CyberWire Daily - IoT supply chain vulnerabilities described. Spyware in the hands of drug cartels. National security and telecom equipment. US NDAA includes many cyber provisions. Fraud as a side hustle.
Episode Date: December 8, 2020. AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland's parliament approves exclusion of telecom equipment on security grounds. The US National Defense Authorization Act's cyber provisions. Online fraud seems to have become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/235
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Amnesia 33 vulnerabilities infest the IoT supply chain.
Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels.
Finland's parliament approves exclusion of telecom equipment on security grounds.
The U.S. National Defense Authorization Act cyber provisions.
Online fraud seems to become a side hustle.
Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia
from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, December 8th, 2020.
Researchers at Forescout this morning released a report on a set of TCP/IP vulnerabilities they're calling Amnesia 33,
the 33 referring to the number of vulnerabilities they've found.
Four they consider critical, and in general, the issues are believed to broadly and deeply affect Internet of Things devices. SC Magazine says that the U.S. Department of Homeland Security is expected to
release a report on the vulnerabilities soon, perhaps as early as today. The problems are
believed to pervade the IoT supply chain. Many manufacturers may well be unaware that their
products are affected. The Amnesia 33 vulnerabilities are propagated through third-party software
that's used in components of all manner of smart devices from, as SC Magazine puts it,
printers to picosatellites, from the home office to low-Earth orbit.
Both Haaretz and The Guardian are reporting on Forbidden Stories' cartel project,
which describes the ways in which Mexican police, users of NSO Group's lawful intercept products,
have allegedly been reselling that technology to drug cartels,
which in turn have used the spyware to monitor journalists and other third parties.
Some of the allegations are attributed to sources in the U.S. Drug Enforcement Agency.
The story is dismaying, but ought not to be entirely surprising.
If weapons can find their way from police lockers to criminal gangs,
why should tech tools be any different?
The reports stress the threat to journalists
and the chilling effect that can be expected to have on news coverage of the cartels.
Reuters reports another setback for Chinese telecom hardware providers like Huawei.
Finland's parliament yesterday passed legislation that permits the authorities to exclude
telecommunications equipment from the country's networks if such equipment is determined to
represent a security threat.
According to the Washington Post, despite the prospect of a presidential veto,
the U.S. House appears ready to pass the National Defense Authorization Act.
CyberScoop summarizes the significant cybersecurity measures the NDAA includes.
They call it the biggest cyber bill ever.
While much of the attention the bill has received surrounds its reestablishment of a White House cyber coordinator position,
the Cybersecurity and Infrastructure Security Agency is, as CyberScoop says, a major beneficiary.
CISA gains authority to issue administrative subpoenas to ISPs when the agency detects security vulnerabilities but can't track the owner down.
The law also gives CISA authority for excessive threat hunting within the federal government's networks.
The Department of Homeland Security has long held responsibility for the .gov top-level domain.
CISA will get a joint cyber planning office,
and the agency's director is told to appoint a Cybersecurity Director for each state. This last provision is intended to improve coordination between state and federal
agencies. The law leaves some matters, including some of the recommendations of the Cyberspace
Solarium Commission, untouched. It won't address, for example, the proliferation of congressional
committees with competing oversight responsibilities for cyber,
nor did it take up the Solarium advice to amend Sarbanes-Oxley to make it more explicit with respect to cybersecurity risk assessment.
But of course, not all things are best dealt with in what is, after all, a defense authorization bill.
On balance, the act is noteworthy for what it sought to address.
The security predictions emerging this week continue to emphasize the ways in which the continuing trend toward remote work and migration to the cloud will open new opportunities for
criminals. Trend Micro, for example, in addition to predicting more criminal attention to APIs,
also forecasts that enterprise software and cloud applications
used for remote work will be hounded by critical class bugs. And while many are remarking on the
growing sophistication of attackers, Onfido notes a contrary or perhaps complementary trend.
A lot more skids getting into the criminal game as low-skill amateurs find that the barriers to online fraud have dropped.
