CyberWire Daily - Phishing plays small ball with depressing success. Chinese cyberespionage up. US IC, JCS, worries about innovation. Guilty plea in US espionage case. Ex-Knesset member suspected of spying. Supreme Court decides location privacy case.
Episode Date: June 22, 2018
In today's podcast, we hear that phishing scams continue to nibble away at bank accounts and reputations: the State of Oregon is among those suffering. Avoid emails promising you leaked pictures of ...YouTube stars. Chinese espionage against US targets rises. US Intelligence officials worry that failure to play a long game puts the country at a disadvantage with respect to innovation. The Joint Chiefs mull electronic warfare issues. Reality Winner makes a plea agreement in her espionage case. And from ecstasy tablets to Iranian spying is a short sad road. Ben Yelin from UMD CHHS weighs in on the US Supreme Court decision on location data privacy. Guest is Taavi Kotka, former CIO of the Estonian government, discussing that nation’s innovative digital identity system. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
in her espionage case, the U.S. Supreme Court decides a landmark privacy case,
and the journey from ecstasy tablets to Iranian spying
is a short, sad road.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Friday, June 22, 2018.
Phishing scammers are showing an ability to bypass natural language-based anti-phishing protections
and induce Office 365 users into compromising their credentials.
We're midway through the baseball season, and this prompts us to reflect on an analogy with information security.
If zero-day exploits are grand slams, big, damaging, spectacular, and rare,
then phishing is small ball, working the count, hitting away from the shift, pitching to contact,
hit and run, and so on. And phishing remains a perennial problem in all of its tiresome but
successful forms. And what are the fish biting on these days? To move away from our baseball metaphor and back to angling,
leaked images of YouTube stars are serving as surprisingly compelling fish bait.
It's especially prevalent in South Korea, but users everywhere should avoid this come-on.
There are, of course, such things as YouTube stars,
and there are, reportedly, leaked and revealing images of those stars.
Stay away. Read a good book. Take a walk. Travel. Divert yourself. But don't click.
Phishing has more victims than just the unfortunate curious ones who click.
The U.S. state of Oregon became aware Monday that an email account using its Oregon.gov domain had been
compromised and used in a massive phishing campaign. The direct damage phishing does to
those who fail to recognize and spit the hook is well known, but those whose accounts and domains
are hijacked also suffer. Oregon is still struggling to get its domain removed from
the many blacklists to which it was added after the phishing campaign.
Chinese espionage against U.S. targets increases
as trade tensions between the two countries rise.
U.S. officials seem to be experiencing two minor Sputnik moments.
Call them Sputnitsky.
Speaking at the Capitol Hill National Security Forum,
NSA Deputy Director George Barnes
says the U.S. isn't good at playing a long game, unlike adversaries like China. Richard Cardillo,
director of the National Geospatial Agency, substantially agreed, citing quantum computing
and cybersecurity as two areas in which U.S. innovation may come too late.
China, they say, thinks routinely in 20-year terms.
The Americans do not.
They forget and must reinvent, and a tradition of technological progress seems to have bred a very distinctive version of victory disease.
Too much winning can make you think winning will just go on forever.
One such victory disease hangover is being felt, apparently, in the second Sputnichka.
General Paul Selva, vice chairman of the Joint Chiefs,
told the Center for a New American Security that American complacency about encryption and precision timing
has enabled peer adversaries to steal a march in electronic warfare.
If you rely on technical virtuosity as a magic bullet, you may find yourself outclassed by
an opposition that remembers the old slow grind that you've forgotten.
NSA and Air Force alumna Reality Winner has agreed to a plea deal over charges related
to provision of highly classified documents to The Intercept.
The government said that while she was working as an NSA contractor at Fort Gordon, Georgia,
she leaked a top-secret report about Russian meddling in the 2016 presidential election.
Ms. Winner was charged under the Espionage Act and faced 10 years in prison and $250,000 in fines. Her family continues to support
her, with her mother telling the Atlanta Journal-Constitution that, quote, I do know that
she has always been ready and willing to accept responsibility for any wrongdoing and that she
will accept the consequences, end quote. Ms. Winner's mother has also tweeted that her daughter
is a hero and a true patriot,
making due allowance for maternal love and natural affection.
We suppose that is one way of looking at it.
Gonen Segev, a former member of Israel's Knesset and once the country's energy minister,
has been arrested on suspicion of spying for Iran.
The arrest caps a post-government career that, since the mid-90s,
has earned him a serious ne'er-do-well's reputation.
He was involved in fraud, claiming his bank account had been looted from an ATM.
A security camera showed that he himself had withdrawn the cash.
Later, in 2004, he tried to smuggle 32,000 tablets of ecstasy into Israel.
He did a couple of years in prison when the authorities and the court didn't buy his explanation
that in fact the tablets were just a big consignment of M&M candies.
Segev, who's also a medical doctor, had established a practice in Nigeria.
