CyberWire Daily - Zerologon: hey, patch already. CISA describes China’s cyberespionage techniques (and, hey, patch already). A data breach at the US Department of Veterans Affairs.
Episode Date: September 15, 2020

Details of the Zerologon vulnerability are published, and it seems a serious one indeed. CISA describes Chinese cyberespionage practices--they’re not exotic, but they’re effective. What’s the difference between highly targeted market research and intelligence collection against individuals? Better commercials? Ben Yelin explains a 9th circuit court opinion with 4th amendment implications. Our guest is Exabeam’s Richard Cassidy on why when it comes to insider risk, context is everything. And there’s been a data breach at the VA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/179
Transcript
You're listening to the CyberWire Network, powered by N2K.
Details of the Zerologon vulnerability are published, and it seems a serious one indeed.
CISA describes Chinese cyber espionage practices.
They're not exotic, but they're effective.
What's the difference between highly targeted market research and intelligence collection against individuals?
Better commercials?
Ben Yelin explains a Ninth Circuit court opinion with Fourth Amendment implications.
Our guest is Exabeam's Richard Cassidy on why, when it comes to insider risk, context is everything. And there's been a data
breach at the VA. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 15th, 2020.
have published details of a proof-of-concept exploit for Zerologon, a Windows vulnerability that Microsoft patched last month as CVE-2020-1472 without much fanfare.
The lack of fanfare is understandable.
The problem is potentially a serious one.
As Microsoft put it, quote,
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol, MS-NRPC.
An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
End quote.
The vulnerability was rated critical with the maximum numerical score of 10,
but as the industry press has been saying yesterday and today, few realized how serious the problem was.
ZDNet gives three actions an attacker who exploited Zerologon could take against the victim network.
First, impersonate the identity of any computer on a network when trying to authenticate against the domain controller.
Second, disable security features in the Netlogon authentication process.
And finally, change a computer's password on the domain controller's Active Directory, a database of all computers joined to a domain and their passwords.
An attacker would need access to the network before exploiting Zerologon, but then a lot of attackers succeed in obtaining that sort of access.
Microsoft's August patch is regarded as a preliminary fix,
but organizations are urged to apply it as quickly as possible.
A more comprehensive solution is expected to be out in February.
The U.S. Cybersecurity and Infrastructure Security Agency
has released an advisory on the activities of China's Ministry of State Security,
commonly referred to as the MSS,
and its associated agencies and contractors.
These operations are characterized by collection of open-source intelligence
and by the use of readily available exploits.
There's nothing particularly exotic about the tactics and techniques,
but they've been proven effective nonetheless.
The MSS has tended to concentrate on recently identified vulnerabilities,
hoping to catch organizations that have been laggard in patching.
Some of the issues exploited include Microsoft Exchange Server, CVE-2020-0688,
F5's BIG-IP remote takeover vulnerability, that's CVE-2020-5902,
Pulse Secure VPN's remote code flaw, CVE-2019-11510,
and Citrix VPN's directory traversal problem, CVE-2019-19781.
None of this should be particularly surprising.
There are no style points in intelligence.
If people aren't patching, why bother with expensive zero days?
If people are freely oversharing on social media for all the world to see,
like a deer waggling its antlers at a hunter,
then don't be surprised if the intelligence service takes their shot, deer.
The gap between a vulnerability's disclosure and patching and its exploitation has dropped to a matter of days.
The agency said, quote,
CISA analysts consistently observe targeting, scanning,
and probing of significant vulnerabilities
within days of their emergence and disclosure.
This targeting, scanning, and probing
frequently leads to compromises
at the hands of sophisticated cyber threat actors.
In some cases, cyber threat actors have used the same vulnerabilities
to compromise multiple organizations across many sectors.
But the knowledge that people are watching and probing and trying
should at least lend some additional urgency to applying available patches.
That's part of CISA's point.
As the agency puts it,
maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks. End quote.
While CISA is concerned with countering the activities of an unfriendly intelligence service,
the advice goes equally well as far as hardening an organization against criminal attack is concerned.
