Dave Bittner: The Intelligence and Security Committee of Parliament has rendered its report on the Russian cyberthreat. Trend Micro reports on the workings of the cybercriminal underground economy. The Twitter hack still looks like a well-executed but half-baked criminal scam. Ben Yelin on U.S. Customs and Border Protection collecting license plate data. Our guest is Kevin O'Brien from GreatHorn on the role of business policies in security to keep users safe during high-risk events. And it turns out that Russia has no hackers whatsoever. Moscow's finance minister says so, so you can take that to the bank.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 21, 2020.
Dave Bittner: The U.K.'s Intelligence and Security Committee of Parliament rendered its long-anticipated report on Russian espionage and cyber operations at Westminster this morning. The redacted report concludes that Russia's aims are primarily negative, paranoid, also fundamentally nihilistic, seeking to disrupt and damage rivals. Moscow's subsidiary positive substantive goals include sustaining its prestige as a great power and preserving its rulers' privileged positions. The committee outlines extensive Russian disinformation operations against the U.K. These have pursued goals observed elsewhere, including the opportunistic exploitation of existing social fissures to erode trust in civil society and the institutions that serve it.
Dave Bittner: Russia is assessed, unsurprisingly, as a highly capable cyber actor with a proven capability to carry out operations which can deliver a range of impacts across any sector. A striking feature of Russia's cyber capability is the close and symbiotic relationship its intelligence and security services enjoy with Russian organized crime. This relationship, which includes corrupt business operations, is seen as so close as to render the gangs, the contractors and the state operators effectively indistinguishable. But the security and intelligence services are the ones calling the shots. The criminals are compromised, suborned and controlled. They understand that they operate at the sufferance of the organs.
Dave Bittner: The committee's recommendations include closer cooperation with allies and new authorities for the intelligence community. In many respects, the report covers similar ground to that surveyed by the U.S. Cyberspace Solarium Commission. The report's title is the single word Russia, but the committee's discussion of Russian activities makes frequent reference to the cyber threats posed by China, Iran and North Korea as well. It expresses a recognition of the difficulty of properly and effectively balancing defensive resources across the four familiar adversaries.
Dave Bittner: The report also makes note of the United Kingdom's development of an effective offensive capability, suitable for deterrence and, when necessary, retaliation. The Committee appreciates that Russia is a hard target for intelligence collection. It also notes that both collection and active cyber offensive measures against Russia carry a distinct risk. Quote, "In the case of Russia, the potential for escalation is particularly potent. The Russian regime is paranoid about Western intelligence activities and is not able to treat objectively international condemnation of its actions. It views any such moves as Western efforts to encourage internal protest and regime change. The risk is compounded by limitations on U.K. engagement with the Russian government at official and political levels, making deciphering Russian leadership intent even more difficult," end quote. And Moscow's centralized decision-making, seen as distinctively shaped by President Putin's personality and style of government, has given Russia a surprising agility in cyber conflict.
Dave Bittner: Her Majesty's Government is also soliciting comment on a proposal to improve the security of the Internet of Things, particularly consumer smart devices. The highlights of the proposed new measures are, as summarized by lot Australia - first, temporarily ban the supply or sale of the product while tests are undertaken; second, permanently ban insecure products if a breach of the regulations is identified; third, serve a recall notice compelling manufacturers or retailers to take steps to organize the return of the insecure product from consumers; and finally, apply to the court for an order for the confiscation or destruction of a dangerous product. Issue a penalty notice imposing a fine directly on a business. Comments are due by September 6.
Dave Bittner: Kevin O'Brien is CEO and co-founder of email security company GreatHorn. He joins us with insights on the role of business policies in security to keep users safe during high-risk events.
Kevin O'Brien: In many ways, what we've seen over the course of the last - call it three months as of the time we're recording this - are examples of the kinds of situations that give rise to social engineering attacks and then, by extension, you know, phishing attacks and security attacks over email as a channel. And that theme is very much, as you said, a broader one than just this current moment.
Dave Bittner: What sort of events rise to be called high-risk events? What sort of things are we talking about here?
