In today's podcast, we hear that phishing scams continue to nibble away at bank accounts and reputations: the State of Oregon is among those suffering. Avoid emails promising you leaked pictures of YouTube stars. Chinese espionage against US targets rises. US Intelligence officials worry that failure to play a long game puts the country at a disadvantage with respect to innovation. The Joint Chiefs mull electronic warfare issues. Reality Winner makes a plea agreement in her espionage case. And from ecstasy tablets to Iranian spying is a short sad road. Ben Yelin from UMD CHHS weighs in on the US Supreme Court decision on location data privacy. Guest is Taavi Kotka, former CIO of the Estonian government, discussing that nation’s innovative digital identity system.
Dave Bittner: [00:00:03:16] Phishing scams continue to nibble away at bank accounts and reputations. Avoid emails promising you leaked pictures of you YouTube stars. Chinese espionage against US targets rise. US Intelligence officials worry that failure to play along game puts the country at a disadvantage with respect to innovation. The Joint Chiefs mull electronic warfare issues. Reality Winner makes a plea agreement in her espionage case. The US Supreme Court decides a landmark privacy case. And the journey from ecstasy tablets to Iranian spying is a short, sad road.
Dave Bittner: [00:00:43:12] Now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk, and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect Platform. The products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled, "More is Not More. Busting the myth that more threat Intel feeds lead to better security". It's a common misconception that a large quantity of threat intelligence feeds lead to more effective security. Unfortunately threat feed over indulgence can lead to confusion disorganization, and inaccurate threat reports. Instead of adding more threat Intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account visit, threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:02:02:14] Major funding for the CyberWire Podcast is provided by Cylance. From the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire Summary for Friday June 22nd, 2018.
Dave Bittner: [00:02:14:12] Phishing scammers are showing inability to bypass natural-language-based anti-phishing protections, and induce Office 365 users into compromising their credentials.
Dave Bittner: [00:02:25:01] We're midway through the baseball season, and this prompts us to reflect on an analogy within information security. If zero-day exploits are grand slams, big, damaging, spectacular, and rare, then phishing is small ball. Working the count, hitting away from the shift, pitching to contact, hit-and-run, and so on. And phishing remains a perennial problem in all of its tiresome but successful forms.
Dave Bittner: [00:02:50:05] And what are the phish biting on these days? To move away from our baseball metaphor and back to angling? Leaked images of YouTube star is serving as surprising compelling phishbait. It's especially prevalent in South Korea, but users everywhere should avoid this come-on. There are of course such things as YouTube stars, and there are reportedly leaked and revealing images of those stars. Stay away. Read a good book, take a walk, travel, divert yourself, but don't click.
Dave Bittner: [00:03:24:17] Phishing has more victims that just the unfortunate curious ones who click. The US State of Oregon became aware Monday that an email account using it's Oregon.gov domain had been compromised and used in a massive phishing campaign. The direct damage phishing does to those who fail to recognize and spit the hook is well-known, but those whose accounts and domains are hijacked also suffer. Oregon is still struggling to get its domain removed from the many blacklists to which it was added after the phishing campaign.
Dave Bittner: [00:03:57:06] Chinese espionage against US targets increases as trade tensions between the two countries rise. US officials seem to be experiencing two minor Sputnik-moments, call them Sputnishki. Speaking at the Capitol Hill National Security forum, NSA Deputy Director George Barnes says the US isn't good at playing a long game, unlike adversaries like China. Richard Cardillo, Director of the National Geospatial Agency, substantially agreed, citing quantum computing and cybersecurity as two areas in which US innovation may come too late. China, they say, thinks routinely in twenty-year terms. The Americans do not. They forget and must reinvent, and a tradition of technological progress seems to have bred a distinctive version of Victory Disease. Too much winning can make you think winning will just go on forever.
Dave Bittner: [00:04:54:11] One such victory disease hangover is being felt apparently in the second Sputnishka. General Paul Selva, Vice Chairman of the Joint Chiefs, told the Center for a New American Security that American complacency about encryption and precision timing have enabled peer adversaries to steal a march in electronic warfare. If you rely on technical virtuosity as a magic bullet, you may find yourself outclassed by an opposition that remembers the old slow grind that you've forgotten.
