The CyberWire Daily Podcast 3.17.21
Ep 1291 | 3.17.21

US report on 2020 foreign election meddling is out, and Russia and Iran are prominently mentioned in dispatches. Recovering from the Hafnium and Holiday Bear campaigns.

Transcript

Dave Bittner: Is luck on your side? Well, you have a chance to win a hundred-dollar Amazon gift card when you complete our survey. We value the opinion of each and every member of our audience. Whether you just listen to our podcasts or only read our newsletters, we want to hear from you. The survey expires in a week, so be sure you have your chance to give us your feedback. Just go to thecyberwire.com/survey. That's thecyberwire.com/survey. And best of luck to you.

Dave Bittner: The US intelligence community has released its report on 2020 foreign election meddling. Ukraine says it stopped a significant Russian cyberespionage campaign. Recovery from the SolarWinds and Exchange Server compromises continues. Joe Carrigan shares thoughts on the Verkada hack. Our guest is Oscar Pedroso from Thimble on getting kids hooked on technology. And no, that celebrity tweeter isn't really going to send you $2,000 for every $1,000 you give back to the community. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 17, 2021.

Dave Bittner: The US intelligence community late yesterday released the unclassified version of its report on foreign interference in the 2020 federal elections. The investigation found no evidence of foreign attempts to manipulate vote counts or other technical aspects of the election. It did find evidence of an extensive Russian influence campaign aimed at denigrating then-candidate Biden to the advantage of then-President Trump, with a strong, overarching goal of eroding confidence in U.S. elections. The investigation found that Iran conducted a similar influence effort aimed at damaging President Trump's candidacy. Both efforts were authorized at the highest levels, by President Putin in Moscow and by Supreme Leader Khamenei in Tehran.

Dave Bittner: Russia's efforts were marked by extensive preparation and the use of trolls, agents of influence and influencers of the useful-idiot variety, with messaging amplified by online proxies and Russian official media outlets. In general, Russian policymakers, while not in every respect happy with President Trump, clearly preferred him to a President Biden, although they had made their peace with a possible Biden presidency by the closing weeks of the campaign, seeing a silver lining in President Biden's presumed interest in reviving arms control agreements perceived as working to Russia's advantage. Their long-standing goal, which the report says endures into the present, is to weaken the United States, and whatever is likely to accomplish that, particularly erosion of trust in U.S. civil and political institutions, is a good bet.

Dave Bittner: Iran wasn't particularly in favor of President Biden, but the Islamic Republic was definitely opposed to President Trump. Their influence operation ran principally through social media and, interestingly enough, highly targeted email campaigns that spoofed the Proud Boys and threatened the recipients - for the most part, likely Democratic voters - with crude appeals to vote for Trump, hoping thereby to provoke a backlash against the former president. Tehran's efforts work to exploit and exacerbate fissures in American civil society, and the report warns that these efforts have continued, post-election. Iran chose what the report calls cyber tools and methods because they were cheap, scalable, deniable and required no physical access to the US. 

Dave Bittner: The investigation considered the possibility of interference by other governments as well, but none of the others were as active as those of either Russia or Iran. China considered undertaking an influence campaign but, eventually, seems to have decided to sit the election out, apart from taking some minor shots at then-President Trump. In general, Beijing seems to have performed a cost-benefit analysis and decided that it saw no particular advantage to China in the election or defeat of either major party candidate and, in particular, no advantage that would outweigh the bad optics of getting caught while finagling. Traditional influence - lobbying and economics - were judged to be the best bet for advancing Chinese interests, and in any case, the view from Beijing sees bipartisan Sinophobic consensus in the U.S., and that anti-China sentiment is going to endure whichever party holds the major positions in government. Beijing may have thought President Trump mildly worse for Chinese interests than President Biden but not worse enough to warrant a big push to see him defeated. 

Dave Bittner: Lebanese Hizballah, Cuba and Venezuela played bit parts with their own minor influence operations. None of them had any use for President Trump and woofed against him, but their efforts were ineffectual, petty larceny stuff lost in the noise. And of course, there was the usual criminal presence, manifesting itself in ransomware attacks, at least one of which affected a voter registration system. But the crooks don't appear to have been aligned with any government or to have had any particular political purpose. 

