CyberWire Daily - The US House of Representatives wants to know more about DNS-hijacking. Huawei skepticism. Anonymous dunnit, say the Russians. Financial data exposed. Family spooked by hackers.
Episode Date: January 24, 2019

In today's podcast, we hear that the US House would like some more information from DHS about what prompted its emergency directive about DNS hijacking. More skepticism about Huawei from various governments. A British think tank has been hacked—observers think Russia's GRU is good for it, but Russia says no, hey, it was Anonymous, and they did a good job. Exposed database leaves financial information out for the taking. Creeps take over a family's Nest. Ben Yelin from UMD CHHS with a 4th amendment personal privacy case out of Alaska. Guest is Kathleen Smith from CybersecJobs.com and ClearedJobs.net on the career benefits of volunteering. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. House would like some more information from DHS
about what prompted its emergency directive about DNS hijacking,
more skepticism about Huawei from various governments.
A British think tank has been hacked.
Observers think Russia's GRU is good for it, but Russia says, no, hey, it was Anonymous
and they did a good job.
Exposed databases leave financial information out for the taking.
And creeps take over a family's Nest.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 24, 2019.
It's now believed, CyberScoop reports,
that six U.S. federal civilian agencies have been affected by the DNS hijacking campaign
that prompted the Department of Homeland Security to issue Emergency Directive 19-01 this week.
Representative James Langevin, Democrat of Rhode Island,
has asked the department to brief the House Homeland Security Committee on the matter.
Private security firms, FireEye prominent among them,
have said they see signs of Iranian sponsorship of recent DNS hijacking campaigns.
As FireEye puts it, they "assess with moderate confidence that this activity is conducted by persons based in Iran
and that the activity aligns with Iranian government interests."
Security firm CrowdStrike agrees that there appears to be an Iranian connection.
We received an emailed statement in which their Vice President of Intelligence, Adam Meyers,
noted that the DNS hijacking has been global in scope and has affected several different sectors.
He said, quote,
CrowdStrike Intelligence assesses that there is some basis to believe that the DNS hijacking campaign
is attributed to Iran-based adversaries,
given that the targets of the DNS hijacking campaign align with Iranian interests in the region.
As always, remember that attribution is usually, especially in its early stages,
based largely on circumstantial evidence.
More governments express official skepticism of Huawei as a potential security
threat, with recent animadversions from France, the UK, and Taiwan. The Russians apparently
haven't been idle either. BuzzFeed reports that the Integrity Initiative, a project of the
Institute for Statecraft, a British think tank, has apparently been hacked, with stolen material
appearing in Russian outlets Sputnik and RT, framed in stories alleging the initiative's role
in fomenting anti-Russian sentiment. As RT puts it, quote, by all means smear and attack, but be
honest about it, end quote. RT adds that honesty would consist in admitting that they represent
a conspiracy of mainstream media and Her Majesty's Foreign Office.
The Russian outlets disclaim any role whatsoever in the hack, which Sputnik says revealed that the Integrity Initiative is, quote,
an international anti-Russian information warfare effort funded by NATO and British state organs, the Foreign Office and Ministry of
Defense.
Instead, they credit Anonymous, which they say has been posting files taken from the
initiative's servers since November 5th.
A lot of the stuff has been posted to the Cyber Guerrilla site, along with disclaimers
that it comes from Anonymous, that they warned the British government, and so on and so on.
The Integrity Initiative has devoted considerable attention to exposing Russian information
operations. The UK's National Cyber Security Centre and others are examining the initiative's
servers and its employees' devices for evidence of compromise. Suspicion on grounds of motive
and a priori probability has turned toward Moscow, despite all the woofing about Anonymous. Fancy Bear has been known to devote some attention to think tanks in the past.
It's also worth pointing out that it takes more than syncing your posts to begin on Guy Fawkes Night to establish your identity as a member of Anonymous, so we're reluctantly
moved to skepticism by RT's and Sputnik's pious claims that Anonymous did it.
Could we see some ID?
Maybe a Guy Fawkes mask?
That wouldn't be dispositive either, but at least it would be fun.
Sputnik says the Integrity Initiative is running scared.