That's where he was recruited by Iranian intelligence services.
If you run through the traditional acronym of motives for becoming an agent,
MICE, that is, money, ideology, compromise, or ego,
Segev seems to have been driven by the big M, money.
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, a big day today.
The U.S. Supreme Court came down with an important privacy ruling here.
Fill us in.
What do we have going on?
Sure.
So the decision is Carpenter v. the United States.
And this is a decision about cell site location information.
So Mr. Carpenter was part of a crime syndicate, a ring of people who were robbing, ironically, cell phone stores. And as part of a federal investigation into this crime, the government obtained cell site location information records on the whereabouts of Mr.
Carpenter. They realized that he was at the location of some of these robberies. They used
that information to convict him, and he was sentenced to over 100 years in prison. So Carpenter
challenged his arrest on Fourth Amendment grounds, and he said that the government needs a warrant
to obtain cell site location information.
This presented a novel issue, and that's why it made it up to the Supreme Court.
Previously, we've been under what we call the third-party doctrine.
I know you and I have discussed this at length in the past.
The Supreme Court has held that if you voluntarily submit information to third parties, that the third parties keep as their business
records, then you have forfeited your reasonable expectation of privacy in that information.
Therefore, you do not have any Fourth Amendment protection in that information. There hasn't been
a Fourth Amendment search. And what the Supreme Court was wrestling with here is whether to extend
the third-party doctrine to instances like this one where you're not just
revealing perhaps one phone number that you dialed or one bank record that you submitted, but rather
a wealth of comprehensive information on your whereabouts for a relatively long period of time.
And the decision that came down today from Justice Roberts, Chief Justice Roberts,
who joined the court's four more liberal members,
says that the government does in fact need a warrant to obtain your cell site location
information. And this is a massive victory for electronic privacy advocates. It's really a
groundbreaking case. The decision rests on basically two principles that distinguish
the information being collected here from the
information that has been collected in previous third-party doctrine cases. And what Justice
Roberts says is both the breadth and depth and the comprehensiveness of the information revealed
is just so fundamentally different in this case. Cell site location information reveals not only your
whereabouts, but can give any potential viewer, whether it's somebody in the public or whether
it's the government, information on your private associations, your religious or political
affiliations. I mean, imagine if somebody followed you for a full week, how much information they
could find about you. Whereas in the past, we were talking about how much information a person, somebody could find out about you
by virtue of dialing one phone number. I mean, it's just a fundamental difference in the
information that's being submitted. And that's, I think, the main justification that Justice
Roberts is using here. The other justification he talks about is the fact that in most third-party
doctrine cases, a person should have full knowledge that they are submitting or they
are transmitting information that's going into the hands of a third party. So for instance,
when I make a call on my cell phone, I know that I get a cell phone bill every month. I know that
that call is recorded. I know that's going to be part of AT&T's business records. Here, Justice Roberts says,
it's not so clear-cut. People have an idea that their information on their physical location is
being collected by cell phone companies, but we don't really, as a society, have a fundamental
understanding of how that works.
This voluntariness that's so fundamental for the third-party doctrine is just not really present
here. We're not actively pressing a button that submits information to a third party.
And even if you take out that voluntariness equation, even if you think that simply by
turning on our cell phones, we are voluntarily
conveying our information to our cell phone company and thus potentially to the government,
it's just not really fair to expect that people will go without their cell phones because
they don't want the government to know where they are at all times.
Cell phones are such a fundamental part of our lives. We use them for our familial
relations. We use them in our work life and our personal life. It wouldn't be realistic to expect
people to stop using cell phones just because they would be forfeiting a right to privacy by
pressing the on switch. And that's sort of the basis for Justice Roberts' decision.
A couple of notes, I would say.
There are no bright lines in the decision. I think a lot of scholars were looking for whether there
was some sort of determinant factor that would make the transmission of cell site location
information into a Fourth Amendment search. Perhaps there would be some sort of time requirement,
like if the information was collected
over a period of seven days or more, that would constitute a search. There was no bright line
like that in this case. And that's something that the four dissenting justices have really harped
on, that this might not be an easy decision for local law enforcement, state law enforcement,
or federal law enforcement to follow because there are no bright line standards. But I think the bottom line, it's a major victory for privacy advocates.
Not only do we have a reasonable expectation of privacy in the location information that we
submit to our cell phone companies, but we've cut against this very broad third-party doctrine.
There's now an understanding that just because we voluntarily transmit information to a third
party, that doesn't necessarily mean we have forfeited our reasonable expectation of privacy.
It has to do with the quality and the quantity of information that we submit, and whether
that submission was in fact voluntary.
So I think it's a groundbreaking decision.
Ben Yelin, thanks for explaining it to us. I'm sure
this is something you and I are going to continue to talk
about in days to come. Thanks for
joining us. Absolutely, and I
apologize for being so long-winded.
