The CyberWire Daily Podcast 1.13.21
Ep 1248 | 1.13.21

Looking for that threat actor “likely based in Russia.” SolarLeaks and a probably bogus offer of stolen files. Notes on Patch Tuesday.

Transcript

Dave Bittner: Speculation grows that the Solorigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 13, 2021. 

Dave Bittner: According to The Wall Street Journal, well-informed observers are moving toward the view that the threat actors responsible for the SolarWinds compromise are also likely to have been behind the Mimecast certificate incident. The Journal puts it, quote, "the Mimecast hackers use tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp., according to people familiar with the investigation," end quote. 

Dave Bittner: Mimecast had been a SolarWinds customer, but not recently and apparently not within the period in which its own certificate became compromised. How Mimecast was hit remains unknown, and the Journal's anonymous sources appear to have reached their tentative conclusion on the basis of TTP similarities alone. Acting CISA director Wales thinks more US federal agencies will find themselves affected by the SolarWinds supply chain compromise, CyberScoop reports, so other shoes may remain to drop. 

Dave Bittner: Some, let us presume, loser - or, more probably, crew of losers - presenting their own self or selves as the threat actor responsible for the SolarWinds compromise is out there online under the hacker name "SolarLeaks." SolarLeaks is offering SolarWinds product source code, all including Orion, plus customer portal dump for just a quarter of a million dollars and FireEye private red team tools, source code, binaries and documentation for another 50 grand. Or you can get both, plus an unspecified whole shebang of stuff they're still sorting through for the low, low price of a cool million Yankee dollars. Come on. Huggy Bear is on vacation, and we've all gone crazy. Serious buyers only, says they, so hop to it, wealthy elite - or not. Do we really need to say that there's a greater chance your Aunt Matilda has the winning Powerball ticket than that SolarLeaks really has these or any other goods? 

Dave Bittner: But seriously, forget Powerball and Aunt Matilda for now. BleepingComputer says it tried to contact SolarLeaks through the contact email address the offer provided, but there was no joy there. Whether the SolarLeaks site is what it purports to be remains unconfirmed, as does whether it actually has any of the stolen files it mentioned in its offer. The SolarLeaks domain is registered through Njalla, a registrar favored by Russian intelligence services. 

Dave Bittner: There's a certain similarity, also, between the diction in the SolarLeaks' come-on and what we're familiar with from the Shadow Brokers. To be sure, SolarLeaks' lingo isn't the full-on scriptwriter Heckawi (ph) favored by the Shadow Brokers, but it does have a mannered uncertainty about tense and articles that is vaguely reminiscent of the Brokers. 

Dave Bittner: What's missing from the SolarLeaks' offer, of course, is the promise of delivering files from U.S. government agencies known to have been compromised. And, to be sure, there's nothing out there offered as a sample. Sure, SolarLeaks did say that nothing in this life is free, but that's what you'd say if you were bluffing, too. 

Dave Bittner: Anyhoo, here are some of the likelier possibilities. First, SolarLeaks could be a poseur. And this has two sub-possibilities. SolarLeaks is either a grifter trying a long shot con in order to make a few bucks from the curious, the gullible or the self-important, or they're just some collection of skids rattling the internet's cage for the lulz. Either one of these is possible. 

Dave Bittner: Second, SolarLeaks could be for real, and they could represent a cyber gang who prepped and executed the supply chain campaign with the intention of monetizing it. This is possible but seems unlikely. For one thing, it shows more patience than crooks normally display. For another, it's not clear how the stuff known to have been stolen could be readily monetized. If they really were aiming at theft of something, they could easily cash out. This seems like a lot of trouble to go to just to pick up a lot of fullz you could hawk in a carding forum, so not too likely. 

Dave Bittner: Third, SolarLeaks could be for real and represent a misdirection effort by a member of Huggy Bear's brood. Recall that Russian influence operations historically tend to aim at increasing the adversary's friction. They're disruptive, not constructive, entropic, not ordered, and this kind of thing is just more friction. It's like sending Kevin Mandia a postcard to dunk on FireEye. This seems a real possibility. 

Dave Bittner: Fourth, SolarLeaks could be for real, but its purpose is just to crow, as if that postcard to FireEye's Mandia the FBI is looking at was really done to count coup. Maybe, but whooping it up seems more cowboy than Cossack, so probably not. 

