CyberWire Daily - Terror attack in Iran prompts info skirmishing, and perhaps worse to come. JET bug disclosed. ANSSI open-sources OS. Anglo-American response to Russian cyber ops. Russian elections. Scam notes.
Episode Date: September 24, 2018. In today's CyberWire, we hear about a terror attack in Iran that has heightened tensions among adversaries: expect a heightened cyber optempo. A JET vulnerability in Microsoft products is publicly disclosed as Microsoft misses the Zero Day Initiative's 120-day deadline. France will open-source its secure operating system. UK, US attitudes continue to stiffen towards Russia in cyberspace. Russian elections are surprising, by Russian standards. Notes on some current scams. Ben Yelin from UMD CHHS on a ruling on warrantless GPS tracking at the U.S. border. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_24.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K at checkout.
A terror attack in Iran heightens tensions among adversaries.
Expect a heightened cyber op tempo.
A JET vulnerability in Microsoft products is publicly disclosed
as Microsoft misses the Zero Day Initiative's 120-day deadline.
France will open source its secure operating system.
UK and US attitudes continue to stiffen towards Russia in cyberspace.
Russian elections are surprising by Russian standards.
And some notes on some current scams.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, September 24th, 2018. Saturday's terrorist attack on a military parade in the Iranian city of Ahvaz killed at least 29: 12
members of the Revolutionary Guard and 17 civilian spectators, including children and the elderly.
Ahvaz is in Khuzestan, a province on the Iraqi border with a large ethnic Arab population.
That Arab population is to a significant extent Sunni, which is a source of religious difference with
the Shiite Islamic Republic. Responsibility for the murders has, according to various reports,
been claimed by several groups, including ISIS and the Ahvaz National Resistance,
which is an Arab opposition group that operates a television station from its expatriate perch
in London. ISIS has distributed video through its Amaq news outlet
that purports to show the attackers,
but there have been no reports of any of the attackers,
some of whom are thought to have been taken alive by Iranian authorities,
claiming allegiance to ISIS.
Tehran attributes the attack to the separatist Patriotic Arab Democratic Movement in Ahwaz,
which on its website has denied any involvement in the attacks. But the Islamic Republic places ultimate blame on
the U.S., the U.K., and the Arab Gulf states, especially Saudi Arabia, whom Tehran considers
U.S. and U.K. clients. The U.S. has dismissed all Iranian claims of involvement. Tensions have been high in any case over renewed U.S. economic sanctions,
suspicion of Iran's nuclear and missile programs,
the ongoing civil war in Syria,
and increased Iranian involvement in offensive cyber operations.
Iran has promised vengeance for the terror attack,
and it's received expressions of support from such sympathetic parties
as the Assad
regime in Syria and the Hezbollah. Renewed cyber conflict, and at a heightened operational tempo,
may be expected. The Zero Day Initiative at the end of last week reported a vulnerability in the
Microsoft JET database engine. It's said to affect all versions of Windows. Trend Micro,
which discovered the issue, disclosed it to Microsoft.
The Zero Day Initiative has gone public with the disclosure
because 120 days have elapsed since Redmond was notified.
The vulnerability, according to the Zero Day Initiative,
is an out-of-bounds write issue that could be used to, quote,
execute code under the context of the current process, end quote.
Exploitation would require user interaction.
You'd have to open a malicious file.
The JET database engine is bundled with Windows.
Several Microsoft products use it, among them Microsoft Office.
The Register says that 0patch has promised to offer its own fix.
0patch has been tweeting about the vulnerability.
There's no patch yet from Microsoft.
Many hope to see one on October's Patch Tuesday.
It's believed Redmond is working on one.
ANSSI, France's national information security agency,
is asking outsiders to contribute to the development of CLIP OS,
ANSSI's Linux-based, security-optimized operating system.
The decision to open-source an operating system intended to be secure by design is interesting
and will bear watching.
Tough talk about Russian cyber operations and the prospect of Western retaliation has
been emerging from both the U.S. and the U.K.
The recently published U.S. cyber strategy continues to receive both
high marks from observers and press headlines like SecurityWeek's "U.S. Takes Off the Gloves
in Global Cyber Wars" or Foreign Policy's "Trump Has a New Weapon to Cause the Cyber Mayhem."
It's not quite Unleash the Kraken, but the strategy is an assertive evolution of past U.S. policy.
In the U.K., The Telegraph reports that former MI5 Director General Dame Stella Rimington
told a conference that Britain should respond to Russia by meeting aggression with a certain
degree of aggression. Rimington led MI5, the domestic counterintelligence service, from 1992 to 1996.
Russian regional elections appear not to have gone entirely as Moscow would have wished.
The contests in the country's 85 regions are not usually expected to turn up results other than
those the Kremlin desires. In this case, several of the elections were more hotly contested than
is normal. Two incumbent regional governors lost, which by Russian standards is surprising to say the least.
The outcome is thought by Radio Free Europe/Radio Liberty and others to have been sparked by widespread dissatisfaction with recent revisions to the national pension system
that would have required workers to delay retirement.
