The CyberWire Daily Podcast 3.9.21
Ep 1285 | 3.9.21

Dealing with Hafnium’s work against Microsoft Exchange Server and Holiday Bear’s visit to the SolarWinds supply chain. A plea for OSINT, and some wins for the cyber cops.


Dave Bittner: CISA urges everyone to take the Microsoft Exchange Server vulnerabilities seriously. The SolarWinds compromise is also going to prove difficult to mop up. The U.S. is said to be preparing a response to Holiday Bear's SolarWinds compromise. Some of that response will be visible, but some will not. A plea for more OSINT. Ben Yelin ponders face scanning algorithms in the job application process. Our guest is Sam Crowther from Kasada asking why we're still talking about bots. And dragnets haul in some cybercrooks.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 9, 2021. 

Dave Bittner: The US Cybersecurity and Infrastructure Security Agency is urging all organizations across all sectors to address Microsoft Exchange Server vulnerabilities. CISA has provided a set of guidelines designed to walk IT security staffs and organizations' leaders through the process of fixing the vulnerabilities. Exploitation is ongoing. Attackers may have established themselves in their victims' systems, and there's more to an effective response than simply patching. 

Dave Bittner: As the US National Security Council tweeted late Friday, quote, "patching and mitigation is not remediation if the servers have already been compromised. It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted," end quote. 

Dave Bittner: Organizations affected by both the Hafnium attack against Microsoft Exchange Server and the Holiday Bear campaign that centered on a SolarWinds Orion supply chain compromise are finding their security teams feeling overtaxed, FCW writes. That doesn't in itself make either incident a "resource attack," but resources are being affected nonetheless. Recovery will be a long slog. From the point of view of Hafnium and Holiday Bear, that's probably just gravy. But the gravy probably tastes pretty good to the threat actors about now. 

Dave Bittner: Cybersecurity firm DomainTools this morning published an overview of how they see the SolarWinds incident as affecting security practices. Among several conclusions, one stands out. There will probably be a new interest in threat hunting. As they put it in their report, quote, "organizations have slowly yet steadily reallocated resources and budget over the last five or six years to build proactive threat hunting teams to combat advanced persistent threats and enhance their incident response speed and accuracy. Threat hunting as a formalized practice within an existing cybersecurity team has been steadily making inroads toward becoming mainstream, and SolarWinds might be the event that puts it over the edge in industry validation. Of the 20% of security organizations that will receive increases to their budget as a direct result of SolarWinds, threat hunting tooling is where the most additional resources will go to support," end quote. 

Dave Bittner: The US government continues to suggest that it's mulling a range of responses to Holiday Bear's romp through SolarWinds, and The New York Times quietly redacted its perhaps excessively muscular headline from "cyberstrike" to "retaliation," as well as muting some of its text. 

Dave Bittner: But Computing cites various sources who speculate that the US response will be both seen and unseen, with the mostly unseen coming first, visible enough to Mr. Putin and his intelligence services, but not to most of the rest of us. The sources said, "the first major move is expected over the next three weeks," adding that these would involve "a series of clandestine actions across Russian networks that are intended to be evident to President Vladimir Putin and his intelligence services and military, but not to the wider world," end quote. 

Dave Bittner: That, of course, and more economic sanctions, which would be visible to everyone. But at this stage in bilateral relations between Washington and Moscow, economic sanctions against Russia are already so extensive as to be deeply affected by the law of diminishing returns. 

Dave Bittner: General Paul Nakasone, director NSA and commanding general of US Cyber Command, last Thursday said that Cyber Command would be playing a key and ongoing role in the US response, and he spoke at some length about how Cyber Command would be supporting agencies like the FBI and the Department of Homeland Security. 

Dave Bittner: He also emphasized, however, as Breaking Defense reported, Cyber Command's "defend forward" concept, and "defend forward" has been characterized as referring to activities that include executing operations outside US military networks. Any such action undertaken by US Cyber Command or NSA would, if significant enough, be referred to the White House for approval, review and modification by the National Security Council. 

Dave Bittner: An essay in Foreign Affairs argues that intelligence agencies face a bear market for secrets and that they should adapt to work in the growing and increasingly transparent world of OSINT. Among other things, doing so would necessarily involve overcoming the widespread human tendency to confuse cost with value. 

