The CyberWire Daily Podcast 9.15.20
Ep 1173 | 9.15.20

Zerologon: hey, patch already. CISA describes China’s cyberespionage techniques (and, hey, patch already). A data breach at the US Department of Veterans Affairs.


Dave Bittner: Details of the Zerologon vulnerability are published, and it seems a serious one, indeed. CISA describes Chinese cyber-espionage practices. They're not exotic, but they're effective. What's the difference between highly targeted market research and intelligence collection against individuals? Better commercials? Ben Yelin explains a 9th Circuit Court opinion with Fourth Amendment implications. Our guest is Exabeam's Richard Cassidy on why, when it comes to insider risk, context is everything. And there's been a data breach at the VA.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 15, 2020. 

Dave Bittner: Secura researchers have published details of a proof-of-concept exploit Zerologon, a Windows vulnerability that Microsoft patched last month as CVE-2020-1472 without much fanfare. The lack of fanfare is understandable. The problem is potentially a serious one. 

Dave Bittner: As Microsoft put it, quote, "an elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon remote protocol, MS-NRPC. An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access," end quote. 

Dave Bittner: The vulnerability was rated critical, with the maximum numerical score of 10. But as the industry press has been saying yesterday and today, few realized how serious the problem was. 

Dave Bittner: ZDNet gives three actions an attacker who exploited Zerologon could take against the victim network. First, impersonate the identity of any computer on a network when trying to authenticate against the domain controller. Second, disable security features in the Netlogon authentication process. And finally, change a computer's password on the domain controller's Active Directory, a database of all computers joined to a domain and their passwords. 

Dave Bittner: An attacker would need access to the network before exploiting Zerologon, but then a lot of attackers succeed in obtaining that sort of access. 

Dave Bittner: Microsoft's August patch is regarded as a preliminary fix, but organizations are urged to apply it as quickly as possible. A more comprehensive solution is expected to be out in February. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency has released an advisory on the activities of China's Ministry of State Security, commonly referred to as the MSS, and its associated agencies and contractors. These operations are characterized by collection of open-source intelligence and by the use of readily available exploits. There's nothing particularly exotic about the tactics and techniques, but they've been proven effective nonetheless. 

Dave Bittner: The MSS has tended to concentrate on recently identified vulnerabilities, hoping to catch organizations that have been laggard in patching. Some of the issues exploited include Microsoft Exchange Server, CVE-2020-0688, F5's BIG-IP remote takeover vulnerability - that's CVE-2020-5902 - Pulse Secure VPN's remote code flaw, CVE-2019-11510, and Citrix VPN's directory traversal problem, CVE-2019-19781. 

Dave Bittner: None of this should be particularly surprising. There are no style points in intelligence. If people aren't patching, why bother with expensive zero-days? If people are freely oversharing on social media for all the world to see like a deer waggling its antlers at a hunter, then don't be surprised if the intelligence service takes their shot, deer. 

Dave Bittner: The gap between a vulnerability's disclosure and patching and its exploitation has dropped to a matter of days. The agency said, quote, "CISA analysts consistently observed targeting, scanning and probing of significant vulnerabilities within days of their emergence and disclosure. This targeting, scanning and probing frequently leads to compromises at the hands of sophisticated cyberthreat actors. In some cases, cyberthreat actors have used the same vulnerabilities to compromise multiple organizations across many sectors," end quote. 

Dave Bittner: But the knowledge that people are watching and probing and trying should at least lend some additional urgency to applying available patches. That's part of CISA's point. As the agency puts it, "maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks. If critical vulnerabilities remain unpatched, cyberthreat actors can carry out attacks without the need to develop custom malware and exploits or use previously unknown vulnerabilities to target a network," end quote. 

Dave Bittner: While CISA is concerned with countering the activities of an unfriendly intelligence service, the advice goes equally well as far as hardening an organization against a criminal attack is concerned. 

Dave Bittner: Proofpoint researchers this morning reported vulnerabilities that could enable attackers to bypass two-factor authentication in Microsoft Office 365. Two-factor authentication remains a valuable security measure, but this news is a useful reminder that it's not a panacea. 