Kevin O'Brien: What you're looking for whenever you're talking about social engineering in high-risk events is something that creates a sense of urgency on the victim's behalf. So global events that everybody is nervous about - and the pandemic that we're currently experiencing certainly qualifies - would be a good example case of that. But you can also see it where an organization might have people who are nervous about their taxes.
Kevin O'Brien: So every year you get a spate of phishing attacks that are focused around tax season - your W-2 is attached. Why? Because money is involved - and that's something that creates a sense of urgency. Oh, my taxes are due, or I owe tax - owe on my taxes, or I'm going to get paid money from the government because I overpaid. People are inherently like, I want to go look at that right now. So money, health, family, jobs status - those are all the sorts of things that create high-risk moments.
Kevin O'Brien: And social engineers and attackers who get this understand how to condition people to certain responses. And it's trivial to send you an email that says, oh, I've got your COVID-19 update from the boss. But you know, more advanced and sophisticated attackers will do this over the course of days or weeks or months, and you don't even realize you're being played. It's just another con. And it can be a short con or a long con. Email is just a convenient delivery mechanism because every professional has an email address.
Dave Bittner: So what's the solution for an organization here? Are there technical solutions? Does it come down to training? How do we dial in a response here?
Kevin O'Brien: There are so many vendors out there who claim that they have some thing that they'll sell you and it's going to solve the problem, and it's really just honestly insane to think that that's the case. The problem is, there's no one thing that you do. There is almost this assumption that this is a problem that can't be solved because it's difficult to solve.
Kevin O'Brien: And you know, I think that for the listeners, that is really the thing that we need to challenge - the assumption that this is an intractable problem - because it is not. And I think that overcoming that fatigue is the story behind the story. Why are things like COVID-19 emails out there? Because they work - but we can still address that. We can do better, but we do better by thinking about this strategically and laying out a defense, in-depth strategy around security posture rather than, here's a thing you can buy. And I think that's the underlying point that, really, I would underscore for your listeners.
Dave Bittner: That's Kevin O'Brien from GreatHorn.
Dave Bittner: Researchers at security firm Trend Micro today issued a report on the underworld's cybercriminal economy. The principal offering seen in fora catering to criminal customers are dedicated and virtual hosting providers; service protection and anonymization providers; additional infrastructure provision, such as in-browser botnet services, IoT hosting, telecommunications; legitimate services used for malicious purposes, such as cloud services, dynamic DNS hosting and SSL certificate provisioning and so on. There is some overlap between criminal-to-criminal fora and those dedicated to gaming, online marketing and search engine optimization.
Dave Bittner: So how do buyers and sellers find one another? Through familiar forms of online marketing - Trend Micro says, quote, "Like any business that sells goods and services to potential buyers, criminal sellers also advertise. Sellers use different platforms to promote their products and services - chat channels, hacking forums and social media posts," end quote. So as always, it pays to advertise.
Dave Bittner: And finally, to return to the U.K.'s new report on Russian cyber operations, for its part, TASS is authorized to disclose that all that stuff in the Intelligence and Security Committee of Parliament's report on Russia is a bunch of hooey - that there are no Russian hackers. Quote, "There are no hackers working for the Russian government, so our government does not consider any actions by hackers, nor does it coordinate them," end quote. That's from Russia's finance minister Anton Siluanov. He added that Russia was developing its own COVID-19 vaccine and therefore had no need to steal anyone else's which, besides, it also did not do. And by the way, the inflated cyber hysteria isn't going to slow down Russia's vibrant and growing economy. In a nice touch, TASS sources its story to an interview Mr. Siluanov gave to CNBC. All politics may be local, but all news seems to be global.
Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, great to have you back.
Ben Yelin: Good to be with you again, Dave.
Dave Bittner: Article came by - this is from the folks over at TechCrunch, written by Zack Whittaker. And it's titled "CBP Says It's Unrealistic for Americans to Avoid Its License Plate Surveillance." These are our friends over at the U.S. Customs and Border Protection Agency. Bring us up to date here, Ben. What's going on?
Ben Yelin: Well, I hope you really have friends over there because...
Dave Bittner: (Laughter).
Ben Yelin: ...Otherwise, you know, we're both going to be subject to a lot of data collection.
Dave Bittner: Yeah.
