CyberWire Daily - US considers how to settle accounts with Holiday Bear. International norms in cyberspace. Ransomware continues to surge against vulnerable Exchange Servers, and other criminal trends.
Episode Date: March 30, 2021
The US Administration continues to prepare its response to Holiday Bear’s romp through the SolarWinds supply chain. Congress is asking for details on what was compromised in the incident, and why the Department of Homeland Security failed to detect the intrusion. The UN offers some recommendations on norms of conduct in cyberspace. Ben Yelin on a New Jersey Supreme Court ruling that phone passcodes are not protected by 5th amendment. Our guest is Frank Kettenstock from FoxIT on the security of PDF files. Developments in ransomware, including Exchange Server exploitation, credible extortion, and attempts to enlist customers against victims. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/60
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. administration continues to prepare its response to Holiday Bear's romp through the SolarWinds supply chain. Congress is asking for details on what was compromised in the incident and why the Department of Homeland Security failed to detect the intrusion. The U.N. offers some recommendations on norms of conduct in cyberspace. Ben Yelin on a New Jersey Supreme Court ruling that phone passcodes are not protected by the Fifth Amendment. Our guest is Frank Kettenstock from Foxit on the security of PDF files. Developments in ransomware, including Exchange Server exploitation, credible extortion, and attempts to enlist customers against victims.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 30th, 2021.

The AP's report that the Russian threat group behind the SolarWinds supply chain compromise gained access to email accounts of senior U.S. Homeland Security officials, including those of former acting DHS Secretary Chad Wolf, continues to draw attention. As the AP puts it, "The intelligence value of the hacking of then-acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what's known as the SolarWinds intrusion, and it throws into question how the U.S. government can protect individuals, companies, and institutions across the country if it can't protect itself." CNET has a particularly useful summary and timeline of the entire Holiday Bear incident. The Washington Post says it's confirmed that Secretary Wolf's emails and those of senior staffers were indeed accessed, but the Department of Homeland Security has declined to confirm either the compromise or the content of the emails the threat actor obtained. Members of both the U.S. Senate and House from both major parties have asked the administration for an explanation.

The U.S. administration is believed to be entering the last stages of deliberation over a response to the Russian operation. Delay in appointing the national cyber director the Solarium Commission recommended and Congress authorized is seen, according to Politico, as hindering the execution of whatever response the administration ultimately decides upon. It ascribes the delay to wrangling over agency equities, executive branch reluctance to introduce another Senate-approved position into the White House, and at some level personal friction among present and prospective senior cyber officials.
Microsoft expresses its approval in a blog post of the United Nations' evolution of proposed international norms for conduct in cyberspace. Redmond sees three particularly noteworthy aspects of the report by the General Assembly's Open-Ended Working Group. First, it elevates and affirms the authority of international law in cyberspace and the set of norms for responsible behavior that were adopted as voluntary standards in 2015. Second, it recognizes the need to protect healthcare from cyberattacks, including medical services and facilities. Third, it calls on states to protect the information and communications technology, or ICT, supply chain.

As the Open-Ended Working Group's report has it, the development of international communications technology has become central to the UN's core goals of promoting peace and security, human rights and sustainable development. The global connectivity such technology has fostered has become a catalyst for human progress and development, transforming societies and economies, and expanding opportunities for cooperation. The states who contributed to the working group expressed concern over the extent to which I to the public, could pose a threat not only to security but also to state sovereignty, as well as economic development and livelihoods, and ultimately the safety and well-being of individuals.

The recommendations represent the application of familiar just war principles to cyberspace, particularly discrimination, proportionality, the protection of non-combatants, and the services essential to their well-being. The report recommended a mix of voluntary restraint and cooperation, further development of international law, and an effective array of confidence-building measures.
Check Point adds its conclusions concerning a trend remarked by SecurityWeek and others. Ransomware attacks are surging against still-vulnerable instances of Microsoft Exchange Server. Check Point says that in the last week alone, the number of attacks involving Exchange Server vulnerabilities has tripled. SecurityWeek's partial list of the criminal groups who've entered via the zero-day that Hafnium, a Chinese government actor, exposed includes ransomware operators DearCry, also known as DoejoCrypt, and Black Kingdom, also known as Pydomer, with the Lemon Duck cryptojacking botnet in for good measure.
Ransomware gangs are showing some evolutionary trends as well. Their long move from simply rendering victims' data inaccessible by encrypting it and on to adding data theft, with the attendant possibility of either doxing or compromise of sensitive information, is now well known. The BBC reports a shift toward more of what it calls extortionware, that is, the location of discreditable material, often pornographic, whose public disclosure would embarrass both the individual victim and the victim's organization. Sextortion has been going on for some time, but it's most often represented an empty threat. The extortionist typically had nothing on the victim and could be safely dealt with simply by ignoring it. In recent incidents, however, the criminals unfortunately may well have the goods.

