The CyberWire Daily Podcast 12.8.20
Ep 1229 | 12.8.20

IoT supply chain vulnerabilities described. Spyware in the hands of drug cartels. National security and telecom equipment. US NDAA includes many cyber provisions. Fraud as a side hustle.


Dave Bittner: AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland's Parliament approves exclusion of telecom equipment on security grounds. The U.S. National Defense Authorization Act's cyber provisions. Online fraud seems to become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 8, 2020.

Dave Bittner: Researchers at Forescout this morning released a report on a set of TCP/IP vulnerabilities they're calling AMNESIA:33, the 33 referring to the number of vulnerabilities they found. Four they consider critical. And in general, the issues are believed to broadly and deeply affect Internet of Things devices. SC Magazine says that the US Department of Homeland Security is expected to release a report on the vulnerabilities soon, perhaps as early as today.

Dave Bittner: The problems are believed to pervade the IoT supply chain. Many manufacturers may well be unaware that their products are affected. The AMNESIA:33 vulnerabilities are propagated through third-party software that's used in components of all manner of smart devices, from, as SC Magazine puts it, printers to picosatellites, from the home office to low-Earth orbit. 

Dave Bittner: Both Haaretz and the Guardian are reporting on Forbidden Stories' Cartel Project, which describes the ways in which Mexican police, users of NSO Group's lawful intercept products, have allegedly been reselling that technology to drug cartels, which in turn have used the spyware to monitor journalists and other third parties. Some of the allegations are attributed to sources in the U.S. Drug Enforcement Agency. 

Dave Bittner: The story is dismaying but ought not to be entirely surprising. If weapons can find their way from police lockers to criminal gangs, why should tech tools be any different? The reports stress the threat to journalists and the chilling effect that can be expected to have on news coverage of the cartels. 

Dave Bittner: Reuters reports another setback for Chinese telecom hardware providers like Huawei. Finland's Parliament yesterday passed legislation that permits the authorities to exclude telecommunications equipment from the country's networks if such equipment is determined to represent a security threat. 

Dave Bittner: According to The Washington Post, despite the prospect of a presidential veto, the US House appears ready to pass the National Defense Authorization Act. CyberScoop summarizes the significant cybersecurity measures the NDAA includes. They call it the biggest cyber bill ever. 

Dave Bittner: While much of the attention the bill has received surrounds its reestablishment of a White House cyber coordinator position, the Cybersecurity and Infrastructure Security Agency is, as CyberScoop says, a major beneficiary. CISA gains authority to issue administrative subpoenas to ISPs when the agency detects security vulnerabilities but can't track the owner down. The law also gives CISA authority for excessive threat hunting within the federal government's networks. The Department of Homeland Security has long held responsibility for the dot-gov top-level domain. 

Dave Bittner: CISA will get a Joint Cyber Planning Office, and the agency's director is told to appoint a cybersecurity director for each state. This last provision is intended to improve coordination between state and federal agencies. 

Dave Bittner: The law leaves some matters, including some of the recommendations of the Cyberspace Solarium Commission, untouched. It won't address, for example, the proliferation of congressional committees with competing oversight responsibilities for cyber. Nor did it take up the Solarium advice to amend Sarbanes-Oxley to make it more explicit with respect to cybersecurity risk assessment. But, of course, not all things are best dealt with in what is, after all, a defense authorization bill. On balance, the act is noteworthy for what it sought to address. 

Dave Bittner: The security predictions emerging this week continue to emphasize the ways in which the continuing trend toward remote work and migration to the cloud will open new opportunities for criminals. Trend Micro, for example, in addition to predicting more criminal attention to APIs, also forecasts that enterprise software and cloud applications used for remote work will be hounded by critical-class bugs. 

Dave Bittner: And while many are remarking on the growing sophistication of attackers, Onfido notes a contrary or perhaps complementary trend - a lot more skids getting into the criminal game as low-skill amateurs find that the barriers to online fraud have dropped. Fraud, Onfido says, has become the new side hustle - where once you might have, for example, tutored or sold cupcakes or babysat or done a little freelance writing, now you may find yourself tempted over to the dark side, and you try ways of winkling people out of a little cash. You don't have to know very much, and maybe, we speculate, the curious disinhibition that leads people to disport themselves in cyberspace in ways they'd never even consider in kinetic space. So you take up fraud. How hard can it be? Not very - and so broad is the path that leads to perdition. Don't go there. 

