CyberWire Daily - Nghia Hoang Pho charged with mishandling classified NSA material. A review of other recent leaks. Kaspersky under fire in the UK. More Uber executives depart.
Episode Date: December 4, 2017
In today's podcast, we hear about an NSA employee who was charged Friday with "willful retention of national defense information." This appears to be the individual whose computer was equipped with Kaspersky security software, and scanned either by that security product or by a backdoor, depending on whom you believe. A look back at the other three alleged NSA leakers: Snowden, Martin, and Winner. Johannes Ullrich from SANS and the ISC Stormcast podcast, talking about the Kaspersky data exfiltration accusations. The UK expresses official misgivings about Kaspersky products. More Uber executives depart the company.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
An NSA employee is charged with willful retention of national defense information.
A look back at the other three alleged NSA leakers,
Snowden, Martin, and Winner,
the UK expresses official misgivings about Kaspersky products,
and more Uber executives depart the company.
I'm Dave Bittner with your CyberWire summary
for Monday, December 4th, 2017.
Last Friday, it was announced that Nghia Hoang Pho entered a guilty plea in the U.S. District Court for the District of Maryland
to charges of willful retention of national defense information.
Between 2010 and May 2015, he took quantities of classified information home, both in hard copy and on his laptop.
According to charging documents unsealed Friday,
Pho was formerly a developer with the National Security Agency's Tailored Access Operations unit, the TAO.
He faces up to 10 years in prison.
Pho is free until his sentencing, which is scheduled for April 6, 2018.
The laptop Pho used to take classified information home to Ellicott City, Maryland,
is the one that's long been discussed in connection with the U.S. government's ban on Kaspersky software.
He is said to have had a Kaspersky security product installed,
which detected some of the sensitive files he'd placed on his machine,
which would appear to make him the long-discussed, but not until Friday publicly identified, third man.
Kaspersky acknowledges that it did detect the files,
but denies having read them or done anything with them.
Reports aren't calling Pho the source of the leaks that went to the Shadow Brokers,
so that particular mole hunt seems to remain an ongoing one.
Nor do any of the other notorious NSA leakers appear to be the Shadow Brokers' source.
It's worth reviewing their stories.
The first and most famous is Edward Snowden, about whom this audience will already know a great deal.
Mr. Snowden, now a resident in Moscow, was a systems administrator employed by an NSA contractor who, on May 20, 2013,
fled Hawaii for Hong Kong with extensive information about U.S. electronic surveillance operations.
He had contacted journalist Glenn Greenwald, then writing for The Guardian, on December 1, 2012,
so his leaks were some months at least in preparation. The material he took was subsequently published in The Guardian and elsewhere.
On June 21, 2013, the U.S. Department of Justice charged Snowden
with two counts of violating the Espionage Act of 1917.
Two days later, Snowden arrived in Moscow, where he's enjoyed asylum since.
He represents his motivation for leaking as arising from a concern for civil liberties
and the threat mass surveillance could pose to them.
The second leaker, Harold T. "Hal" Martin III, was also a contractor working for NSA.
The FBI arrested him during a raid on Mr. Martin's Glen Burnie, Maryland home on August 21, 2016.
A search of the premises revealed a large quantity of highly classified material, some
of it in electronic form, some of it in hard copy.
On August 27, 2016, Martin was charged with theft of government property and unauthorized
removal or retention of classified documents or materials by government employee or contractor.
He entered a plea of not guilty in October of 2016 and remains in custody
awaiting trial. Martin's motives in taking the material remain obscure. His ex-wife, who generally
spoke well of him, characterized Martin as a patriot, a workaholic, and a bit of a pack rat.
He's said to have taken the material from his NSA workplace by simply walking out with it.
The third leaker, Reality Winner, was also a contractor working for NSA.
Ms. Winner was arrested on June 3, 2017,
after a relatively quick investigation prompted by a publication's attempt to authenticate what appeared to be a classified NSA document a source had passed them.
The publication was The Intercept,
and the source, identified by telltale marks on the document
that established where it had been printed,
was allegedly Ms. Winner.
She's been charged with violating the Espionage Act of 1917,
she's pled not guilty,
and she remains in jail awaiting her trial.