Oh, no. It's an important
one. Thanks so much, Ben. It sure is. Thanks,
Dave. Bye-bye.
Transcription by CastingWords
the European Commission and is currently CEO of a company called Proud Engineers. Our conversation focuses on Estonia's digital identity system and how it affects privacy
and security.
First of all, you have to understand the Estonian ICT architecture.
So it's a fully distributed solution, and to connect all those different distributed
systems in Estonia, every person has a unique identifier.
And this unique identifier is used in private sector, in healthcare, in government, basically everywhere.
So if we need to get information about the person, we can actually combine different data sets between different sectors.
That's the first thing.
So we have a very strong baseline for data connectivity.
And every Estonian who is older than 15 years,
mandatory, they have to have a digital identity.
So government demands that everybody
has to have a digital identity.
And like this way, using digital identity,
we can sign documents, we can authenticate ourselves, open any kind of government portal or private sector portal.
So it's very widely used.
We actually have to say that digital identity is widely used.
The technology is actually different.
Some people use ID cards, some people use mobile IDs, some people use smart IDs.
So it's important that everybody has digital ID.
It's not so important what technology they're using.
Now, were there any privacy concerns that went along with that?
Funny, I get this question always from you as like, is there a privacy concern?
People think that if everything is digital and everything is connected,
then they have to give away their privacy.
I mean, it might be true if the government has, like, dictatorship
or, like, they want to have full control over the data,
what they own, like, let's say, China.
But the state is a democratic country,
and we believe, like other North European countries,
like Sweden or Finland, that being digital is actually more privacy protective compared with being analog.
I mean, I take an example.
Do you know who has looked at your health records in your local hospital that you're using?
Give me an honest answer.
No, I do not.
But I know.
And that's the point.
Everything is digital. Yes, every patient
record in Estonia is digital.
But also I can see who has looked at it.
Not only who changed it, but also
who has looked at it. Meaning that
I actually have more control
over my data compared with you.
And that's the point.
If you don't want to be
a control-freaking dictatorship with a democratic country, you will build a system like it has been built in Estonia, that everybody has the power to see who has access to or approach their data.
or even goes to jail.
And suddenly you become your own big brother.
I mean, like, let's say a policeman or a doctor,
yes, they have access to your data,
actually not a certain amount of data,
but they know if they don't have a reason,
they will be kicked out from the system and they will lose their jobs.
So suddenly I understand that, like,
you can build those digital systems
and you can get the benefits of those digital systems,
but still keep the privacy, or even better,
you can increase the privacy and data protection.
Because, for example, if there is something in my health record that I don't like, let's say I have some kind of mental problem
10 years ago, so I can actually cover that data.
So even though every doctor can see my data,
yes, they have to have a reason, But if there's something I truly want to forget and I truly want to cover,
I'm allowed to do that. So if you think about it like this way, you can get both better services,
but also increased privacy. How does it compare when it comes to things like identity theft?
I'll give an example.
If you are able to go to court and prove that somebody has stolen your digital identity, but you still own or possess your ID card and you haven't given your PINs to anybody.
If you're able to prove that in court that somebody has stolen your identity,
the government takes the liability up to 5 million euros and it has never been used. So what are your recommendations? What could the United States,
for example, do to improve our identity systems? It's actually not a question of the identity
system. It's a question, do you actually have a pain to solve? Countries think that they want
to be digital, but if you ask them why, I mean, I can ask you, why America wants to be
digital, like digital government? Why do you think you actually need that? It's a complicated task.
It's difficult. You have to make many compromises with society. And life in the US is good. Actually,
it's better than in Estonia. So why to change? Why not? Why do you actually have to do that?
I mean, please answer me. Well, I suppose there could be cost savings.
There could be security advantages.
Certainly things could be easier.
I would love to see, for example, medical records to be easier to navigate and to share from doctor to doctor.
Okay, but is it painful enough?
Is it painful enough to actually start building solutions to that?
And that's the point.
I mean, the pain in your society hasn't reached the moment where it actually explains that or basically justifies that,
okay, we need to do the change now.
When you actually articulate that I have certain pain
and the only way to solve that is being digital,
then you start thinking, how can I solve this problem?
And then you find out that, oh, it seems to be that being digital
is actually more privacy protective than being analog.
But without having that pain, you never reach those questions.
So we're still in, like other Nordic and North European countries,
we actually share the same pain.
Our pain is that we have a lot of land and not too many people.
So many people live in rural areas,
and they don't have physical access to the bank office or government officer.
So they have to use IT solutions like Internet Bank or a government portal
or whatever it is like.
So we had to push people to use e-services.
So we had that pain, and that's why we are advancing this
field. But you don't have the pain. That's Taavi Kotka. He's the former chief information officer
of Estonia.
CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart
speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Valecki, Gina Johnson, Bennett Moe,
Thanks for listening.
We'll see you back here tomorrow.