Dave Bittner: [00:05:27:00] NSA and Air Force alumna reality Winner, has agreed to a plea deal over charges related to provision of highly classified documents to the Intercept. The Government said that while she was working as an NSA contractor at Fort Gordon, Georgia, she leaked a top-secret report about Russian meddling in the 2016 Presidential election. Ms Winner was charged under the Espionage Act, and faced ten years in prison, and $250,000 in fines. Her family continues to support her, with her mother telling the Atlanta Journal-Constitution that, "I do know that she has always been ready and will to accept responsibility for any wrongdoing, and that she will accept the consequences." Ms Winner's mother has also tweeted that her daughter is a "hero" and a "true patriot." Making due allowance for maternal love and natural affection, we suppose that is one way of looking at it.
Dave Bittner: [00:06:23:06] Gonen Segev, a former member of Israel's Knesset and once the country's Energy Minister, has been arrested on suspicion of spying for Iran. The arrest caps a post-government career that since the mid-90s has earned him a serious ne'er-do-well's reputation. He was involved in fraud, claiming his bank account had been looted from an ATM. A security camera showed that he himself had withdrawn the cash. Later, in 2004, he tried to smuggle 32,000 tablets of ecstasy into Israel. He did a couple of years in prison when the authorities and the court didn't buy his explanation that in fact the tablets were just a big consignment of M&M candies
Dave Bittner: [00:07:07:10] Segev, who's also a medical doctor, had established a practice in Nigeria. That's where he was recruited by Iranian intelligence services. If you run through the traditional acronym of motives for becoming an agent, MICE, that is money, ideology, compromise, or ego, Segev seems to have been driven by the big M: Money.
Dave Bittner: [00:07:34:10] And now a bit about our sponsors at VMWare. Their trust network for workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect, and remediate. A single open platform approach, data loss prevention policies, and contextual policies get you started. They'll help you move on to protecting applications, access management, and encryption. And they'll round out what they can do for you with micro-segmentation, and analytics. VMWare's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at the cyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. At cyberwire.com/vmware. And we thank VMWare for sponsoring our show.
Dave Bittner: [00:08:32:12] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Help and Homeland Security. Ben, a big day today - the US Supreme Court came down with an important privacy ruling here. Fill us in, what do we have going on?
Ben Yelin: [00:08:47:15] Sure, so the decision is Carpenter v The United States, and this is a decision about cell site location information. So Mr Carpenter was part of a crime syndicate, a ring of people who were robbing, ironically, cell phone stores and as part of a federal investigation into this crime the Government obtained cell-site location information records on the whereabouts of Mr Carpenter. They realized that he was at the location of some of these robberies. They used that information to convict him, and he was sentenced to over 100 years in prison. So Carpenter challenged his arrest on Fourth Amendment grounds, and he said that the Government needs a warrant to obtain a cell-site location information. This presented a novel issue, and that's why it made it up to the Supreme Court. Previously we've been under what we call the third-party doctrine, and you and I have discussed this on length in the past.
Ben Yelin: [00:09:43:20] The Supreme Court has held that if you voluntarily submit information to third parties, that the third parties keep as their business records, then you have forfeited your reasonable expectation of practicing that information. Therefore you do not have any Fourth Amendment protection to that information. There hasn't been a Fourth Amendment search. And what the Supreme court was wrestling with here is whether to extend the third party doctrine to instances like this one where you're not just revealing perhaps one phone number that you dialed, or one bank record that you submitted, but rather a wealth of comprehensive information on your whereabouts, for a relatively long period of time.
Ben Yelin: [00:10:24:03] And the decision that came down today from Chief Justice Roberts, who joined the Courts for more liberal matters, says that the government does in fact need a warrant to obtain your cell-site location information. And this is a massive victory for electric privacy advocates, it's really a ground-breaking case.
Ben Yelin: [00:10:44:16] The decision rests on basically two principles that distinguish the information being collected here from the information that has been collected in previous third party doctrine cases. And what Justice Roberts says is both the breadth, and depth, and the comprehensiveness of the information revealed is just so fundamentally different in this case. Cell-site location information reveals not only your whereabouts, but can give any potential viewer, whether it's somebody in the public, or whether it's the Government, information on your private associations, your religious, or political affiliations. I mean imagine if somebody followed you for a whole week, how much information they could find about you. Whereas in the past we were talking about how much information somebody could find out about you by virtue of dialing one phone number. I mean it's just a fundamental difference in the information that's being submitted and that's, I think the main justification that Justice Roberts is using here.