The online paper congratulates itself by crowing,
the drastic measure, that is, taking its content offline,
may have been spurred by Sputnik's dogged investigations.
Connoisseurs of information operations will recognize the rhetorical technique.
It's unlikely insistence, like saying over and over again,
New York is a fun city, or protecting your privacy is our number one priority,
or happiness is being a Cleveland Browns fan.
Anyway, we hope there are some British, NATO, and dare we say U.S. information operations afoot.
It's about time.
The folks at CyberSecJobs.com recently published results from a survey on volunteerism in the cybersecurity industry
and the benefits that can be realized for both the volunteers and their employers who support their activities.
Kathleen Smith is Chief Marketing Officer at CyberSecJobs.com.
When people hear the word volunteering, I think they believe that it's bake sales or marathons
or doing something locally at their family or church community center.
Yet when we look at the breadth of conferences and events and
organizations that are in the cybersecurity community, the lion's share of them are
volunteer run. I mean, when we look at DEF CON over 25 years, very much volunteer run.
Many of the organizations that are, or events that are in the cybersecurity community are really
volunteer run. And when I see volunteers working, they're just doing that because of their passion
and that they love coming together and doing something and feeling that sense of accomplishment.
And it's also interesting that many employers are not aware of how many of their employees are involved in the community and how that is important in employee retention, but also in building their talent pipeline for recruiting.
When an employer is looking at their overall recruiting and retention strategy, they need to really look at how is the company positioned within the community and how is it that they are supporting volunteering.
This is a separate budget from your marketing and your business development.
This is not the booth that's at the trade show.
This is not the logo being on the website.
This is investing in the employees that are on the ground, being your brand ambassadors
to say, this is a great company. They believe in the community and they believe in me and believe
in me giving back to the community. What is great about this community is there are so many different
online and offline organizations to be part of. So one, if you are currently employed and volunteering,
really look at it as what are you getting out of the role? And is there a new role you can be moved
into? Because this is a really great opportunity to plan out your career development. I have seen
many people within the community start out as just registration and they move on to being their own conference organizer or founder.
So really looking at the way that you can map your career.
Are you always security?
Are you going to move over to a different part of the conference?
So one, looking at your map of your career development. If you're not volunteering and you want to get into the
community, really check out the websites of organizations that are of interest to you.
There are many that are solely online. There are many that are solely offline. And really see if
the mission of the organization matches your personal passion. There's nothing worse than
going in and working at an organization
and you're not passionate about it. Everyone who works in volunteering, they're driven by the fact
that they want to make the community better, but they also feel that this is a great thing that
they're doing. If you don't have that love, you're not going to be happy in volunteering.
It's going to take about a year or so of volunteering
with a variety of different groups before you start to feel comfortable that this is the place
that you want to be. So start with some of the local meetups. Start with maybe a local BSides.
Check out some of the online organizations. There are many large professional organizations, but there are also several smaller ones that focus on certification and training or, you know, putting on online CTFs.
There are many organizations out there that are needing volunteers to help out.
But realize that you have to make the decision how much of your time you're going to commit to this.
And what are the
questions? Similar to interviewing for a new job, you need to interview an organization.
What do they need from you? How much of a time commitment is it? What are the stress times? What
is the timeline? Being very diligent because this is an investment of your personal resources
and you want to make sure that you're going to get back
that kind of fulfillment that you're looking for.
That's Kathleen Smith from CyberSecJobs.com.
You can find the complete results on their volunteerism survey on their website.
Researcher Bob Diachenko has provided details on the exposure
of more than 24 million financial and banking
documents in an unsecured Elasticsearch database. The documents, mostly pertaining to loans and
mortgages from large U.S. banks, were exposed, TechCrunch says, by a third-party document
management vendor widely used by the financial industry. And finally, as if there weren't enough
jerks in the world, there seems to be an
inexhaustible supply of people willing to step up and fill the ecological niche they so misperceive.
For your consideration, a couple, and this couple and their children, we hasten to say,
are not the jerks you're looking for in this story. A couple, we say, who've recently moved
to the town of Auburn in the state of Washington, reported to police that someone was not only watching them through their networked home security cameras
and their networked doorbell, but was talking to them as well, even swearing at them.