Thus, pensions would appear
to be a third rail of Russian politics, as Social Security is said to be the third rail of American
politics. It should go without saying, but unfortunately it does not, that U.S. federal
tax, investigation, or law enforcement organizations will not telephone to ask you to pay a fine with your credit card,
which they'll be happy to take on the spot for your convenience.
The U.S. Marshals Service is warning that just such a scam is pestering residents
of the aptly named city of Marshall, Texas.
Someone is calling people up and telling them they've failed to report for jury duty
and that they face either a fine or jail time.
Of course, you should report for jury duty. It's just good citizenship.
But this call is bogus. Ignore it, and don't give the caller your credit card number.
Finally, what's the hot commodity these days in dark web markets?
Stolen frequent flyer miles, that's what.
Please, don't be a buyer.
...what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an
interesting article come by. This is from Ars Technica, Cyrus Farivar, who's been a guest on
our show before. He wrote this article. The title is "Cheese Danish Shipping, Warrantless GPS Trackers, and a Border Doctrine Challenge."
What's going on here?
I cannot write a drama with a storyline this compelling.
And I don't think any of our best writers could do so.
So basically, the FBI started investigating a suspected drug trafficker and was following this trafficker's vehicle when they crossed the border, the border in Southern California, the Mexican border in 2016.
And the smugglers were using the shield of a Starbucks vehicle, claiming that they were shipping cheese danishes to Starbucks locations
throughout Southern California. In fact, this was a drug smuggling operation. The FBI,
based on investigative work they had done, suspected that it was a drug smuggling operation.
So they attached a GPS device, physically attached it to this vehicle,
realized what was going on, and initiated a prosecution for drug trafficking.
And a judge recently held in this case that the attachment of a GPS device without a warrant is unconstitutional.
And it's an interesting case because there are sort of two competing legal concepts here.
On the one side, the Supreme Court has held that you generally do not need a
warrant to conduct searches at the border. That is what we call a special needs apart from the normal
criminal investigatory process we associate with law enforcement. Basically, we want to be able to
check people's stuff at the border because we want to make sure we're not letting in bad people who
are bringing in unsafe things.
Then there's the separate doctrine that comes out of the United States v. Jones case.
And in that case, the Supreme Court held that it is unconstitutional to physically attach a GPS device to a vehicle without a warrant.
And that's what happened here. And I think this judge's rationalization was this no longer became a
simple border search because the surveillance was pervasive going far beyond the border.
They were tracking this vehicle as it made its way from the Mexican border all the way through
Los Angeles. So if you have sort of two competing legal doctrines here, I think the Jones doctrine
of disallowing the warrantless attachment of a GPS
device is more compelling in this particular case. And so the FBI was, I suppose, trying to make the
case that because they attach this GPS tracker at the border, that the border exemption would
take place here. Yeah. And, you know, that's something that I think will make it up through our court
system, because I don't think this particular scenario is one the Supreme Court has directly
addressed. I think the border exception to the warrant requirement was for physical searches
at the border, doing warrantless searches of people's cellular devices. That's obviously been a controversial issue, but
checking people's suitcases. Again, this is part of a special needs exception for our national
security. But, you know, I can understand the reasoning in this case. How far is that exception
going to extend? Could you attach a GPS device, some sort of tracking device on a person and follow that person the rest of his life or her life just because that person happened to cross the border?
Or a listening device.
Or a listening device. I think that would be, I think all of us would consider that a major invasion of privacy.
So I think because this wasn't a traditional border search, I think the border search exception was not well applied
in this case. Now, in the eyes of the law, is there a fundamental difference between
a search and tracking? Are those different things, or does something like a GPS tracker
fall into the Fourth Amendment definition of searching? So it's actually a very interesting case.
Everybody sort of assumed in the last 40 years that the court had moved away from a physical
trespass standard for determining whether there was a search. So up until the 1960s,
there wasn't really a Fourth Amendment search in our legal system unless somebody
physically trespassed on your property, usually law enforcement.
That changed in a decision called Katz v. United States, where the court held that it wasn't
simply a physical invasion that would cause a search, but rather a violation of a person's
reasonable expectation of privacy.
What was unique about this GPS device case, United States v. Jones in 2012, is that Justice Scalia, in his majority opinion, held that they need not decide whether this was a violation of a reasonable expectation of privacy because this was a physical trespass in the way that searches had been
understood up until the 1960s, and that was sufficient to establish a Fourth Amendment
search. So unlike other forms of surveillance that are purely electronic, we talk about cell
site location information, other types of surveillance, here you actually do have a
physical invasion of somebody's personal property.
A car is an effect.
The language of the Fourth Amendment says you can't have unreasonable searches and seizures against effects.
A car is an effect, according to our Supreme Court. So they held that you cannot have a warrantless physical attachment of a GPS device on a vehicle.
Now, I think five justices in that case also seem to agree that it also violated a person's reasonable expectation of privacy,
which would have broader implications for Fourth Amendment jurisprudence. But
when we're talking specifically about GPS devices, it's according to the Supreme Court,
the physical intrusion that really matters.
All right. Well, as always, Ben Yelin, thanks for explaining it to us.
Good talking to you, as always. Thanks.
Absolutely. Thanks, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Thank you.