And the ransomware gangs are also calling in victims' customers to help induce the victims to pay up. Bleeping Computer wrote Friday that the Clop gang has begun to threaten those customers with data exposure in the expectation that the customers will pressure the victims to pay. This was first seen, Bleeping Computer says, when Flagstar Bank was hit and then when the University of Colorado was affected by the Accellion incident. More recently, Bleeping Computer says it's seen an email sent to customers of an unnamed online maternity store – the publication won't on principle name the retailer – urging them to push the store to pay the ransom. The email's subject line says, "Your personal data has been stolen and will be published." The body goes on to say, "Perhaps you bought something there and left your personal data, such as phone, email, address, credit card information, and social security number." It closes with creepy urgency: "Call or write this store and ask to protect your privacy." There is, of course, no particular reason for anyone, customer or not, to assume that the Clop gang will keep its word. Forbes points out that this tactic seems to make the victim out to be the bad guy. Their article also urges people not to fall for it and to avoid becoming complicit in the crime.
The trusty PDF file format dates back to 1993, a portable document format developed by Adobe, standardized in 2008 and fairly ubiquitous today. It's one of those file formats that's been around so long and is in such common use that for a lot of folks it's essentially benign. The thought that PDF files could carry security issues doesn't really cross their minds. Frank Kettenstock is CMO of Foxit Software, a provider of PDF tools, and he joins us with a few security reminders about the format.
So when we look at security for PDF, we look at it in three different ways.
The first one is security of vulnerabilities.
That's to protect you against malicious software.
The second is document security.
That's really to protect the confidential information within a document.
And then the third one is service security, right?
Because we do a lot of things over the cloud now. And if you're dealing with a cloud service that goes outside your firewall,
you want to make sure that your documents are secure as well as your privacy is protected.
And so we look at those three separate things.
Now, for security vulnerabilities, this has been happening for, you know,
since the Internet had started, right?
We download software onto our computer, and sometimes there's unwanted software that comes with it, right?
And a lot of times that's malicious software that we don't want.
And so we install virus protection, right, to guard against that.
Also, our browsers now also have capabilities built into it to warn us against suspicious websites or other types of things.
And so our PDF software that reads and displays and allows you to manipulate or edit PDF documents
really does the same thing as well.
And so one of the great things about PDF is it's very powerful,
but it allows you to do things like JavaScripting and so forth.
That's where someone can put in some malicious software.
What we want to do is protect you and your computer against that.
We have something called a safe mode, which will basically turn a lot of things off.
You're very secure with that,
but sometimes your PDF might not operate correctly, right?
So we have ways, things like whitelisting,
to be able to provide you the capability to say,
this is what I want to protect myself against,
and this is what I don't.
We also look at things like when a PDF tries to access areas of memory that it shouldn't, or does some external commands that aren't very typical. We would stop those and say, hey, your PDF is trying to do this. Do you really want it to do that?
So we're trying to protect the user when they download documents off the Internet to make sure that both their data as well as their system doesn't get negatively
affected.
So bright days are still ahead for PDFs. I mean, it's a format that's been around for a while, but still provides us with the service we need for many, many useful functions to come.
So yes, that's correct.
And what we see now is more and more people are using PDF on cloud-based services, whether it's cloud storage, or PDF creators or editors like ours also augment the desktop with cloud-based services, or just have standalone cloud-based services. Now there's security in that as well, a different type of security, right? So with a lot of these cloud-based services, some of your information or data might get moved to a cloud-based server outside of your firewall. And you want to ensure that your documents, your information, as well as your personal information are secure and are private.
You also want to make sure that the IT folks of your cloud service provider
or internally, that they also have restrictions and so forth,
and so people within the company can steal the data as well.
And these are all kinds of things that you want to look at for a PDF document
or obviously even if it's a non-PDF document.
That's Frank Kettenstock from Foxit Software.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the Caveat podcast. Ben, it's great to have you back.