Dave Bittner: Digital Shadows today warned that companies' access keys are being inadvertently exposed during software development, turning up on GitHub, GitLab and Pastebin. Almost half are for database stores. 

Dave Bittner: And finally, the U.S. Department of Veterans Affairs has disclosed that unauthorized parties accessed one of its applications and in doing so obtained personal information belonging to some 46,000 veterans. The VA's Financial Services Center was the organization affected, and the department says the breach has now been closed. The motivation was apparently straightforwardly criminal. The hackers were apparently interested in diverting payments for veterans' medical treatment from the community health care providers who should have received those payments. The VA is offering the customary free credit monitoring to those whose Social Security numbers may have been compromised. 

Dave Bittner: The Insider Risk Summit is coming up this week on September 17, and the CyberWire is a media partner for the event. During this session, Richard Cassidy and Sam Humphries will discuss why, in their view, the standard practice of focusing purely on security alerts won't give you anywhere near the full picture and how context will help you understand and tackle the true risk faced by your organization. Richard Cassidy joins us with a preview. 

Richard Cassidy: Well, if we think about kind of the biggest challenges that we're certainly seeing the world over for any organization, it's all context. So what better way to start a context-based story with a little bit of a tongue twister that makes you think, what on earth is that all about? And you'd be right in asking the question. You need more context to figure out what's actually going on. So we thought, what an apt start to a context-based discussion. 

Dave Bittner: Well, so we are talking about insider risk management and, as you mention, context. Can you connect those dots for us there? I mean, what is the importance of context in this context? 

Richard Cassidy: Yeah, absolutely. So as it pertains to insider risk, we really are in an industry where data is at an all-time high. It's no longer a commodity; it's something that we're seeing a hyperproliferation of. So with so much data and so many data points to investigate and understand, actually what we're missing is the context of what multiple different data points mean. 

Richard Cassidy: When we talk about insider risk, we're really talking about when something happens. If you see an alert of whatever kind, what does it actually mean, and why should you care about it? And that's kind of where context becomes super important. 

Dave Bittner: And how is that context realized? 

Richard Cassidy: Well, it's the age-old challenge of the data that you have at your fingertips, or maybe the data that you do have but haven't quite realized and brought into effect. So essentially, if you have the right data points and you are able to connect those dots and build a story that allows you to understand context as it pertains to risk, whether that risk is security - that's OK. It may not be security, could be audit; it could be compliance - that's what's important. It's making sure that you have the right data points and that you're actually connecting the dots in the fashion that gives you the answers you need. 

Dave Bittner: Well, give us a preview of your presentation here. You've got some interesting topics that you're going to cover. 

Richard Cassidy: Absolutely. So we're going to start by really looking at kind of, what does context mean? And if you have an understanding of context in a security perspective, we're going to really augment and enhance that. We're going to talk about the data points that make context more interesting and how you kind of gather them and the pitfalls to avoid - and then how you evolve from that kind of single-track context-based investigation discovery into multitrack. 

Richard Cassidy: And what that means is, how do you get all this data that's sitting everywhere, that's coming in from all these different points and actually converge it so you can make sense of it? And actually, more importantly and on the final point, how does automation help you get there almost instantaneously? - because at the end of the day, it's how quick we can pivot on these risk events that really defines how quickly we can protect the business. 

Dave Bittner: What are you hoping that people come away with after seeing your presentation? 

Richard Cassidy: That the challenge that they may be facing from an insider risk perspective is not insurmountable and that even though we're seeing cybercriminals and nation-state groups getting far more automated and even sophisticated, you could argue, in their breach tactics, that actually you can start to weaponize and go on the offensive in terms of your own data capability to really stay one step ahead of the insider risk management game. 

Dave Bittner: That's Richard Cassidy from Exabeam. You can check out his presentation at this week's Insider Risk Summit. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: So you are following some interesting rulings from the 9th Circuit Court. This has some Fourth Amendment implications. Give us the background here. What's going on? 