Dave Bittner: The essayists rightly point out that a call for more attention to open-source intelligence isn't new, going back at least as far as Admiral Stansfield Turner, who was President Carter's director of Central Intelligence in the late '70s. They see the intelligence community as oriented toward exclusive, compartmented sources and methods. And they argue that this not only tends toward narrow, siloed analysis - which, in fairness, is part of protecting not only restricted intelligence but also the sources and methods used to build it - but that it also overlooks the considerable growth of commercial intelligence companies. These offer access to collection and analysis that incorporates everything from cyberspace to high-resolution overhead imagery. 

Dave Bittner: The authors suggest, as part-proposal, part-thought-experiment, establishing a platform managed by the Office of the Director of National Intelligence through which intelligence professionals could easily and quickly access OSINT from such nontraditional sources. This wouldn't replace the intelligence community's traditional closed architecture, but it would, at the very least, afford a useful source of alternative viewpoints and analysis. 

Dave Bittner: And finally, some news of collars in the world of cybercrime. Police in the Spanish province of Catalonia have arrested four men on charges of allegedly operating the FluBot malware, an Android Trojan that's been used mostly for stealing banking credentials. The Record by Recorded Future reports that some FluBot activity has persisted but that it's not clear whether some other members of the gang remain at large and active or whether some of the FluBot servers are just running on inertia. 

Dave Bittner: The Czech Republic has extradited two alleged Ukrainian goons to the Northern District of Texas, where they face U.S. federal charges of providing money laundering services to cybergangs. And the South Korean National Police have nabbed an alleged GandCrab affiliate on charges of distributing the ransomware to South Korean targets. The Record says the police tracked the young gentleman through his cryptocurrency transactions. So from Prague to Barcelona to Dallas to Seoul, well done, law enforcement. 

Dave Bittner: If, like me, you are of a certain age, you may remember lining up outside your favorite store to be the first on your block to get the newest hot Atari video game or perhaps a "Star Wars" action figure. These days, most of that queuing takes place online. And instead of worrying about the kid down the street beating you to it, hot items like PS5s or the latest sneakers find themselves snatched up by bots to be later auctioned off to the highest bidder. Sam Crowther is founder at security firm Kasada, where they have their sights set on beating the bots. 

Sam Crowther: As a society - right? - as we're doing more things in a world where it's harder and harder for us to have a level of assurance that the other people that we're interacting with from a, you know, social media perspective or the people who are interacting with us from an organizational perspective online are actually who they say they are and - yeah, the problem's only getting worse just because we're enabling everyone to do more things online, right? We're enabling people to book vaccines online. We're enabling, you know, people now to perform transactions online thanks to COVID that were, you know, maybe previously only ever done in the real world. And so it's creating more and more avenues for abuse at the end of the day. 

Dave Bittner: Can you give us a rundown of the spectrum of types of bots that are out there, the places where they're causing trouble? 

Sam Crowther: I think we could, you know, probably break them down into two main categories, right? There's bots who are there to influence, right? And that's, you know, very popular amongst disinformation campaigns. They're there to look like real humans to spread ideas. 

Sam Crowther: And there's ones that are used, you know, on a bit more of a personal level for, you know, real monetary gain. So that could be everything from your more traditional fraud - right? - where you're washing credit cards that have been stolen through a payment gateway, you're stealing credentials to break into people's accounts, you know, or it could even be the personal gain of getting someone in line for a vaccine ahead of everyone else. 

Dave Bittner: So what can folks do here? I mean, if I'm an online retailer, how do I ensure that my customers are going to be getting the best experience by trying to keep bots out of my system? 

Sam Crowther: Yeah, so I think the first step in dealing with this sort of issue is trying to isolate and understand the problem because it is going to be, you know, somewhat unique to every business based on what you're doing online. So looking at the data that you have access to about who these items are being sold to, information about how they're interacting with the website, whilst it is a retroactive exercise, can give you a good insight into how bad the problem may or may not be, right? You could also take customer feedback, you know, from - you know, if everyone's complaining that they can't get their hands on them, you know, maybe there's something to look into. 

Sam Crowther: And from there, it's really, I think, got to be solved initially with technology. The reality is it's very difficult to see this type of behavior. And so you need to work with, you know, someone at least who has expertise in this area and can help you isolate that traffic and then subsequently deal with it and prevent it from stealing what the humans are entitled to. 

