunning visibility into Russia's military intelligence operations, end quote. Rid highlighted revelations that the group used a Pyongyang false flag, along with exploits allegedly developed by the U.S. National Security Agency, exploits that were eventually compromised. Although Moscow predictably downplayed the
Starting point is 00:07:23 indictment as a poorly sourced smear, as the Washington Post reports, and the accused, of course, remain at large, they're in Russia, after all, where the American writ doesn't run, the charges serve as both a show of force and, effectively, a public service announcement to people considering enlisting in Russian military intelligence. The indictment also restricts hackers' access to Western markets and their ability to travel to countries that have extradition treaties with the U.S. This morning, the U.S. Justice Department also brought its long-expected antitrust suit against Google. Reuters reports that 11 states have joined in the
Starting point is 00:08:02 suit, which it compares to the 1974 case against what we used to call simply the phone company that led to the breakup of AT&T's Bell system. The plaintiff says at one point, Absent a court order, Google will continue executing its anti-competitive strategy, crippling the competitive process, reducing consumer choice, and stifling innovation. The action seems to have bipartisan support, with progressives like Senator Warren, Democrat of Massachusetts, cheering from the sidelines along with other colleagues, both Democrat and Republican. Reuters does note that the 11 states that joined the lawsuit all have Republican attorneys general. And finally, lest any media group hasten to consider deploying libidinal controls over its editorial conferences,
Starting point is 00:08:51 Avast picks up last week's story on the malfunctioning of intimacy device safeguard aid, the Qiui Cellmate, and they draw a lesson. Avoid abandonware, software that goes unmaintained because the vendors are unable to handle it, something the Internet of Things seems more predisposed to spawn
Starting point is 00:09:13 than other tech regions. Anywho, ask yourself this question. Does this particular thing really need connectivity?
Starting point is 00:11:30 Among the many things we missed out on in the summer of COVID-19 was the annual family trip to the county fair. The sights, the sounds, the smells of local 4-H'ers with their livestock, the midway rides, the fried and barbecued food, and of course, the Carnival Midway, full of games of skill and chance. Jessica Gulick is CEO at Katzcy, a tech marketing and events company.
Starting point is 00:12:17 All this month, they are running a virtual Cyber Carnival Games. The CyberWire is a media partner for the event. Here's Katzcy's Jessica Gulick. We are big believers in utilizing games in order to stay motivated and keep your skills sharp as well as learn new skills. And with everybody at home and, you know, all the webinars that are going on, we wanted to do something different this October to bring a little bit of fun into everybody's lives. So we reached out to our contacts at the various different game platforms and said, hey, why don't we come together and have a carnival, kind of a virtual carnival that would allow anybody and everybody to partake in some of the games throughout October. And we got a lot of excitement back from those game platforms. And so it made a lot of sense to see if we can't do this
Starting point is 00:13:06 for the first time. Yeah, you know, it struck me as I was considering this that I think everybody has their favorite carnival game. That's one of the things that I think people like about carnivals is you make your way down the midway, pretty much everybody can find something that's for them. And I think you've set up something similar here. Can you take us through the creation of having a variety of things that people can engage with? Certainly. So we tried to make sure that we had enough games that would give variety, as you said, but also speak to different levels of skill. Everybody from a normal employee who is just looking for some security awareness. What do I need to know? Right. So I can be a better employee when it comes to cybersecurity, as well as to the hacker amongst us that is more expert skilled and they want to just win. Right. They just want to play. They just want to have fun kind of thing. And so when you look at the different games that we have available to us, we have some like Packet Wars.
Starting point is 00:14:08 Packet Wars is known in the community if you are in cybersecurity and you are a hacker. They do invitationals. They have a variety of games from very simple to very complex and more team versus team kind of battle royale style. So when we were talking to Angus Blitter, who is the packet master, he said, why don't we have a staged event so that we can do kind of stage one, which is more puzzle cracking,
Starting point is 00:14:37 almost like an Easter egg hunt, if you will. And then we'll go to the second stage, which is more like find the flags. And we'll go to a third stage, which is more battle royale. And then any'll go to the second stage, which is more like find the flags. And we'll go to a third stage, which is more battle royale. And then any level can start, but you've got to have expert level to make it to the end. And we love that idea, right? Because that really allows us to tap into the most audience that we could.
Starting point is 00:15:00 So what do you hope to take away from this? Is this something that perhaps could turn into an annual event? Oh, definitely. We are expecting this to be an annual event. We've already gotten such a great response from the community. As of last night, we're over 400 players and each player is playing an average of three games. So it's definitely tapped into a need in the market, if you will, a desire to play and have fun.
Starting point is 00:15:34 And it's all walks of life, which is great. So we're looking forward to 2021 being a wonderful second year for the Cyber Carnival Games. That's Jessica Gulick from Katzcy.
Starting point is 00:16:15 And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, great to have you back.