It would appear that someone had obtained the couple's passwords to their Nest system
and had decided to use it to pursue their career as a jackanapes.
Police are investigating.
Nest, which was not itself breached,
advises that you not reuse passwords and that you implement two-factor authentication.
So really, trust us.
There's tremendous oversupply in the online jerk labor market.
If you're a young person considering your career choices,
seriously, look somewhere else.
You might even try journalism.
Go someplace where you won't be led into temptation and leave the jerk gigs to the professional jerks.
Heaven knows there are enough of them out there.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's great to have you back.
You sent over this interesting case. This is from the Court of Appeals of the State of Alaska, and
it has to do with a laptop and personal privacy and so on. Dig in here. This is an
interesting one.
Yeah, it is. So a Fourth Amendment case that comes from the final frontier in Alaska,
it involved an individual, a woman named Erin Poland, who was a former assistant to AG in that
state. She was convicted for official misconduct. So the alleged crime was that she was using her
position as a legal advisor to the Labor Relations Agency in Alaska to benefit her personal friend.
Now, that personal friend was not an ordinary friend of hers.
It was a close friend, and they happened to share an apartment.
So this friend named Skye McRoberts, she owned what was essentially a large apartment, it seemed like.
And Poland, the defendant in this case, rented a portion of that apartment, which wasn't really separated by any physical barrier.
So Poland was the tenant and her good friend was the landlord. Now, this good friend was suspected
of her own financial crimes. So the police, while they suspected that Poland might have participated
in some official misconduct, didn't have probable cause to get her. But they did have probable cause,
they established probable cause to get a warrant to search Skye McRoberts' house for any evidence
about her potential financial crimes. And as part of a search of their house, they uncovered the computer of the defendant,
Erin Poland, and they searched that computer, and contained within stored text messages was
incriminating evidence that Poland indeed abused her position of power. She engaged in official
misconduct and she was convicted. And the holding in this case was that the Alaska Court of Appeals
overturned her conviction on a couple of grounds. And these get into really interesting digital
privacy issues. For one, they said the computer is not like any other effects that exist in a
person's house for Fourth Amendment purposes. So there's this sort of longstanding Supreme
Court doctrine that if you get a warrant
to search somebody's house, you can search everything in that house, even if it doesn't
belong to the owner, even if it belongs to a tenant. And in the past, that's applied to things
like physical files or notes or whatever other stuff, things you can find in a given residence.
But what the court here is saying is that the
computer is fundamentally different. It is personal. It contains our private secrets,
and it shouldn't be considered just a standard effect, a thing that's lying around the house.
In no real way is that something, even though it's physically in Skye McRoberts' house,
does it belong to her. There's no evidence
that Skye McRoberts was using Poland's computer to hide evidence of her own crimes. And without
that sort of suspicion, the government had no right to open this computer. You know, that's
one of the profound holdings in this case that presents very significant Fourth Amendment issues.
So help me understand the implications of this.
Does this mean that if police are serving a warrant, a search warrant in someone's home,
and they happen upon a laptop, they can gather that laptop, but then do they have to go back
to the judge and say, we'd like additional permission to dig into this laptop here?
So if they have reason to believe that that laptop does not belong
to the person named in the warrant,
the implication of this decision is yes.
They would have to get a separate warrant
to access that laptop
because even though they were able
to legally enter the physical space
listed in the original warrant,
this computer, for Fourth Amendment purposes,
is not part of that physical space.
It sort of exists in the ether. It's not like going into somebody's house and searching through
their file cabinets because of how personal a laptop is and how much of an individual's
private life can be maintained on that device. And, you know, because it is presumably password
protected in a way that the landlord in this situation couldn't gain access to it.
So, yeah, that is the natural implication here is that you would need a separate warrant to access this device.
This isn't just a thing lying around the house.
This is something that's more deeply personal, that's more deeply revealing, and it merits its own Fourth Amendment protection.
And I think that's continuing a broad trend in digital privacy that we've seen across a number of cases over the past several years.
It's fascinating. Ben Yelin, thanks for joining us.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Thanks for listening.
We'll see you back here tomorrow.