The CyberWire Daily Podcast 12.15.20
Ep 1234 | 12.15.20

SolarWinds compromise scope grows clearer. DPRK’s Earth Kitsune. Google’s authentication issue. A look at the near future of cybersecurity.

Transcript

Dave Bittner: SolarWinds' 8-K suggests the possible scope of the Sunburst incident. CISA leads the U.S. federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the U.K. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday's outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 15, 2020. 

Dave Bittner: SolarWinds, in a Form 8-K the company filed with the US Securities and Exchange Commission yesterday, said that some 33,000 customers had potentially been exposed by vulnerabilities in its Orion platform and that it's notifying them of the risk. The company added, however, that it believed, quote, "the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000," end quote, which is still a disturbingly large number. The company expects to make a patch available sometime today. 

Dave Bittner: CISA issued Emergency Directive 21-01 late Sunday. Lawfare has a quick account of what the directive meant for US Federal organizations and many of their contractors. In many cases, it meant a lot of time with dodgy network availability. CISA required all agencies covered by the emergency directive to report completion of required detection and remediation activities by noon yesterday, which itself is an index of how serious the agency regards the threat. 

Dave Bittner: The Washington Post reports that five major US agencies - the Departments of State, Homeland Security, Commerce and the Treasury, and the National Institute of Health - are now known to have been affected. It's worth noting that a supply chain attack can be notoriously difficult to contain. 

Dave Bittner: It's not entirely clear how the spies, presumably Russia's SVR, familiarly known as Cozy Bear, obtained access to SolarWinds and thus to the software supply chain, but ZDNet reports that a compromise of the company's Microsoft Office 365 email and office productivity accounts may have provided a point of entry. 

Dave Bittner: Bloomberg reports that FireEye found the SolarWinds compromise in the course of investigating the breach of its own red-teaming tools. They found Cozy Bear's Sunburst backdoor and disclosed its existence to both SolarWinds and law enforcement. 

Dave Bittner: The security company Volexity says this incident is connected to a 2019 campaign against think tanks that continued into 2020. Volexity writes, quote, "the primary goal of the Dark Halo threat actor was to obtain the emails of specific individuals at the think tank. This included a handful of select executives, policy experts and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command-and-control domains and other related indicators, such as a backdoored server running SolarWinds Orion," end quote. 

Dave Bittner: Dark Halo sounds a lot more sinister than Cozy Bear. We prefer Cozy Bear, if only because the word on the street is that the Russian organs, however focused, sophisticated and determined they may be, hate being thought of as cuddly and inoffensive. So stay cozy, comrades. 

Dave Bittner: Consensus holds that the effects of the cyber-espionage will continue to spread. The Telegraph reports that GCHQ is investigating the potential impact of the incident on the UK. The risk is complex. There is, of course, the risk that sensitive information British agencies may have shared with their US counterparts could have been compromised or that Cozy Bear might have succeeded in executing a trans-Atlantic pivot. But the principal risk is more immediate and direct. SolarWinds' customers in the UK include the Ministry of Defence, the Cabinet Office, GCHQ and other government organizations. 

Dave Bittner: As we say, GCHQ and its National Cyber Security Centre have the incident under investigation. An NCSC representative told Mail Online, quote, "The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any UK impact. The NCSC recommends that organizations read FireEye's update on their investigation and follow the company's suggested security mitigations," end quote. 

Dave Bittner: Turning to another cyber-espionage campaign, Trend Micro this morning published an update to its research into what it's calling Operation Earth Kitsune. While the name may be drawn from the Japanese word for fox, one with strong folkloric associations, Trend Micro has concluded that it's a North Korean unit, APT37, also known as Reaper or Group 123. Their evidence is circumstantial but compelling, depending upon such things as insights into the malware deployed and the development environment in which that malware was built. 

Dave Bittner: Google has an explanation for yesterday morning's outage that affected services worldwide. It looked at the time like a glitch and not a hack, and that's been borne out by what Mountain View discovered during troubleshooting. Google tweeted an explanation yesterday. At 3:47 a.m. Pacific Time, Google experienced an authentication system outage for approximately 45 minutes due to an internal storage quota issue. This was resolved at 4:32 a.m. Pacific Time, and all services are now restored. 

Dave Bittner: By consensus, remote work will remain the norm in 2021, and it will probably remain widespread even after the pandemic eases. But a CyberArk study suggests that companies have their work cut out for them dealing with unfortunate remote worker security habits. The personal and professional seem harder to keep apart while working online. And poor personal security practices, like sharing passwords and devices with family members, make that blurred boundary risky territory. 