Dave Bittner: Finally, SolarLeaks could represent misdirection by some other, hitherto implicated nation-state. Again, maybe, but that really is a priori speculation. 

Dave Bittner: If we had to bet, we'd go for door No. 1 or door No. 3. That's our own a priori speculation. 

Dave Bittner: Yesterday's Patch Tuesday saw software updates from several companies, including SAP, who released 10 security notes, seven of which represented updates to earlier fixes; Adobe, whose security bulletins addressed Adobe Photoshop, Illustrator, Animate, Campaign Classic, InCopy, Captivate, Bridge; and Microsoft, which, according to SecurityWeek, dealt with 83 issues, 10 of them critical, one of which is undergoing active exploitation. One of Microsoft's patches addresses a Windows Defender flaw, and the Zero Day Initiative speculates in its Patch Tuesday summary that this particular issue was exploited in the Solorigate cyber-espionage campaign. 

Dave Bittner: We end today on a sad note. The information security world lost one of its own this month. Yonathan Klijnsma, most recently head of Threat Research at RiskIQ and a friend of this show, lost his life to cancer last Wednesday. He was just shy of his 30th birthday, taken far too soon. We wish him peace and his family consolation. He'll be missed. 

Dave Bittner: Our guest today is Andrew Cheung, CEO of 01 Communique, a company that's developing a number of post-quantum cryptographic systems for security. Andrew, welcome to the CyberWire. 

Andrew Cheung: Thank you. Pleasure to be here. 

Dave Bittner: Before we dig into the details of some of the goings-on when it comes to post-quantum cryptographic systems, can you give us a little of the backstory and sort of where we stand today? What is the significance of - when we're talking about quantum computing, why is that important? 

Andrew Cheung: Yeah, well, that's a very good question. So quantum computing can be explained in layman's terms as an extremely fast computer. We're talking about millions of times faster than a conventional supercomputer. You're not talking about a hundred times faster. You're talking millions of times faster. It would render traditional encryption useless because they can compress the over-a-century time needed to kind of hard crack an encryption in use today to become just a few seconds. So that's the problem a quantum computer is having on the bedrock of cybersecurity today. And we are providing the shield, you know, or you can call it the quantum-safe encryption, to withstand that excessive computing power. 

Dave Bittner: Do you find that there's some skepticism from people that this is going to happen so quickly? It seems to me as though - that there's a sense that it's always a little bit off in the future, you know, no matter when you ask. 

Andrew Cheung: Exactly. You know, this is just like any - I think we are right in one of those best examples. Like COVID, you know, people ignore it until it happens. And this is - we are human beings, and human beings tend to be like that. When they see a problem, they say, well, you know, I will act when it is here. But this is a very serious issue because when it come - right? - it's not like overnight you can convert your system to become quantum-safe. It takes time to do it. 

Andrew Cheung: And even more scary is that hackers today, they can grab your data - well, your data today is encrypted, so even if they grab the data, it's meaningless. That's OK. They can grab your data, but then they just simply put it aside and wait until after a few days to decrypt your stuff, right? So the protection should already be protected today, not on two days or even shortly before two days. And it is very scary. 

Andrew Cheung: The only fact that people know is that there are many - many nations are also pouring billions and billions of dollars into quantum computing research. And they won't tell you what they have. It's very, very scary. And launching (ph) from here between now and two days. 

Dave Bittner: Right. All right, well, Andrew Cheung, thank you so much for joining us. 

Andrew Cheung: My pleasure. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting story from Ars Technica. This was written by Dan Goodin and is titled "WhatsApp Gives Users an Ultimatum: Share Data with Facebook or Stop Using the App." 

Joe Carrigan: Isn't that nice? 

Dave Bittner: What do you think about this? 

(LAUGHTER) 

Dave Bittner: Because, you know, I thought to myself, I'll bet Joe has thoughts on this. 

Joe Carrigan: Yeah. 

Dave Bittner: So, Joe, what are your thoughts? 

Joe Carrigan: Yeah, I have been on the verge of wanting to delete my Facebook account for so long, and this kind of behavior is exactly why. Facebook bought WhatsApp, I think, back in 2014 for a large sum of money. WhatsApp... 

Dave Bittner: Right. 

Joe Carrigan: ...Was - or is an end-to-end encryption communication app, right? 

Dave Bittner: Yeah. 

Joe Carrigan: And once they got acquired by Facebook, of course everybody was like, well, that's the end of that. And it turns out... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Well, yeah, that is the end of that. 