Dave Bittner: One of the things the researchers point out is that the time during which the fraud attempts occur no longer approximates the 9-to-5 hours that a lot of professional criminals have kept. And that, too, is consistent with a side hustle. It used to be called moonlighting for a reason. 

Dave Bittner: Another point Onfido makes is that consumer online behavior has shifted enough during this time of widespread lockdown, isolation and distancing that we're finding it more difficult to recognize suspicious behavior. Some of the older markers aren't seeming quite so reliable anymore. Our behavioral assessments need to catch up with this unfortunate new normal. 

Dave Bittner: And finally, ZDNet reports that 2,732 PickPoint package delivery lockers across Moscow were opened by a criminal who hacked the PickPoint app. Landlords and guards responded quickly to keep an eye on obviously malfunctioning lockers. PickPoint is a purveyor of secure lockers users can lock and unlock with an app. 

Dave Bittner: Russian security organizations and, by implication, law enforcement organizations take a lot of grief, and often rightfully so, but this is one case where we are happy to wish the Moscow militsiya good hunting. 

Dave Bittner: A popular feature on Microsoft Windows systems is Group Policy, which enables centralized management and configuration of operating systems, applications and user settings in an Active Directory environment. But, of course, anything that provides centralized control over multiple user accounts and settings has the potential for abuse. 

Dave Bittner: Darren Mar-Elia is vice president of products at Semperis, a company that provides directory threat monitoring, detection and response services. Darren, welcome to the show. 

Darren Mar-Elia: Thanks. It's great to be here. 

Dave Bittner: Can you give us a little explanation of what exactly Group Policy is and how it leads to potential problems? 

Darren Mar-Elia: Yeah, for sure. So many, many, many organizations out in the world have deployed Microsoft's Active Directory, and with Active Directory came free and in the box, so to speak, Group Policy. Group Policy is the ability to deploy configuration to Windows desktops and servers, and it's been out there for as long as AD's been out there. It is broadly used to do things like locking down users' desktops, configuring their browser. But most importantly, it's also used for security hardening of Windows servers and desktops - so in other words, setting security settings to reduce the Windows desktop or server from an attack surface perspective. 

Dave Bittner: And so what's the potential problem there? 

Darren Mar-Elia: So the potential problem is actually not dissimilar to the problems that we're seeing with Active Directory today. So Group Policy, because it defines - in a lot of organizations, it defines the security hardening, you know, who has administrative access to which machines and is also world readable to anyone who is a valid user in Active Directory. It provides a road map for sort of seeing where the interesting stuff is from an attacker's perspective. 

Dave Bittner: You know, I'm imagining in larger organizations that merely the process of auditing this can be, you know, quite something to contend with. I mean, are there - is this something that you can come at with a certain level of automation? 

Darren Mar-Elia: Yeah, there's definitely some steps you can take for monitoring against this. What's interesting is that Microsoft doesn't make this easy out of the box. So by default, the Windows security event logs will tell you that something has changed in a Group Policy object, but it won't tell you what has changed. 

Dave Bittner: (Laughter). 

Darren Mar-Elia: So you need extra software to determine that. 

Darren Mar-Elia: And to make it even more challenging, when an attacker gets access to this environment, the tooling has gotten sophisticated enough so that they're not using normal Microsoft APIs to make changes to these Group Policy objects. They're just writing settings directly into the settings storage in what's called SYSVOL in the file system on the domain controller. And this will bypass most auditing solutions that are just looking for changes to the Group Policy objects being made using normal tools. So you have to look for that kind of change in addition to, you know, the typical, you know, normal AD-based change to Group Policy. 

Darren Mar-Elia: So I've been working with Group Policy for many, many years, and it was actually surprising to me to see Group Policy being abused in the wild. I always considered it to be a theoretical possibility, but to see it actually being done really kind of woke me up around this problem. 