Fraud, Onfido says, has become the new side hustle,
where once you might have, for example, tutored or sold cupcakes or babysat
or done a little freelance writing.
Now you may find yourself tempted over to the dark side,
and you try ways of winkling people out of a little cash.
You don't have to know very
much, and maybe, we speculate, the curious disinhibition that leads people to disport
themselves in cyberspace in ways they'd never even consider in kinetic space. So you take up fraud.
How hard can it be? Not very. And so broad is the path that leads to perdition. Don't go there.
One of the things the researchers point out is that the time during which the fraud attempts occur
no longer approximates the nine to five hours that a lot of professional criminals have kept,
and that too is consistent with a side hustle.
It used to be called moonlighting for a reason.
Another point Onfido makes is that consumer online behavior has shifted enough
during this time of widespread lockdown, isolation, and distancing
that we're finding it more difficult to recognize suspicious behavior.
Some of the older markers aren't seeming quite so reliable anymore.
Our behavioral assessments need to catch up with this unfortunate new normal.
And finally, ZDNet reports that
2,732 Pickpoint package delivery lockers across Moscow
were opened by a criminal who hacked the Pickpoint app.
Landlords and guards responded quickly to keep an eye on obviously malfunctioning lockers.
Pickpoint is a purveyor of secure lockers users can lock and unlock with an app.
Russian security organizations, and by implication law enforcement organizations,
take a lot of grief, and often rightfully so.
But this is one case where we're happy to wish the Moscow Militsiya good hunting.
A popular feature on Microsoft Windows systems is Group Policy, which enables centralized
management and configuration of operating systems, applications, and user settings in an active directory environment.
But of course, anything that provides centralized control over multiple user accounts and settings has the potential for abuse.
Darren Mar-Elia is vice president of products at Semperis, a company that provides directory threat monitoring, detection, and response services.
Darren, welcome to the show.
Thanks. It's great to be here.
Can you give us a
little explanation of what exactly group policy is and how it leads to potential problems?
Yeah, for sure. So many, many, many organizations out in the world have deployed Microsoft's Active
Directory. And with Active Directory came free and in the box, so to speak, group policy.
Group policy is the ability to deploy configuration to Windows desktops and servers.
And it's been out there for as long as AD has been out there.
It is broadly used to do things like locking down users' desktops, configuring their browser.
But most importantly, it's also used for security hardening of Windows servers and desktops.
So in other words, setting security settings to reduce the Windows desktop or server from an attack surface perspective.
And so what's the potential problem there?
So the potential problem is actually not dissimilar to the problems that we're seeing with Active Directory today. So group policy,
because it defines, in a lot of organizations, it defines the security hardening, you know,
who has administrative access to which machines and is also world readable to anyone who is a valid user
in Active Directory, it provides a roadmap for sort of seeing where the interesting stuff is
from an attacker's perspective. You know, I'm imagining in larger organizations that merely
the process of auditing this can be, you know, quite something to contend with.
Is this something that you can come at with a certain level of automation?
Yeah, there's definitely some steps you can take for monitoring against this.
What's interesting is that Microsoft doesn't make this easy out of the box.
So by default, the Windows security event logs will tell you
that something has changed in a group policy object, but it won't tell you what has changed.
So you need extra software to determine that.
And to make it even more challenging, when an attacker gets access to this environment, the tooling has gotten sophisticated enough so that they're not using normal Microsoft APIs to make changes to these
group policy objects. They're just writing settings directly into the setting storage
in what's called SYSVOL in the file system on the domain controller. And this will bypass
most auditing solutions that are just looking for changes to the group policy objects being
made using normal tools. So you have to look for that kind of change
in addition to the typical normal AD-based change
to group policy.
So I've been working with group policy for many, many years
and it was actually surprising to me
to see group policy being abused in the wild.
I always considered it to be a theoretical possibility,
but to see it actually being done
really kind of woke me up around this problem. And I encourage everyone to not take this for
granted that their group policy environment is safe. It is happening. And I encourage people
to take the problem as seriously as they take the problem of hardening their Active Directory itself.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast.
Ben, great to have you back.
Good to be with you again, Dave.