Dave Bittner: Distracted minds make security mistakes, and there are plenty of distractions at home. CyberArk says, for example, 45% of remote employees cite disruption from family and pets as the biggest challenge of remote work, followed by balancing work and personal life at 43% and Zoom fatigue, which came in at 34%. Our staff can confirm that dogs are affecting working conditions. Some, at least, of our local dogs have been unusually frisky under conditions of social isolation. Maybe it's because they are not wearing masks. 

Dave Bittner: An ImmuniWeb study finds other security issues with working from home. The company thinks remote work with reduced face-to-face contact and fewer opportunities for quick, responsive, even serendipitous collaboration will raise problems for DevSecOps. With respect to law and policy, JD Supra predicts that the US Cyberspace Solarium Commission's report will serve as a reliable guide to their evolution. As CSO points out, the commission's report has already influenced the US National Defense Authorization Act. It's likely to do more than that. 

Dave Bittner: My first recollection of using a password goes back to signing into a local dial-up BBS when I was probably 13 years old or so. That was a long time ago. And yet, here we are still using passwords on a regular basis. Yes, we've got things like touch ID and face ID and password managers and multifactor authentication, but that passwordless world remains frustratingly elusive. Jasson Casey is chief technology officer at Beyond Identity, and he joins us to explain what passwordless actually means. Jasson, thanks for joining us here at the CyberWire. 

Jasson Casey: Thanks for having me. Passwords are, by design, end-user friction. And they haven't changed much in the last 28 years other than just saying things like they need to be longer, they need to always be high entropy, and you need to rotate them on a regular basis. And so, sure, you can pull a password manager to manage some of that complexity. But when we think about who uses passwords in the world or essentially everyone, we're not really making it possible for the rest of the world to be successful. Another way of looking at it is design, user interaction, ease of use from a person perspective has never really been considered in terms of passwords. 

Jasson Casey: And then you flip the coin over, and you realize passwords are the front door for bad things to walk through. Like, ultimately, these knowledge factors create pools of risk called password databases that regularly get harvested. They get sold and bartered and leveraged to maybe not break back into the company that they were stolen from, but exploiting human behavior, which is it's really hard to remember lots of high entropy, random strings, so I'm going to reuse things, and I'm going to reuse things across different sites. Rather than patch the problem, why don't we fix the root cause?

Dave Bittner: Does this really require a shift in the way that people think about this, about their online identities and how they protect their information that's out there? 

Jasson Casey: It does actually provide a different perspective, but we think people are already moving in that direction. And so if you look at the world of - the business world and COVID, you have these highly disparate workforces where most of them were not before, and all of these enterprise organizations that had built security infrastructure that baked knowledge in about infrastructure, where people are coming from, what they're working on, these are the organizations that have been scrambling during COVID to try and shift and change their mindset, whereas the organizations that had really kind of embraced this digital transformation journey as well as a more zero-trust or BeyondCorp style of thinking about security, basically they were more - they were in a mindset that was better able to handle this big shift in how workers behave. 

Dave Bittner: I suppose, also, having that - the ability, as you say, to escalate things, to have some granularity that, you know, not everything needs to have the same degree of scrutiny as other things. 

Jasson Casey: Are you moving $10,000 between bank accounts? Maybe friction's OK in that scenario. 

Dave Bittner: Right. 

Jasson Casey: Or are you moving - maybe you're paying a $5 bill, but you're paying a $5 bill, and you're operating from a device that you haven't really used in a while, and you're in a part of the country that we've never seen you travel to. Maybe that deserves a little bit more friction. 

Dave Bittner: But if I'm at my corner grocery store, you know, buying a tank of gas or a candy bar, I want that to happen as quickly as possible. 

Jasson Casey: If the risk is low, the friction should be as well. 

Dave Bittner: That's Jasson Casey from Beyond Identity. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security. But more important than any of that, he is my co-host on the "Caveat" podcast. Hi, Ben. How you doing? 

Ben Yelin: Pretty good, Dave. How are you? 

Dave Bittner: Not bad, not bad. Interesting article - this is from Vox on their Recode section. And, you know, we are deep in the holiday season here, getting our Christmas shopping done and taking care of our friends and family for Hanukkah or whatever it is we celebrate. And this article is titled "How Retailers Track Your Every Move in Exchange for Coupons and Convenience." The subtitle is "Attention Shoppers, Your Data Has Never Been More Valuable," article written by Sarah Morrison. What's going on here, Ben? 

Ben Yelin: So this article is sort of an all-encompassing summary of what retailers are doing with our data. I think one of the interesting elements of this is it's very timely for the end of 2020. The hook in this article is that not so long ago, i.e. last February, many of us used to go to brick-and-mortar stores. 

Dave Bittner: (Laughter). 

Ben Yelin: You could browse things. You could try on shirts and dresses before you decided to buy them. You could, you know, be relatively anonymous, maybe even pay in cash, where it's untraceable. 

