CyberWire Daily - SolarWinds compromise scope grows clearer. DPRK’s Earth Kitsune. Google’s authentication issue. A look at the near future of cybersecurity.

Episode Date: December 15, 2020

SolarWinds’ 8-K suggests the possible scope of the Sunburst incident. CISA leads the US Federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the UK. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday’s outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/240

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. SolarWinds' 8-K suggests the possible scope of the Sunburst incident. CISA leads the U.S. federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the U.K.
Starting point is 00:02:17 Operation Earth Kitsune is attributed to North Korea. Google explains yesterday's outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity, on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 15, 2020. SolarWinds, in a Form 8-K the company filed with the U.S. Securities and Exchange Commission yesterday,
Starting point is 00:03:09 said that some 33,000 customers had potentially been exposed by vulnerabilities in its Orion platform and that it's notifying them of the risk. The company added, however, that it believed, quote, the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000, end quote, which is still a disturbingly large number. The company expects to make a patch available sometime today. CISA issued Emergency Directive 21-01 late Sunday. Lawfare has a quick account of what the directive meant for U.S. federal organizations and many of their contractors. In many cases, it meant a lot of
Starting point is 00:03:51 time with dodgy network availability. CISA required all agencies covered by the emergency directive to report completion of required detection and remediation activities by noon yesterday, which itself is an index of how seriously the agency regards the threat. The Washington Post reports that five major U.S. agencies, the Departments of State, Homeland Security, Commerce and the Treasury, and the National Institutes of Health, are now known to have been affected. It's worth noting that a supply chain attack can be notoriously difficult to contain. It's not entirely clear how the spies, presumably Russia's SVR, familiarly known as Cozy Bear,
Starting point is 00:04:34 obtained access to SolarWinds and thus to the software supply chain. But ZDNet reports that a compromise of the company's Microsoft Office 365 email and Office productivity accounts may have provided a point of entry. Bloomberg reports that FireEye found the SolarWinds compromise in the course of investigating the breach of its own red-teaming tools. They found Cozy Bear's Sunburst backdoor and disclosed its existence to both SolarWinds and law enforcement. The security company Volexity says this incident is connected to a 2019 campaign against think tanks that continued into 2020.
Starting point is 00:05:13 Volexity writes, quote, The primary goal of the Dark Halo threat actor was to obtain the emails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command and control domains and other related indicators, such as a backdoored server running SolarWinds Orion. Dark Halo sounds a lot more sinister than Cozy Bear. We prefer Cozy Bear, if only because the word on the street is that the Russian organs,
Starting point is 00:05:52 however focused, sophisticated, and determined they may be, hate being thought of as cuddly and inoffensive. So stay cozy, comrades. Consensus holds that the effects of the cyber espionage will continue to spread. The Telegraph reports that GCHQ is investigating the potential impact of the incident on the UK. The risk is complex. There is, of course, the risk that sensitive information British agencies may have shared with their US counterparts could have been compromised. Or that Cozy Bear might have succeeded in executing a transatlantic pivot.
Starting point is 00:06:27 But the principal risk is more immediate and direct. SolarWinds customers in the U.K. include the Ministry of Defense, the Cabinet Office, GCHQ, and other government organizations. As we say, GCHQ and its National Cyber Security Center have the incident under investigation. An NCSC representative told Mail Online, quote, The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing and we are working extensively with partners and stakeholders
Starting point is 00:06:59 to assess any UK impact. The NCSC recommends that organizations read FireEye's update on their investigation and follow the company's suggested security mitigations. End quote. Turning to another cyber espionage campaign, Trend Micro this morning published an update to its research into what it's calling Operation Earth Kitsune. While the name may be drawn from the Japanese word for
Starting point is 00:07:25 fox, one with strong folkloric associations, Trend Micro has concluded that it's a North Korean unit, APT-37, also known as Reaper or Group 123. Their evidence is circumstantial but compelling, depending upon such things as insights into the malware deployed and the development environment in which that malware was built. Google has an explanation for yesterday morning's outage that affected services worldwide. It looked at the time like a glitch and not a hack, and that's been borne out by what Mountain View discovered during troubleshooting. Google tweeted an explanation yesterday. At 3:47 a.m. Pacific time, Google experienced an authentication system outage for approximately 45 minutes
Starting point is 00:08:11 due to an internal storage quota issue. This was resolved at 4:32 a.m. Pacific time, and all services are now restored. By consensus, remote work will remain the norm in 2021, and it will probably remain widespread even after the pandemic eases. But a CyberArk study suggests that companies have their work cut out for them, dealing with unfortunate remote worker security habits. The personal and professional seem harder to keep apart while working online, and poor personal security practices, like sharing passwords and devices with family members, make that blurred boundary risky territory.