You have done the heavy lifting for us here by sitting through the arguments in front of the Supreme Court
about the Computer Fraud and Abuse Act.
Give us the lowdown here. First, how about a little quick background? What is this case and how did it make its way all the way up to the Supreme Court?
So yes, I did listen to oral arguments in the case of Van Buren v. United
States. It was a good couple of hours on C-SPAN on Monday. This is a case dealing with the Computer
Fraud and Abuse Act, and it's actually the first CFAA case that's made its way all the way up to the Supreme Court.
Just as a little bit of background, this act imposes civil and criminal liability for unauthorized access to computers.
It's a law that was enacted in the 1980s, originally enacted to address hacking, but it also has this provision
that prevents unauthorized access to particular materials, websites, etc., even if somebody has
authorized access to the network or the computer itself. So it prohibits individuals from exceeding
authorized access, and that's what's at issue in this case. So there was a police officer in Georgia, Nathan Van Buren, who had access to computerized records about license plates,
just because he was a law enforcement officer. But an FBI agent was interested for his own purposes
in gaining access to that database. And it appears as if he paid off Mr. Van Buren to do a search
for him. Mr. Van Buren was criminally prosecuted and he
appealed his conviction, made its way up to the Supreme Court. Oral arguments were really
interesting. The attorney for Mr. Van Buren was arguing that if we have an overbroad interpretation
of this provision about exceeding authorized access, that would lead to what the justices
referred to
as a parade of horribles.
A bunch of scenarios where we're criminalizing
behavior that pretty much all of us engage in.
So accessing Facebook or Instagram
on our employer's network
or on a work computer.
One of the things they mentioned
is somebody posting false information on a dating
website. These are the types of things, in the view of Van Buren's attorney, that would be
criminalized if we had such a broad interpretation of the Computer Fraud and Abuse Act. What the
government's attorney was saying, conversely, is if we were to not criminalize this type of behavior,
that would also set up its own slippery slope.
So, for example, we could have people who work for federal agencies who have access to personal health information.
Maybe you work for the Centers for Medicare and Medicaid Services, and you try to check out some information on your ex-girlfriend or ex-boyfriend.
If we don't have a broad interpretation of the Computer Fraud and Abuse Act,
according to this attorney,
then that type of behavior might be legalized.
So it's always a dangerous game
to try and glean what the result is going to be
from oral arguments, but I'll do my best.
That's never stopped you before.
It's never stopped me before.
I will always opine.
It seemed like at least a few justices, including liberals like Justice Sotomayor and conservatives
like Justice Gorsuch, were more inclined to side with Van Buren, saying that this overbroad
interpretation of the Computer Fraud and Abuse Act would lead to an undue expansion in criminality among federal
statutes and would contribute to a trend where the federal government is just criminalizing
too much innocuous behavior. It seems to me that there are at least a couple of justices,
specifically Justice Alito, who was perhaps more amenable to the government's argument. So we could see a split
decision here. But I think overall, the justices were skeptical of having such a broad interpretation
because of, you know, even if this, the entire parade of horribles does not happen, at least,
you know, a portion of those things might happen if we had such a broad interpretation.
So that's my initial read on it.
So what sort of timeline are we on here? How does something like this typically play out?
So the end of the Supreme Court term is next June. So we'll have to be decided by then.
I don't anticipate that it's going to take that long. Generally, cases that are more controversial tend to take a little bit longer. You have to have a justice write the opinion. If there's a dissent, you know, a justice is going to write a dissent, and then the person
who wrote the opinion has to respond to the dissent, etc. I anticipate that that process
would probably wrap up more like in the next three or four months, so maybe February or March.
And that's when perhaps we would see a decision on this. So the absolute latest, if they're really having trouble coming up with a majority one way or another,
would be the end of June.
But I anticipate that we should get a resolution probably sooner than that.
All right.
Well, we will stay tuned for sure.
Ben Yelin, thanks for joining us.
Thank you. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
We'll save you time and keep you informed.
Snap, crackle, pop.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe
where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
We'll see you back here tomorrow.