Ben Yelin: So this is about license plate readers. CBP purchases data from commercial license plate readers all across the country. They aggregate that data from some commercial companies, some private companies but also some public sources - so law enforcement, security cameras. And this is to augment its border enforcement efforts. Now, you think this would be limited to the area around the border or maybe, you know, 100 miles from our southern and northern border.
Dave Bittner: Right.
Ben Yelin: But from - what this disclosure is saying is it actually exists all over the country; that in order to fulfill their obligations, this agency - CBP - is collecting license plate data even if individuals are not close to the border at all. And the message they're sending users here is there's really no way to protect your privacy. Your license plate, if you decide to drive on the road, is going to be collected and put in this database. And there's really not much you can do about it. We now have the technology so that cameras can capture thousands of license plates every minute. It's a great way to track the location of vehicles and persons inside those vehicles.
Ben Yelin: And, you know, this is sort of a warning shot on the part of Customs and Border Protection, saying, don't come to us in court saying you had an expectation of privacy because you do not. We're collecting a lot of information. We're scanning it. There's not much you can do about it unless you decide to never go on the roads at all. So not great from the perspective of the average person who's just going to get their groceries and doesn't want, you know, to be caught by a license plate reader.
Dave Bittner: Yeah. I have to say, as someone who initially had raised eyebrows over the CBP's 100-mile border zone, which is basically this - you know, this range near any border 100 miles from any border, which puts a huge percentage of the U.S. population in their sights...
Ben Yelin: It sure does. Yes.
Dave Bittner: ...All the time because, you know, cities - surprise, surprise. Cities pop up near port towns.
Ben Yelin: Yeah - shocker.
Dave Bittner: Yeah. So for those of us who are skeptical of that, to see that they have extended their reach to everywhere (laughter), it - that - my eyebrows are near the back of my head now.
Ben Yelin: Yeah. I mean, I think it's - from their perspective, it's one of the things that we have to accept about modern life. I mean, the individual representative from CBP who is interviewed here said, look. I can't protect myself from speed cameras. If I'm going on the road and there's a speed camera there, they're going to take a picture, you know, if I go 40 miles an hour in a 25 mile an hour zone. And that's exactly what's happening here.
Ben Yelin: And the essence of that is something we've talked about - that as far as the legal system is concerned, if you put yourself in public, you know, whatever is collected about you really from any source - whatever is collected about you from a security camera, from a law enforcement officer with binoculars - is fair game to be used in future criminal proceedings. And the warning here is basically saying, you don't have any way to protect yourself. If you're going somewhere to commit a crime or to violate the policies of the Department of Homeland Security or our immigration services and you're, you know, doing that in a car, we're going to catch you because our system is that ubiquitous. And, you know, I hate to see these circumstances where the public is basically told there's nothing that can be done to protect their private information.
Ben Yelin: Now, there are some mitigation efforts involved in this. They say that, you know, the only time they'll actually search these databases is if there's, quote, "circumstantial evidence" that some sort of criminal activity or illegal activity has occurred. That's a pretty low bar to obtain that information. And they said that they only keep the data for five years. But when I think about where I was five years ago, it kind of seems like a long time to me. So...
Dave Bittner: So do they need a warrant?
Ben Yelin: Absolutely not. No warrant is required because of this so-called plain view doctrine. This was something that was observed, albeit something observed by an artificial system, not by a human being. But it was observed in public. And when you expose yourself in public and you don't make any attempt to conceal your identity, then there is no violation of your expectation of privacy, of your reasonable expectation of privacy. And therefore, there is no Fourth Amendment event.
Dave Bittner: Yeah. Boy, it's interesting because I guess we get into that whole thing of driving a motor vehicle is a privilege, not a right. And, you know, if I'm walking around on the street, I may put on a hat and some sunglasses to try to maintain my privacy. But if I cover up my license plate, that's going to draw even more attention to me...
Ben Yelin: Yeah.
Dave Bittner: ...On the road.
Ben Yelin: You're probably going to get pulled over. That's something I do not recommend doing.
Dave Bittner: All right. Well, again, the article's written by Zack Whittaker over on TechCrunch. It's titled "CBP Says It's Unrealistic for Americans to Avoid Its License Plate Surveillance." Ben Yelin, thanks for joining us.
Ben Yelin: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.