Dave Bittner: That Sam Crowther from Kasada. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: There is a fascinating story from The Washington Post. This is written by Drew Harwell, and it's titled "A Face-Scanning Algorithm Increasingly Decides Whether You Deserve the Job." This is an older story here, but I think it speaks to some issues you and I have certainly been discussing on the "Caveat" podcast here. What's going on? 

Ben Yelin: So, yeah. This is November 2019, which seems like, you know, eons ago, but as you say, it's still very relevant. So there is a company called HireVue which uses artificial intelligence to give an employability score to various applicants. It's hard to know exactly what goes into the secret sauce here, but some of it has to do with facial movements, word choice, speaking voice - you know, the types of things that to me seem to be rather insignificant in terms of judging potential employees if you're an employer. But, you know, this has been persuasive to some of the country's largest employers. They mentioned Hilton as one of them here. They've used this company called HireVue to help analyze applicants. 

Ben Yelin: So a lot of privacy advocates are, not surprisingly, up in arms, saying it's a very disturbing development that we have technology that claims to be able to distinguish between a productive worker and a nonproductive worker based on tone of voice, mannerisms, facial expressions, et cetera... 

Dave Bittner: Right. 

Ben Yelin: ...And that it could end up hurting large classes of potential applicants, including non-native speakers. You know, from a human perspective, I just don't - I can understand the use of artificial intelligence in any context that you can think of, even if I don't agree with it. 

Dave Bittner: Yeah. 

Ben Yelin: This just seems like it's completely unnecessary. I mean, even large companies would benefit from having face-to-face interactions with their employees and judging them by their experience, you know, their characteristics, you know, how they come across in an interview. This just seems like a very bizarre thing to siphon off to artificial intelligence. 

Dave Bittner: Well, the case that they make here is that if you have a hot job and a thousand people apply for that job, only one person's going to get the job, and they just don't have the resources to meet, you know, with 999 people, that this gives them a way to allow people to submit a video of themselves and let the (laughter) - let the AI have at it and decide whether - and I'm laughing here because, again, it just seems absurd, and yet companies are finding this useful. 

Dave Bittner: Here's the problem I have with it. And this is what brought this - what brought this to my attention was somebody referenced this article in a tweet about the differences between people from different cultures, right? So, you know, let's say you grew up in one culture. I grew up in another culture. You know, some - I'll just be hypothetical here. You know, an Italian American family versus an Irish American family, right? And if I go have dinner with your family, it might be a very different environment than what I'm used to - the way people are communicating, you know, just using their hands, talking over each other or, you know, different people communicate in different ways. And artificial intelligence - what might be run-of-the-mill conversation with one social group may be perceived as being aggressive or argumentative, right? And how do you handle that subtlety? I'm not convinced the AI can do that. 

Ben Yelin: No. I mean, it's one of those things where as humans, we have biases, of course. 

Dave Bittner: Right. 

Ben Yelin: And those factor into our hiring decisions. And you see it all the time. Attractive people who are well-spoken, you know, disproportionately get hired over unattractive people who are not well-spoken, even, you know, if all other aspects of their applications are the same. 

Dave Bittner: Right. 

Ben Yelin: And, you know, there are certainly racial elements to it. When you send people identical resumes, you know, with one name sounding like a white person and one name sounding like an African American person, you get very disparate responses. 

Dave Bittner: Right. 

Ben Yelin: But my question is why we would want to bring those things, which to me are negative, into - like, why would we want to transfer that over to an artificial system? I think the solution would be rooting that out in the nonartificial system, becoming more aware of our biases, not sort of transferring them to a nonhuman entity like artificial intelligence. And that's what's so baffling to me is I'm just not sure what problem this is trying to solve. 

Ben Yelin: There are other ways that, you know, you can cull down resumes, even for jobs where there are - you know, where there is a lot of interest. You know, having certain thresholds in terms of experience, you know, even things like grade point averages, universities - those are a lot more objective and less subjective than the types of things that are being analyzed by this system. 

Dave Bittner: Well, I mean, maybe we're just missing the boat here and they - I mean, clearly, they've got customers and folks who believe in it, so maybe we're just... 

Ben Yelin: We're the odd ones out. 

Dave Bittner: We're cynical and jaded here, but I don't know. I think it's definitely worth keeping our eye on this. It just doesn't set - it just makes me a bit unsettled. And it sounds like you and I are in the same boat. 

Ben Yelin: I think so, yes. 

Dave Bittner: Yeah, yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The big train for small hands. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.