Darren Mar-Elia: And I encourage everyone to not take this for granted - that their Group Policy environment is safe. It is happening, and I encourage people to take the problem as seriously as they take the problem of hardening their Active Directory itself. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: You have done the heavy lifting for us here by sitting through the arguments in front of the Supreme Court about the Computer Fraud and Abuse Act. Give us the lowdown here. First, how about a little quick background as - what is this case, and how did it make its way all the way up to the Supreme Court? 

Ben Yelin: So, yes, I did listen to oral arguments in the case of Van Buren v. United States. It was a good couple of hours on C-SPAN on Monday. This is a case dealing with the Computer Fraud and Abuse Act. And it's actually the first CFAA case that's made its way all the way up to the Supreme Court. 

Ben Yelin: Just as a little bit of background, this act imposes civil and criminal liability for unauthorized access to computers. It's a law that was enacted in the 1980s, originally enacted to address hacking. But it also has this provision that prevents unauthorized access to particular materials, websites, et cetera, even if somebody has authorized access to the network or the computer itself. So it prohibits individuals from exceeding authorized access. And that's what's at issue in this case. 

Ben Yelin: So there was a police officer in Georgia, Nathan Van Buren, who had access to computerized records about license plates just because he was a law enforcement officer. But an FBI agent was interested for his own purposes in gaining access to that database. And it appears as if he paid off Mr. Van Buren to do a search for him. Mr. Van Buren was criminally prosecuted. And he appealed his conviction, which made its way up to the Supreme Court. 

Ben Yelin: Oral arguments were really interesting. The attorney for Mr. Van Buren was arguing that if we have an overbroad interpretation of this provision about exceeding authorized access, that would lead to what the justices referred to as a parade of horribles, a bunch of scenarios where we're criminalizing behavior that pretty much all of us engage in, so accessing Facebook or Instagram on our employer's network or, you know, on a work computer. One of the things they mentioned is somebody posting false information on a dating website. These are the types of things, in the view of Van Buren's attorney, that would be criminalized if we had such a broad interpretation of the Computer Fraud and Abuse Act. 

Ben Yelin: What the government's attorney was saying, conversely, is if we were to not criminalize this type of behavior, that would also set up its own slippery slope. So, for example, we could have people who work for federal agencies who have access to, you know, personal health information. Maybe you work for the Centers for Medicare & Medicaid Services, and, you know, you try to check out some information on your ex-girlfriend or ex-boyfriend. If we don't have a broad interpretation of the Computer Fraud and Abuse Act, according to this attorney, then that type of behavior might be legalized. 

Ben Yelin: So it's always a dangerous game to try and glean out what the result is going to be from oral arguments, but I'll do my best. 

Dave Bittner: (Laughter) That's never stopped you before, right (laughter)? 

Ben Yelin: It's never stopped me before. I will always opine. 

Ben Yelin: It seemed like at least a few justices, including liberals like Justice Sotomayor and conservatives like Justice Gorsuch, were more inclined to side with Van Buren, saying that this overbroad interpretation of the Computer Fraud and Abuse Act would lead to an undue expansion in criminality among federal statutes and would, you know, contribute to a trend where the federal government is just criminalizing too much innocuous behavior. 

Ben Yelin: It seems to be that there are at least a couple of justices, specifically Justice Alito, who is perhaps more amenable to the government's argument. So we could see a split decision here. 

Ben Yelin: But I think overall, the justices were skeptical of having such a broad interpretation because of, you know, even if this - the entire parade of horribles does not happen, at least, you know, a portion of those things might happen if we had such a broad interpretation. So that's my initial read on it. 

Dave Bittner: So what sort of timeline are we on here? How does something like this typically play out? 

Ben Yelin: So the end of the Supreme Court term is next June, so it'll have to be decided by then. I don't anticipate that it's going to take that long. Generally, cases that are more controversial tend to take a little bit longer. You have to have a justice write an opinion. If there's a dissent - you know, a justice is going to write a dissent. And then the person who wrote the opinion has to respond to the dissent, et cetera. 

Ben Yelin: I anticipate that that process would probably wrap up more like in the next three or four months, so maybe February or March. And that's when perhaps we would see a decision on this. So the absolute latest, you know, if they're really having trouble coming up with a majority one way or another, would be the end of June. But I anticipate that we should get a resolution probably sooner than that. 

Dave Bittner: All right. Well, we will stay tuned, for sure. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Snap, crackle, pop. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.