Dave Bittner: Right. 

Ben Yelin: Now more of us are online shopping. It's not as safe to go into brick-and-mortar stores, you know, even the ones that are open and are not restrictive. 

Dave Bittner: Yeah. 

Ben Yelin: And because more of us are shopping online, we are trading convenience and potential coupons for what amounts to a pretty big invasion of personal privacy because these companies collect a lot of data on us. We have extreme examples like Nordstrom, which was collecting data about us while we were in their store by having our - tricking our cellphones into transmitting real-time data. But, you know, more typically, it's that these stores will lure us into their applications by offering us coupons. You know, you get 10% off Target by downloading the application or whatever. 

Dave Bittner: Right, right. 

Ben Yelin: Not to pick on any individual company. So they lure us in that way, and then they have us opt in to a bunch of EULAs that allow our information to be shared pretty broadly. And we know that information is purchased by data brokers. In some cases, it's sold by the cellphone company itself. 

Dave Bittner: Yeah. 

Ben Yelin: And it's a lot of information. I mean, it's not just our purchasing habits. It's, you know, using GPS tracking to figure out our personal habits, what kind of life - what kind of lives we lead. It's getting information from applications that we'd never suspect would be sharing personally identifiable information. You know, I always talk about when I order a sandwich from Jimmy John's, they're learning a lot more about me than you'd think...

Dave Bittner: (Laughter) And you should be ashamed of yourself, yeah. 

Ben Yelin: ...Just by sharing my location, just by agreeing to their terms of service, you know, by allowing them to connect to my other social media profiles. 

Dave Bittner: Right, right. 

Ben Yelin: So, you know, I think in some ways, this is sort of something that we already knew. But I think it's kind of bringing into focus that there is no free lunch here. 

Dave Bittner: Yeah. 

Ben Yelin: You are paying for something with those coupons. Most of us don't think about them because most of us will never face the consequences of, you know, data brokers purchasing information on us or selling information on us and, you know, companies knowing the intimate details of our lives. But I think, you know, that's something that should be on every person's mind before they sign those terms and conditions. 

Dave Bittner: Yeah. You know, I think about the grocery store loyalty programs. And, you know, I have a friend of mine, a dear friend of mine, who is very bitter at the fact that in order to get the various discounts and sales that are around the grocery store while he's - well, in the old days when we used to, you know, browse through the grocery store. 

Ben Yelin: Seems so long ago now. 

Dave Bittner: I know (laughter) - that you, you know, you have to - in exchange for giving them your information, in exchange for allowing them to track your purchases, you get these discounts. He wants the discounts without the tracking. And I - my - I feel differently about it. In this case, I feel as long as it's all aboveboard and this is a deal you're willing to make to say... 

Ben Yelin: Right. 

Dave Bittner: ...OK, yeah, I will - it's optional. You can track me in exchange for these discounts, and that's the arrangement we've made here. And either I'm OK with it, or I'm not. 

Ben Yelin: Right. I mean, in contract law, we talk about, you know, these bargained-for exchanges, where as long as the terms and conditions are clear, you know, if somebody really values something and you really value something else, those are legal grounds to make a trade, right? And, you know, I think that's what's happening here. 

Ben Yelin: As long as consumers are aware that this is what's happening, that by getting these, you know, 10-cent discounts on cereal boxes, you are potentially providing your local grocery store a lot of private information about yourself - as long as that's information that's widely understood, I think your perspective is right. It is - you know, it is a bargained-for exchange. It's fair. The problem... 

Dave Bittner: Yeah. 

Ben Yelin: ...We run into is that just most people aren't aware that that's what they're bargaining for. 

Dave Bittner: Right. 

Ben Yelin: And I don't think we've properly answered, just from a policy perspective, this problem of the fact that most people don't read terms and conditions and are just blissfully unaware of what they're giving up when they agree to use an application in exchange for a coupon. 

Ben Yelin: So, you know, I think in the long term, it's going to be about education around these things, just alerting people and giving people meaningful information before they agree to these terms and conditions. 

Dave Bittner: Well, let me add, for those of you who are interested in a certain degree of anonymity at the grocery store, I have yet to experience a grocery store where if I put in the phone number 867-5309, it's not already in the system. So (laughter)... 

Ben Yelin: Oh, I am not surprised. Jenny, they got your number. Yep. 

Dave Bittner: Just put your area code and 867-5309. Jenny is in the system, and you get all the discounts you want. And, boy, Jenny buys a lot of stuff (laughter). 

Ben Yelin: Dave, I resent you for the fact that that song is going to be in my head the rest of the day. 

Dave Bittner: Well, there you go. 

Ben Yelin: So thank you for that. 

Dave Bittner: Yeah, yeah. My gift to you. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. We floor the competition. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.