Starting point is 00:16:54 Good to be with you, Dave. This article from the folks over at ZDNet caught my eye. The title is, This Company's Zoom Policy May Be the Worst I've Ever Heard. It's written by Chris Matyszczyk. He writes the Technically Incorrect column over there. Ben, we talk a lot about policy stuff. This is a work policy issue here. What's going on? So I certainly agree with the headline here, and this is what nightmares are made of. Basically, there's a workplace advice columnist in a New York publication called The Cut.
Starting point is 00:17:31 And somebody wrote in to her, an anonymous employee from an anonymous employer, that this company's policy is that every employee has to be on Zoom literally for the entire workday. And the rationale is that the boss can foster a collaborative effort. It's like being in a physical office. People don't have to send an email or a Slack message to ask questions of their coworkers, etc., etc. There are a couple problems I have with that right off the bat. First of all, working from home, even if you are working seven and a half out of the eight hours in a day, is going to capture some things that wouldn't be captured otherwise in a workplace. People have spouses, people have kids, people have pets. So that would bother me.
Starting point is 00:18:31 I would not want people to see what's going on in this work-from-home situation for all eight hours of the day, even if I am actually working for those eight hours. So that's problematic. by your boss when it seems like this employer didn't actually have all of its employees in the same physical workspace pre-COVID just seems to me to be an excessive policy. I don't know how you feel about this, but it seemed excessive to me. Yeah, I agree. And I think this goes to, there's a philosophy that I tend to think is outdated, which is that, you know, if you work for me, if you work for me, you know, I own you from nine to five. And it's one thing if you're an hourly employee and I'm paying you for your time, right? Right. But if you are a salaried employee,
Starting point is 00:19:17 my philosophy is, you know, am I paying you for your time or for your talent? And I would say for a salaried employee, I'm paying you for your talent more than the number of hours that you put in. So this notion that, and I think having an office enabled employers, whether intentionally or not, to know where their employees were.
Starting point is 00:19:42 They can keep an eye on them. They can walk by, you know, is Bob or Jane at their cubicle? Where are they? What are they doing? You know, and so I can see from a boss's point of view how that would be a desirable thing to be able to keep track of employees. But I think one of the things that all this work from home stuff has sort of laid bare is that maybe that wasn't necessary, that we're not seeing drops in productivity. We're not seeing, you know, giving people more freedom to choose their own hours and even choose where they work and how they work and, you know.
Starting point is 00:20:15 Whether they're wearing underwear. Right. I was going to say pajamas, but yeah, underwear is good too. Yours is a little more G-rated. But yeah, so this, I guess the bottom line for me is that this strikes me as an old school and I think potentially outdated notion, particularly given what we've learned from this pandemic situation where everybody's working from home. And I think the thing that many bosses feared, which is that if I couldn't keep close eye on my employees, you know, they're just going to be running around and not getting any work done. Well, that hasn't come to pass that we haven't really seen that. I think the evidence doesn't support that notion. Yeah, I think that's absolutely right. Another thing they mentioned
Starting point is 00:20:59 here is if you are a boss that wants to know what your employees are doing at all times, there are less intrusive tools you could use. I mean, people who are on Office 365, Microsoft Teams, you could monitor who's logged in at any given time. I guess if you wanted to record keystrokes or something severe like that, there's probably a way you could do that. If we're talking about a law firm, they're always billing a client,
Starting point is 00:21:24 so you can look at how many hours in a given day a client was billed. This just seems like an unfair extension of that type of logic, where you're peering into somebody's home, which is just such a sacred space from both a policy perspective and a legal perspective that I do think it's overly intrusive,
Starting point is 00:21:44 even if you grant that bosses have the right to know what their employees are doing at all times. Yeah. And I think about, you know, for example, my son, Jack, you know, he's doing school from home right now. They're doing remote learning and the teachers are not allowed to require that the students have their cameras on because of privacy issues. Yeah, and I think that's extremely wise. We have the same policy at the University of Maryland School of Law. I think it's a very wise policy.
Starting point is 00:22:13 You never know what a person's home situation is. And that home situation could be very personal. They could be taking care of kids or elderly relatives. There could just be something in a room that you don't want your boss to see. And I think that's completely justified. So yeah, I mean, I think I completely agree with that critique. Maybe if the company wanted to pay to have an addition put on my house or a little workspace. Yeah, exactly. Create your own room at my house. That maybe you can, yeah. Right, exactly. build a little home office in the backyard,
Starting point is 00:22:45 a little outbuilding or something like that. Then maybe we can have a conversation. But if I'm working from home, you're a guest in my house and I don't think you have the right to have unlimited access to me even during work hours. It just seems to me, it just seems like
Starting point is 00:23:01 a bad management policy. It's just a bad boss in my opinion. Yeah, it's a way to get your employees to strongly dislike you. Let's put it that way. Right, exactly, exactly. All right, well, again, the article is titled, This Company's Zoom Policy May Be the Worst I've Ever Heard. It's over at ZDNet.
Starting point is 00:23:20 Ben Yelin, thanks for joining us. Thank you. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's magically delicious. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:24:08 Our amazing CyberWire team is Elliot Peltzman, Guru Prakash, Stefan Faziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Starting point is 00:24:18 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie,
Starting point is 00:24:24 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