Proofpoint researchers this morning reported vulnerabilities that could enable attackers to bypass two-factor authentication in Microsoft Office 365.
Two-factor authentication remains a valuable security measure,
but this news is a useful reminder that it's not a panacea.
Digital Shadows today warned that companies' access keys are being inadvertently exposed
during software development, turning up on GitHub, GitLab, and Pastebin.
Almost half are for database stores.
And finally, the U.S. Department of Veterans Affairs has disclosed that unauthorized parties
accessed one of its applications, and in doing so, obtained personal information belonging to
some 46,000 veterans. The VA's Financial Services Center was the organization affected, and the department
says the breach has now been closed. The motivation was apparently straightforwardly criminal. The
hackers were apparently interested in diverting payments for veterans' medical treatment from the
community health care providers who should have received those payments. The VA is offering the
customary free credit monitoring to those whose Social Security numbers may have been compromised.
The Insider Risk Summit is coming up this week on September 17th,
and the Cyber Wire is a media partner for the event.
During this session, Richard Cassidy and Sam Humphreys will discuss why, in their view,
the standard practice of focusing purely on security alerts won't give you anywhere near the full picture,
and how context will help you understand and tackle the true risk faced by your organization.
Richard Cassidy joins us with a preview.
Well, if we think about kind of the biggest challenges that we're certainly seeing the
world over for any organization, it's all context.
So what better way to start a context-based story with a little bit of a tongue twister
that makes you think, what on earth is that all about?
And you'd be right in asking the question: you need more context to figure out what's actually going on.
So we thought, what an apt start to a context-based discussion.
Well, so we are talking about insider risk management,
and as you mentioned, context.
Can you connect those dots for us there?
I mean, what is the importance of context in this context?
Yeah, absolutely.
So as it pertains to insider risk, we really are in an
industry where data is at an all-time high. It's no longer a commodity. It's something that we're
seeing a hyper proliferation of. So with so much data and so many data points to investigate and
understand, actually what we're missing is the context of what multiple different data points
mean. We talk about insider risk, really talking about when something happens,
if you see an alert of whatever kind, what does it actually mean and why should you care about it?
And that's kind of where context becomes super important.
And how is that context realized?
Well, it's the age-old challenge of the data that you have at your fingertips,
or maybe the data that you do have but haven't quite realized and brought into effect.
So essentially, if you have the right data points and you are able to connect those dots
and build a story that allows you to understand context as it pertains to risk,
whether that risk is security, that's okay.
It may not be security.
It could be audit.
It could be compliance.
That's what's important.
It's making sure that you have the right data points
and that you're actually connecting the dots in the fashion
that gives you the answers you need.
Well, give us a preview of your presentation here.
You've got some interesting topics that you're going to cover.
Absolutely. So we're going to start by really looking at kind of what does context mean. And if you have an understanding
of context and a security perspective, we're going to really augment and enhance that. We're going to
talk about the data points that make context more interesting and how you kind of gather them and
the pitfalls to avoid, and then how you evolve from that kind of single-track, context-based investigation and discovery into multi-track. And what that means is, how do you
get all this data that's sitting everywhere, that's coming in from all these different points,
and actually converge it so you can make sense of it? And, more importantly, on the
final point, how does automation help you get there almost instantaneously? Because at the end of the
day, it's how quick
we can pivot on these risk events that really defines how quickly we can protect the business.
What are you hoping that people come away with after seeing your presentation?
That the challenge that they may be facing from an insider risk perspective is not insurmountable,
and that even though we're seeing cyber criminals and nation-state groups getting far more automated
and even sophisticated, you could argue,
in their breach tactics,
that actually you can start to weaponize
and go on the offensive in terms of your own data capability
to really stay one step ahead
of the insider risk management game.
That's Richard Cassidy from Exabeam.
You can check out his presentation
at this week's Insider Risk Summit.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security
and also my co-host over on the Caveat podcast.
Ben, always great to have you back.