Dave Bittner: It only took a few years. 

Joe Carrigan: It only - yeah, it just took a little while. But now they have these terms of service, TOS, that if you don't agree to them by February, it will not let you continue to use the app. So the data that WhatsApp collects includes your phone number, other people's phone numbers stored in your address books, profile names, pictures, status messages, including what the user - when the user was last online - right? - diagnostic data collected from the log apps. I actually don't have a problem with that one. That one's actually kind of important for - from a development standpoint. But under the new terms, Facebook reserves the right to share collected data with, quote, "its family of companies." 

Dave Bittner: (Laughter). 

Joe Carrigan: Right? 

Dave Bittner: That's a big family. 

Joe Carrigan: That is a big family. And you're not going to have the choice of that anymore. So until recent - or until next month, that data has always been separated from the vast pile of Facebook data. After next month, it will be integrated into it. And if you don't agree to that, you can't use the service anymore. 

Dave Bittner: Right. 

Joe Carrigan: There is another article on The Verge that is interesting. It says, "Signal Sees Surge in New Signups After Boost from Elon Musk and WhatsApp Controversy." 

Dave Bittner: (Laughter). 

Joe Carrigan: So users are evacuating WhatsApp and heading over to Signal. In fact, I signed up for Signal today... 

Dave Bittner: Yeah. 

Joe Carrigan: ...'Cause I didn't use it before, but I probably should've been. I had been using Telegram as my end-to-end encryption messenger service. 

Dave Bittner: Yeah. 

Joe Carrigan: But Signal, I think, has - is better. And it doesn't collect any data at all. It's run by a foundation. It's supported by donations. I like that model a lot better for communicating securely. That's, I think, the better way to go. 

Dave Bittner: Yeah. 

Joe Carrigan: This whole thing, though, Dave - there's been talk in Washington about breaking up some of these large tech giants, like Facebook and Google. 

Dave Bittner: Right. 

Joe Carrigan: You know, I don't know about - or I guess Alphabet. It wouldn't be Google. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know about Alphabet, but I think it might be time to break up Facebook. And this is just my opinion, not the opinion of my employer or anybody else. This is solely Joe Carrigan's opinion. But I think that Facebook is a company that we need to actually look at that from a consumer protection standpoint and make sure. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, because the amount of data that they're collecting about people is staggering. And the ways they're collecting it is also staggering. 

Dave Bittner: Yeah, yeah. You know, it's - I think the thing that gets my goat is that they - there's no granularity here. It's all or nothing. You either share... 

Joe Carrigan: Right. 

Dave Bittner: Share it all or just, OK, fine, go away, you know? 

Joe Carrigan: Right. 

Dave Bittner: If you're not going to let us do this, we don't want you. 

Joe Carrigan: Right. Well, guess what. I think, Mark, that you're about to lose me. 

Dave Bittner: Yeah (laughter). Right. I'm sure he'll lose sleep over it, Joe... 

Joe Carrigan: Yeah, he's going to lose sleep over that. 

Dave Bittner: ...Just like he did when I shut down my Facebook account. But, I mean, you know, you... 

Joe Carrigan: He'll cry himself to sleep on his pillow stuffed with billion-dollar bills. 

Dave Bittner: (Laughter) Right, right. You know, even if you're not on Facebook anymore, they still track you. 

Joe Carrigan: They do, absolutely. 

Dave Bittner: You know, they still track you around the web. So... 

Joe Carrigan: Yep. 

Dave Bittner: I mean, I think you're right. I think there's a case to be made for breaking up some of these big tech companies. But I also think there's a case to be made for giving users control of this information in a much more meaningful way. So hopefully we'll see some political will in the coming years, or hopefully sooner than later... 

Joe Carrigan: Yeah. 

Dave Bittner: ...That we can get control of this for ourselves, that all this information can't just be shared around without us - let us opt in. 

Joe Carrigan: Right. 

Dave Bittner: In the very least, let us opt out... 

Joe Carrigan: Yes. 

Dave Bittner: ...Without having to not use the - anyway, I'm rambling. Everybody knows what I mean here. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Yeah. It's frustrating, though. It's - can you tell it's frustrating, Joe? Can you tell it's frustrating? 

Joe Carrigan: It is frustrating, and I can tell. Yeah, I can tell. 

Dave Bittner: (Laughter) All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Share the wonder. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.