Starting point is 00:08:54 Distracted minds make security mistakes, and there are plenty of distractions at home. CyberArk says, for example, 45% of remote employees cite disruption from family and pets as the biggest challenge of remote work, followed by balancing work and personal life at 43% and Zoom fatigue, which came in at 34%. Our staff can confirm that dogs are affecting working conditions. Some, at least, of our local dogs have been unusually frisky under conditions of social isolation. Maybe it's because they're not wearing masks. An ImmuniWeb study finds other security issues with working from home.
Starting point is 00:09:31 The company thinks remote work with reduced face-to-face contact and fewer opportunities for quick, responsive, even serendipitous collaboration will raise problems for DevSecOps. With respect to law and policy, J.D. Supra predicts that the U.S. Cyberspace Solarium Commission's report will serve as a reliable guide to their evolution. As CSO points out, the commission's report has already influenced
Starting point is 00:09:56 the U.S. National Defense Authorization Act. It's likely to do more than that. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:10:23 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:53 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:11:22 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:12:46 Learn more at blackcloak.io. years old or so. That was a long time ago. And yet, here we are still using passwords on a regular basis. Yes, we've got things like Touch ID and Face ID and password managers and multi-factor authentication. But that passwordless world remains frustratingly elusive. Jasson Casey is Chief Technology Officer at Beyond Identity. And he joins us to explain what passwordless actually means. Jasson, thanks for joining us here at the Cyber Wire. Thanks for having me. Passwords are by design end-user friction. And they haven't changed much in the last 20 years other than just saying things like they need to be longer,
Starting point is 00:13:21 they need to always be high entropy, and you need to rotate them on a regular basis. And so sure, you can pull in a password manager to manage some of that complexity. But when we think about who uses passwords in the world, or essentially everyone, we're not really making it possible for the rest of the world to be successful. Another way of looking at it is design, user interaction, ease of use from a person perspective has never really been considered in terms of passwords. And then you flip the coin over and you realize passwords are the front door for bad things to walk through. Ultimately, these knowledge factors create pools of risk called password databases that regularly get harvested, that get sold and bartered and leveraged to maybe not break back into the company that they were stolen from, but to exploit human behavior, which is it's really hard to remember lots of high entropy random strings. So I'm going to reuse things and I'm going to reuse things across different sites.
Starting point is 00:14:25 Rather than patch the problem, why don't we fix the root cause? Does this really require a shift in the way that people think about this, about their online identities and how they protect the information that's out there? It does actually provide a different perspective, but we think people are already moving in that direction. And so if you look at the business world in COVID, you have these highly disparate workforces where most of them were not before. And all of these enterprise organizations that had built security infrastructure that baked knowledge in about infrastructure, where people are coming from, what they're working on. These are the organizations that had been scrambling during COVID to try and shift and change their mindset.
Starting point is 00:15:17 Whereas the organizations that had really kind of embraced this digital transformation journey, as well as a more zero trust or BeyondCorp-style of thinking about security, basically they were in a mindset that was better able to handle this big shift in how workers behave. I suppose also having that, the ability, as you say, to escalate things, to have some granularity that, you know, not everything needs to have the same degree of scrutiny as other things. Are you moving $10,000 between bank accounts? Maybe friction's okay in that scenario. Right.
Starting point is 00:15:57 Or are you moving, maybe you're paying a $5 bill, but you're paying a $5 bill and you're operating from a device that you haven't really used in a while and you're in a part of the country that we've never seen you travel to. Maybe that deserves a little bit more friction. But if I'm at my corner grocery store, you know, buying a tank of gas or a candy bar, I want that to happen as quickly as possible. If the risk is low, the friction should be as well. That's Jasson Casey from Beyond Identity. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:16:45 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Ben Yelin.