Good to be with you again, Dave.
So you are following some interesting rulings from the Ninth Circuit Court.
This has some Fourth Amendment implications.
Give us the background here.
What's going on?
So we've talked about this on this show and on our Caveat podcast as well.
This relates to the Call Detail Records Program, one of the programs uncovered in the Edward
Snowden leaks in 2013, where we found out that the government was collecting nearly
all domestic phone metadata
from the major phone carriers in this country. I should note that the program was actually
largely discontinued in 2015, but this case concerned the program as it existed prior to
that point. It concerned an individual who was a Somali immigrant living in the United States,
so he was a U.S. person. Some of the evidence used to obtain
this person's conviction for giving material support to a designated terrorist group was
obtained using called metadata records. So they had a record of his cell phone number calling a
suspected terrorist overseas, and that was part of the evidence used against Mr. Moalin; Moalin was the name
of the criminal suspect. He was convicted and appealed his conviction. And the Ninth Circuit
came down with a ruling that said that the collection of bulk metadata under Section 215
of the USA Patriot Act is very likely to be unconstitutional. They didn't come out with a definitive ruling
because they also said that even without this evidence, this metadata, they likely would have
been able to sustain the conviction regardless. But they did go on at length about why they thought
this program was unconstitutional. So I know we've talked about this extensively, but generally these
types of cases are governed by what's called the third-party doctrine, where you lose your reasonable expectation of privacy a bunch of other courts, is that the nature of metadata or these types of records now is so fundamentally different than it was 40 years ago that the laws really have to change.
Whereas in 1979, we're talking about putting a pen register on one phone, tracking which phone number an individual dials in one circumstance,
that's very different from what we have now,
where you could get a pretty encompassing record of a person's life
just by perusing that metadata.
And not only does it apply to the person that you intended to surveil,
but also the individuals communicating with that person.
So it potentially has a broader reach as well.
So the tangible impact of this decision, you know, it's not that significant because the program has already been discontinued.
But I do think this is sort of the final death knell for the call detail records program.
The best evidence yet that it really was, it did represent an unconstitutional search and seizure
under the Fourth Amendment.
Now, there's another element to this as well in terms of notifications.
Yeah, so there's a very interesting part of this case that dealt with giving notice to criminal defendants when the government uses these types of surveillance techniques.
So the way the law exists now is that the government is required to give criminal defendants notice when a warrant has been issued against them, either in the criminal context or even a warrant through the Foreign Intelligence Surveillance Court.
That notice requirement has, until this case, not applied to situations where no warrant has been issued.
Here, they just simply obtained an administrative subpoena.
There was no warrant. And still, the court here says that
law enforcement is required to give notice to the criminal defendant that they used call detail
records to obtain evidence. And this could be a potentially game-changing, groundbreaking movement
in Fourth Amendment jurisprudence, just because we haven't seen this. It opens the door to cases in both the foreign intelligence and criminal context, where even if there's been something that's not
necessarily a Fourth Amendment search, even if it's just a perfectly valid legal inquiry under
a congressionally authorized program, notice is still going to be required to be given to
criminal defendants. And that's something that we're really seeing for the first time.
And worth noting, I suppose, that over on Twitter,
Mr. Snowden himself has been crowing about this decision.
Yeah, he did a little bit of chest thumping.
And you know what?
I think from his perspective, it's merit in the circumstance.
Whatever you think about Edward Snowden,
we're about 50-50 in this country, hero versus traitor. In this circumstance, he really did
effectuate change. I mean, we would not have reformed this program in Congress, nor would we
have had these judicial decisions if it were not for Snowden's decision to reveal the existence of
this program in 2013. Obviously, he has his own motives.
He wants a presidential pardon. I think he wants to move back to the United States.
But, you know, in a narrow sense, he was successful in bringing public attention to
something that he thought was violating our civil liberties. And he can certainly claim
some vindication. All right. Well, Ben Yelin, thanks for joining us. Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time, keep you informed, and it won't fade in the sun.
Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.