Ben Yelin: So we've talked about this on this show and on our "Caveat" podcast as well. This relates to the call detail records program, one of the programs uncovered in the Edward Snowden leaks in 2013 where we found out the government was collecting nearly all domestic phone metadata from the major phone carriers in this country. 

Ben Yelin: I should note the program was actually largely discontinued in 2015, but this case concerned the program as it existed prior to that point. It concerned an individual who was a Somali immigrant living in the United States. So he was a U.S. person. 

Ben Yelin: Some of the evidence used to obtain this person's conviction for giving material support to a designated terrorist group was obtained using call metadata records. So they had a record of his cellphone number calling a suspected terrorist overseas, and that was part of the evidence used against - Mr. Moalin was the name of the criminal suspect. 

Ben Yelin: He was convicted and appealed his conviction. And the 9th Circuit came down with a ruling that said that the collection of bulk metadata under Section 215 of the USA Patriot Act is very likely to be unconstitutional. They didn't come out with a definitive ruling because they also said that even without this evidence, this metadata, they likely would have been able to sustain the conviction regardless. But they did go on at length about why they thought this program was unconstitutional. 

Ben Yelin: So I know we've talked about this extensively, but generally, these types of cases are governed by what's called the third-party doctrine, where you lose your reasonable expectation of privacy when you willingly submit data to a third party, like a phone company. And that's been a precedent for about 40 years now. 

Ben Yelin: What the court is saying here - and this echoes what we've seen from a bunch of other courts - is that the nature of metadata or these types of records now is so fundamentally different than it was 40 years ago that the laws really have to change. Whereas in 1979, you know, we're talking about putting a pen register on one phone, you know, tracking which phone number an individual dials in one circumstance, that's very different from what we have now, where you could get a pretty encompassing record of a person's life just by perusing that metadata. And not only does it apply to the person that you intend it to surveil, but also the individuals communicating with that person. So it potentially has a broader reach as well. 

Ben Yelin: So the tangible impact of this decision - you know, it's not that significant because the program has already been discontinued. But I do think this is sort of the final death knell for the call detail records program, the best evidence yet that it really was - it did represent an unconstitutional search and seizure under the Fourth Amendment. 

Dave Bittner: Now, there's another element to this as well in terms of notifications. 

Ben Yelin: Yeah, so there's a very interesting part of this case that dealt with giving notice to criminal defendants when the government uses these types of surveillance techniques. 

Ben Yelin: So the way the law exists now is that the government is required to give criminal defendants notice when a warrant has been issued against them, either in the criminal context or even a warrant through the Foreign Intelligence Surveillance Court. That notice requirement has, until this case, not applied to situations where no warrant has been issued. Here, they just simply obtained an administrative subpoena. There was no warrant. And still, the court here says that law enforcement is required to give notice to the criminal defendant that they used call detail records to obtain evidence. 

Ben Yelin: And this could be a potentially game-changing, groundbreaking movement in Fourth Amendment jurisprudence just because we haven't seen this. It opens the door to cases in both the foreign intelligence and criminal context where even if there's been something that's not necessarily a Fourth Amendment search, even if it's just a perfectly valid legal inquiry under a congressionally authorized program, notice is still going to be required to be given to criminal defendants. And that's something that we're really seeing for the first time. 

Dave Bittner: And worth noting, I suppose, that over on Twitter, Mr. Snowden himself has been crowing about this decision. 

Ben Yelin: Yeah, he did a little bit of chest thumping. And you know what? I think from his perspective, it's merited in the circumstance. Whatever you think about Edward Snowden - we're about 50-50 in this country, hero versus traitor - in this circumstance, he really did effectuate change. I mean, we would not have reformed this program in Congress, nor would we have had these judicial decisions if it were not for Snowden's decision to reveal the existence of this program in 2013. 

Ben Yelin: Obviously, he has his own motives. He wants a presidential pardon. I think he wants to move back to the United States. But, you know, in a narrow sense, he was successful in bringing public attention to something that he thought was violating our civil liberties. And he can certainly claim some vindication. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it won't fade in the sun. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.