Her motives appear to be political disaffection,
evidenced in some fairly noisy social media posts, associating herself with the resistance to the current U.S. administration and to offering the Iranian people solidarity in the face of U.S. aggression.
She's said to have told investigating FBI agents that she folded the stolen document and concealed it in her clothing.
The ease with which the alleged leakers and mishandlers of classified information walked out with sensitive material is striking. The only one
who seems to have used much thought in how one steals secrets is Edward Snowden. If it's true
that Mr. Pho really did take stuff home to help him polish up his resume, this perhaps argues a
certain culture of casual disregard for security measures,
as if familiarity with the secret world breeds contempt for it. We hope not. They all certainly
knew better than to squirrel classified material away in their homes and personal devices.
Mr. Pho's case strikes observers as particularly baffling and egregious,
since, as federal charging documents state, Pho worked for NSA's Tailored
Access Operations, regarded as an especially sensitive and important part of the agency,
and not a place accustomed to employing callow or clueless rookies.
To return to Kaspersky, the security company continues to say it did nothing improper,
and that it would decline any request to participate in espionage
it might receive from the Russian government. Cooperation with the Russian government in
criminal investigations, Kaspersky says, is of course a different matter. But skepticism about
Kaspersky products has spread from the U.S. government to at least one of the other Five Eyes.
On Friday, Ciaran Martin, director of the UK's National Cyber Security Centre, advised permanent departmental secretaries that Kaspersky software should not be used in systems holding information that would damage British national security if it were accessed by the Russian government.
Barclays Bank Saturday stopped its practice of offering free Kaspersky security products to customers as a perk,
so there are signs the private sector is following the public sector's lead.
Finally, developments in the Uber breach investigation, as well as in litigation involving Alphabet and Waymo,
coincide with three more departures by Uber executives.
The company hasn't said the departures were prompted by documents that surfaced appearing to describe discreditable competitive
and data security practices,
but of course there's widespread speculation that this was indeed the case.
The executives worked in international business operations
and physical security divisions of the ride-sharing company.
There's rising sentiment to do something about the company's knowingly
concealing data breaches. One example, a bill introduced into the U.S. Senate last week that
would provide jail time for executives found to have concealed data breaches.
And joining me once again is Johannes Ullrich. He's from the SANS Technology Institute,
and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. You know,
these recent stories about Kaspersky, I think, brought to a lot of people's attention the fact that there's a lot of data these antivirus companies can pull from your systems:
if the anti-malware software finds some interesting binary on your system,
it will exfiltrate that to the antivirus company for further analysis.
And for the most part, that's something we really want to have happen.
There is a suspicious binary.
The antivirus software can't really put its finger on whether it's malicious or not. So in some ways, it's a great service for antivirus companies to actually look at this closer,
maybe run it through some more sophisticated checks, or even do manual analysis on this.
But on the other hand, you don't know what's really being exfiltrated here.
And a lot of confidential data may actually be exfiltrated that way as well.
Yeah, you're really giving them
broad permission to pull just about anything they want off of your system. Correct. And actually,
it's not just the antivirus companies. One service where I see this happen very often is
VirusTotal, where companies upload documents to VirusTotal because VirusTotal has this great
service where it runs it through 40, 50
different antivirus tools. But at the same time, you're uploading this document to this third party,
VirusTotal. And researchers have full access to all files being uploaded to VirusTotal. It's very
easy to get that access. So in some ways, you're leaking data here if you aren't sure that the document
that you're uploading is actually malicious and free of proprietary content. Because the other
issue that you have sometimes is that, yes, the document is malicious, but it is malicious because
an attacker attached, for example, malicious content to an otherwise benign and confidential document. So
now, by exfiltrating, as you intend to, this malicious content to VirusTotal or to your
antivirus vendor, you're also sending that proprietary content, which of course can be a
big problem. Right, so you can have, you know, the company's financials, which happen to be
infected by someone else, and it's being sent up to the antivirus vendor or maybe VirusTotal.
Correct. Similar also with crypto ransomware.
There are some sites that, for example, you can upload an encrypted document to identify what variety of crypto ransomware you were infected with or whether there is a way to decrypt it. Of course, if there is a way to decrypt it,
then the recipient of that document may as well do it and now has the proprietary
content in hand. All right. Well, it's a cautionary tale for sure. Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.