Good to be with you, Dave.

Interesting article from CPO Magazine, and it is titled "New Jersey Supreme Court Rules Phone Passcodes Are Not Protected by Fifth Amendment." What's going on here, Ben?

So this is an issue we've talked about on this podcast and on the Caveat podcast, and there's really a large disagreement among courts in this country as to how to address it. So the Fifth Amendment says basically you can't be forced to testify against yourself, and that we know is the right against self-incrimination. It's why people say they're pleading the Fifth. They don't want to incriminate themselves. There are situations, such as the case identified here, where the government asks you to either decrypt your device or use your passcode to unlock your phone. And you, the user of that device, know that if you do that, there's going to be incriminating information and you are going to get arrested. So the question is whether the government can force you to enter that passcode, whether they can compel you to do that, or whether that would violate somebody's Fifth Amendment rights.

Other courts across the country, including the Supreme Court of Indiana, I think in a case that we discussed, have said that this is a Fifth Amendment violation. This does violate that right against self-incrimination. The New Jersey Supreme Court, along with a lot of other courts, have come up with a different conclusion, basically saying that because the discovery of the incriminating information is what they call a foregone conclusion, it is actually not protected by the Fifth Amendment. So what do they mean by foregone conclusion? Well, in this case, they know that the individual knows his passcode, and they know that the individual is aware of what is on his device. So in the view of the law, it is simply a matter of time before that device is going to be unlocked and accessible to government agents. To me, this seems like a legal fiction. I've always said that. I don't really understand or see the value in the foregone conclusion doctrine. But that's how, that's what courts have argued, that if you can prove that somebody knows their passcode, it's not incriminating in and of itself to simply enter a passcode. That's not something that's, you know, in and of itself revealing information. What happens to be on the cellular device, you know, that's the incriminating information. It's not the passcode itself.
Is this the same as in the real world? Could they compel me to unlock my safe?

So basically, there are a couple things there. Basically, yes. The Fifth Amendment only applies to testimonial evidence. So it's evidence that's spoken. It's not something like standing in a police lineup, for example. Being forced to stand in a police lineup would not subject you to that Fifth Amendment protection. And in the majority of cases, you'd have to look at the exact circumstances, but forcing somebody to unlock a safe deposit, if you are convinced that that person has the key, that could be proven, or that they know the passcode to that safe deposit box, then the foregone conclusion doctrine would still apply. So it is something where we do have a relative agreement between the analog and the digital world.

There are a couple of interesting unanswered questions here. What do you do if law enforcement are not sure who owns a particular device? And could you perhaps be getting incriminating information on somebody else because your friend was borrowing your phone or something like that? So there's that question. What if somebody has a burner phone and, you know, it's not connected to their real name? They, you know, could make a plausible claim that doesn't really belong to them. It belongs to somebody else. I think those questions remain unanswered by the logic in this case. And I think because we've seen disagreement among state courts on this, this is something I think eventually is going to make it up to the U.S. Supreme Court. Federal courts have had their own disagreements on compelled decryption and entering passcodes in the context of the Fifth Amendment. And I think eventually the Supreme Court is going to have to resolve these disagreements.

Any speculation for how that might go?

It is a fool's errand to try and speculate on Supreme Court jurisprudence, especially in areas that aren't neatly politicized like this one. But there are a couple of justices across ideologies who have recognized a person's privacy interests, enhanced privacy interests in a cell phone. So this case invokes Riley v. California, a 2014 case where the Supreme Court says the government needs a warrant to access your cell phone. So that, you know, this state Supreme Court ruling would seem to kind of go against the spirit of Riley. Although here, you know, this is simply about putting, entering in one's passcode. It's not actually gaining access to the device. But, you know, I think perhaps Riley gives us an indication of how seriously the Supreme Court takes digital devices and smartphones and that those devices, because of the amount of information contained therein, perhaps merit advanced privacy protections in the Constitution.

All right, well, time will tell. We'll see how this continues to play out. It's interesting how different it is depending on what part of the country you're in. We've seen so many different rulings on this.

Yeah, it's really an unanswered question and I hope we get some resolution in the near future.

Yeah. All right. Well, Ben Yelin, thanks for joining us.

Thank you.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Batteries not included. Listen for us on your Alexa smart speaker too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.