Ben Yelin: [00:11:46:12] The other justification he talks about, is the fact that in most third-party doctrine cases a person should have full knowledge that they are submitting, or they are transmitting information that's going into the hands of a third party. So for instance, when I make a call on my cell phone, I know that I get a cell phone bill every month, I know that calls are recorded, I know that's gonna be part of AT&T's business records. Here Justice Roberts says it's not so clear cut. People have an idea that their information on they physical location is being collected by the cell phone companies, but we don't really as a society have a fundamental understanding of how that works. There the voluntariness that so fundamental for a third-party doctrine, it's just not really present here.
Ben Yelin: [00:12:36:14] We're not actively pressing a button that submits information to a third-party. And even if you take out that voluntariness equation, even if you think that simply by turning on our cell phones we are voluntarily conveying our information to our cell phone company, and that's potentially to the Government, i's just not really fair to expect that people will go without their cell phones because they don't want the Government to know where they are at all times.
Ben Yelin: [00:13:06:07] Cell phones are such a fundamental part of our lives, we use them for familial relations, we use them in our work life, and our personal life, it wouldn't be realistic to expect people to stop using cell phones just because they would be forfeiting a right to privacy by pressing the on switch. And that's sort of the basis for Justice Roberts’ decision.
Ben Yelin: [00:13:29:19] A couple of notes I would say, there are no bright lines in the decision. I think a lot of scholars were looking for whether there was some sort of determinant factor that would make the transmission of cell-site location information into a fourth amendment search. Perhaps there would be some sort of time requirement. Like if the information was collected over a period of seven days or more, that would constitute a search. There was no bright line like that in this case. And that's something that the four dissenting Justices have really harped on, that this might not be an easy decision for local law enforcement, state law enforcement, or federal law enforcement to follow, because there are no bright line standards. But I think the bottom line, it's a major victory for privacy advocates. Not only do we have a reasonable expectation of privacy, and the location information that we submit to our cell phone companies, but we've cut against this very broad third-party doctrine.
Ben Yelin: [00:14:27:15] There's now an understanding that just because we voluntarily transmit information to a third-party, that doesn't necessarily mean we have forfeited our reasonable expectation of privacy. It has to do with the quality, and the quantity of information that we submit, and whether that submission was in fact voluntary. So I think it's a ground-breaking decision.
Dave Bittner: [00:14:48:18] Ben Yelin, thanks for explaining it to us, I'm sure this is something you and I are going to continue to talk about in days to come. Thanks for joining us.
Ben Yelin: [00:14:56:07] Absolutely, and I apologize for being so long-winded.
Dave Bittner: [00:14:59:03] No, no. it's an important one. But thanks Ben.
Ben Yelin: [00:15:03:00] Thanks Dave, bye bye.
Dave Bittner: [00:15:08:13] And now a few words from our sponsor CYBRIC. There is a rallying cry for cyber resilience, discussions and session topics that RSA 2018 puts cyber resiliency and collaboration front and center. To be effective, security needs to be woven throughout the business and infrastructure, which requires collaboration. What does this really mean for IT, security and development teams day to day? Well Mike Brown, retired rear admiral of the US Navy, and former director cybersecurity coordination for DHS and DOD, discusses the type of collaboration that yields immediate results to teams and the criticality of protecting application infrastructure. Be sure to listen to this insightful recorded webinar which you can find at cybric.io/cyberwire. Check it out. That's cybric.io/cyberwire. And we thank CYBRIC for sponsoring our show.
Dave Bittner: [00:16:16:02] My guest today is Taavi Kotka, he's the former chief information officer for the nation of Estonia where they enjoy a national digital identity system. He's a special advisor to the European commission and is currently CEO of a company called Proud Engineers. Our conversation focuses on Estonia's digital identity system, and how it affects privacy and security.
Taavi Kotka: [00:16:39:24] First of all you have to understand the Estonian IT architecture. So it's a fully distributed solution, and to connect all those different distributed systems, in Estonia every person is a unique identifier, and this unique identifier is used in private sector, in healthcare, in government, basically everywhere. So if we need to get information about the person, we can actually combine different data sets between different sectors, that's the first thing. So we have a very strong base then for data activity. And every Estonian who is older than 15 years old, they have to have a digital identity. So the government demands that everybody has to have digital identity. And in this way, using digital identity we can sign documents, we can authenticate ourselves, open any kind of government portal or private sector portal, so it's very widely used. Actually I have to say that digital identity is quite used. The technology is actually is different, like somebody using body parts, some people using mobile ID, some people use smart IDs. So it's important that everybody has digital identity. It's not so important what the technology they're using.