Starting point is 00:17:32 He's from the University of Maryland Center for Health and Homeland Security. But more important than any of that, he is my co-host on the Caveat podcast. Hi, Ben. How are you doing? Pretty good, Dave. How are you? Not bad, not bad. Interesting article. This is from Vox on their recode section. And, you know, we are deep in the holiday season here, getting our Christmas shopping done
Starting point is 00:17:51 and taking care of our friends and family for Hanukkah or whatever it is we celebrate. And this article is titled, How Retailers Track Your Every Move in Exchange for Coupons and Convenience. The subtitle is, Attention shoppers, Your Data Has Never Been More Valuable, article written by Sarah Morrison. What's going on here,
Starting point is 00:18:11 Ben? So this article is sort of an all-encompassing summary of what retailers are doing with our data. I think one of the interesting elements of this is it's very timely for the end of 2020. The hook in this article is that not so long ago, i.e. last February, many of us used to go to brick and mortar stores. You could browse things, you could try on shirts and dresses before you decided to buy them. You could, you know, be relatively anonymous, maybe even pay in cash where it's untraceable. Now, more of us are online shopping. It's not as safe to go into brick-and-mortar stores,
Starting point is 00:18:56 even the ones that are open and are not restricted. And because more of us are shopping online, we are trading convenience and potential coupons for what amounts to a pretty big invasion of personal privacy because these companies collect a lot of data on us. We have extreme examples like Nordstrom, which was collecting data about us while we were in their store by tricking our cell phones into transmitting real-time data. But more typically, it's that these stores will lure us into their applications by offering us coupons. You get 10% off Target by downloading the application or whatever, not to pick on any
Starting point is 00:19:35 individual company. So they lure us in that way, and then they have us opt in to a bunch of EULAs that allow our information to be shared pretty broadly. And we know that that information is purchased by data brokers. In some cases, it's sold by the cell phone companies itself. And it's a lot of information. I mean, it's not just our purchasing habits. It's using GPS tracking to figuring out our personal habits, what kind of lives we lead. It's getting information from applications that we'd never suspect would be sharing
Starting point is 00:20:13 personally identifiable information. I always talk about when I order a sandwich from Jimmy John's, they're learning a lot more about me than you'd think. Just by sharing my location, just by agreeing to their terms of service, by allowing them to connect to my other social media profiles.
Starting point is 00:20:36 So I think in some ways, this is sort of something that we already knew, but I think it's kind of bringing into focus that there is no free lunch here. You are paying for something with those coupons. Most of us don't think about them because most of us will never face the consequences of, you know, data brokers purchasing information on us or selling information on us and, you know, companies knowing the intimate details of our lives. But I think, you know, that's something that should be on every person's mind
Starting point is 00:21:06 before they sign those terms and conditions. Yeah, I think about the grocery store loyalty programs. And I have a friend of mine, a dear friend of mine, who is very bitter at the fact that in order to get the various discounts and sales that are around the grocery store, well, in the old days when we used to browse through the grocery store. Seems so long ago now. I know.
Starting point is 00:21:33 You have to, in exchange for giving them your information, in exchange for allowing them to track your purchases, you get these discounts. He wants the discounts without the tracking. And I feel differently about it. In this case, I feel as long as it's all above board and this is a deal you're willing to make to say, okay, it's optional. You can track me in exchange for these discounts.
Starting point is 00:22:01 And that's the arrangement we've made here. And either I'm okay with it or I'm not. Right. I mean, in contract law, we talk about these bargained-for exchanges, where as long as the terms and conditions are clear, if somebody really values something and you really value something else, those are legal grounds to make a trade, right? And I think that's what's happening here. As long as consumers are aware
Starting point is 00:22:27 that this is what's happening, that by getting these, you know, 10 cent discounts on cereal boxes, you're potentially providing your local grocery store a lot of private information about yourself. As long as that information is widely understood, I think your perspective is right. It is, you know, it is a bargained for exchange. It's fair. The problem we run into is that just most people aren't aware that that's what they're bargaining for. And I don't think we've properly answered,
Starting point is 00:22:57 just from a policy perspective, this problem of the fact that most people don't read terms and conditions and are just blissfully unaware of what they're giving up when they agree to use an application in exchange for a coupon. So I think in the long term, it's going to be about education around these things, just alerting people and giving people meaningful information before they agree to these terms and conditions. Well, let me add, for those of you who are interested in a certain degree of anonymity at
Starting point is 00:23:28 the grocery store, I have yet to experience a grocery store where if I put in the phone number 867-5309, it's not already in the system. Oh, I'm not surprised. Jenny, they got your number. Just put your area code and 867-5309. Jenny is in the system and you get all the discounts you want. And boy, Jenny buys a lot of stuff. Dave, I resent you for the fact that that song is going to be in my head the rest of the day. So thank you for that. Yeah, my gift to you. All right, well, Ben Yelin, thanks for joining us.
Starting point is 00:24:04 Thank you. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It saves you time and keeps you informed.
Starting point is 00:24:36 We floor the competition. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams
Starting point is 00:24:49 and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan,
Starting point is 00:24:58 Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben,
Starting point is 00:25:08 Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