Dave Bittner: [00:17:59:24] Now where there any privacy concerns that went along with that?
Taavi Kotka: [00:18:03:02] Funny, I always get this question always from US, is there a privacy concern? People think that if everything is digital and everything is connected then they have to give away their privacy. I mean, it might be true if the Government has a dictatorship or they want to have full control over the data, like in China. But Estonia is a democratic country and we believe, like other North European countries, like Sweden or Finland, being digital is actually more privacy protected compared with being a lot of. I mean take an example. Do you know who has looked at your health records in your local hospital that you're using? Give me an honest answer?
Dave Bittner: [00:18:49:21] No, I do not.
Taavi Kotka: [00:18:50:19] But I know. And that's the point. I mean, everything is digital. Yes, every patient record in Estonia is digital. But also like I can see who has looked at it. Not only that they changed it, but also who has looked at. Meaning that I actually have more control over my data compared with you. And that's the point. I mean like if you don't want to be a control freaking dictatorship, you will build a system like is built in Estonia that everybody has a power to see who has accessed or approached their data. If there is no reasonable explanation, this person gets fired, or even goes to jail. And suddenly you become your own big brother. I mean like let's say a policeman or a doctor, yes they have access to your data, actually a certain amount, but they know if they don't have a reason they will be kicked out of the system. They will lose their jobs. So we totally understand that you can build those digital systems, and you can get the benefits of this digital systems but still keep the privacy or even better, you can increase the privacy data protection.
Taavi Kotka: [00:19:57:19] Because for example if there's something in my health record that I don't like, let's say I had some sort of mental problem years ago, I can actually cover it. So even though every doctor can see my data, yes they have to have a reason, but if there's something I truly want to forget and I truly want to cover, I'm allowed to do that. So if you think about it, in this way you can get both -better services and also increased privacy.
Dave Bittner: [00:20:27:17] How does in compare when it comes to things like identity theft?
Taavi Kotka: [00:20:31:01] I'll give an example. If you are able to go to court and prove that somebody has stolen your digital identity, or access your ID card, and you haven't given your PINS to anybody, if you're able to prove that in court, that somebody has stolen your identity the Government takes the liability up to 5 million Euros, and it has never been used.
Dave Bittner: [00:20:54:15] So what are your recommendations, what could the United States for example do to improve our identity systems?
Taavi Kotka: [00:21:01:03] It's actually not the question of the identity system, it's a question do we actually have a pain to solve? The countries think that they want to be digital but if you ask them, why? I mean, I can ask you, why America wants to be digital, like digital Government? Why do you think you actually need that. It's a complicated task, it's difficult, you have to make many compromises with society. And life in US is good, actually it's better than Estonia, so why change? Why do you have to actually do that? I mean at least answer me.
Dave Bittner: [00:21:31:15] Well I suppose there could be cost savings, there could be security advantages, certainly things could be easier. I would love to see for example medical records to be easier to navigate and to share from doctor to doctor.
Taavi Kotka: [00:21:47:01] Okay, but is it painful enough? Is it painful enough to actually start building solutions? That is the point that we make. The pain in your society hasn't reached the moment where it actually basically justifies that, "Okay, we need to do this change now." When you actually articulate that, I have certain pain, and then the only way to solve that is being digital. Then you start thinking how can I solve this problem? And then you'll find out that, "Oh, it seems to be that being digital is actually more privacy protected than being out." But without having that pain, you'll never reach to those questions. So Estonia, the problem already in a lot of North European countries, we actually share the same pain. Our pain is that we have lots of land, and not too many people. So many people live in rural areas, and didn't have physical access to the bank office or Government officer, so they have to use IT solutions like Internet bank or a Government portal, or whatever it is. So we had to push people to use these services. So as we had the pain, and that's why we are more advanced in this field, but you don't have this pain.
Dave Bittner: [00:22:56:21] That's Taavi Kotka, he's the former chief information officer of Estonia.
Dave Bittner: [00:23:06:03] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:23:34:04] The CyberWire Podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs all thorough a single, robust platform. Start Using ThreatConnect Today for Free.
VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more.
CYBRIC is the first to orchestrate and automate code and application security across the DevOps lifecycle. CYBRIC's Continuous Application Security Platform leverages patent-pending technology to seamlessly integrate security into the development process, delivering frictionless security assurance from code commit to application delivery. Learn more.