Dave Bittner: As one might expect, the Russian Embassy in Washington didn't much like the IC's report, saying, quote, "another set of groundless accusations against our country of interfering in American internal political processes." The report says the embassy is just more American megaphone diplomacy. 

Dave Bittner: Ukraine's SBU security service says it stopped a large Russian cyberespionage effort yesterday, according to Reuters. The goal was to get access to classified data of the highest institutions of state power of Ukraine, the SBU said. They attributed the cyberespionage campaign to Russia's FSB, the security service whose cyber activity has often been called Cozy Bear. 

Dave Bittner: Senior administration officials said during a White House media availability Friday that US agencies are within about a week of remediating the effects of Holiday Bear's SolarWinds compromise. The nine agencies known to have been compromised are addressing, among other things, network visibility. A major part of the response is intended to be modernization of federal IT systems, which the senior officials characterized as a bargain when compared to the cost of sustaining another compromise of this kind and magnitude. 

Dave Bittner: Those same officials also commented on the ongoing campaign against Microsoft Exchange Server. Here, too, network visibility was cited as a challenge - quote, "The U.S. government largely does not have visibility into U.S. infrastructure, and many of these actors operate out of U.S. infrastructure. And as we talked about, the us part of really needing to start prioritizing security in the way we build and buy software, we can do innovation and security." 

Dave Bittner: Worldwide response to Hafnium's Exchange Server hack continues. Netherlands authorities, Reuters reports, have found at least 1,200 compromised servers. Authorities said, quote, "The National Cyber Security Centre observes that as a result of vulnerabilities, data is being stolen, malware is placed, back doors are being built in and mailboxes are offered for sale on the black market." So much of the fallout from Exchange Server vulnerability exploitation continues to be criminal in nature. 

Dave Bittner: And finally, the Tampa Bay Times reports that the teenaged Twitter hacker Graham Ivan Clark has taken a guilty plea to Florida state charges of running a scam that used hijacked high-profile Twitter accounts to get people to send him bitcoin. Last summer, Mr. Clark, then a student at Gaither High School, worked the now-familiar cast-your-bread-upon-the-waters scam, tweeting things like this from famous people's accounts - I'm giving back to the community, he tweeted from an account belonging to then-candidate Joe Biden. All bitcoin sent to the address below will be sent back doubled. If you send $1,000, I will send back $2,000. Only doing this for 30 minutes. Enjoy. 

Dave Bittner: A pro tip - if you want to give back to the community, treat it as a gift and don't look for a return on your investment. Mr. Clark will be a guest of the governor of Florida for three years, with an additional three years of probation to follow. 

Dave Bittner: Among the casualties of the global COVID pandemic has been the opportunity for students to enjoy in-person, collaborative classroom experiences, specifically things like science and technology labs, robotics clubs and other STEM-related activities. Oscar Pedroso is CEO at Thimble, a company that provides live and on-demand robotics and coding classes for kids, as well as hands-on kits that students can have shipped to them. Not surprisingly, throughout the pandemic, he and his team have been busier than ever. 

Oscar Pedroso: Right now, it's a little bit of everything as far as hybrid and - you know, hybrid learning is a term being tossed around a lot, which just consists of in-person as well as online instruction. And last year, when the pandemic hit, parents weren't really sure what was going on. I don't think anyone knew what was really going on, really. But from the school standpoint, a lot of schools ended up shutting down or remained online - strictly online until they knew more information about where everything was going. So for a good chunk of 2020, kids were really learning at home for the most part. And now that we're in 2021, there seems to be a shift into hybrid learning and then the slow transition back to in-person instruction. 

Dave Bittner: Now, you all have filled some of the gap here. Can you describe to us - I mean, what are the kits that you all make available to some of these students? 

Oscar Pedroso: So we teach electronics and programming. So a lot of our kits revolve around robots, drones, video games. And these are - these tend to be things that kids are drawn to. And I was certainly drawn to them when I was younger, too. And so we have 15 different types of kits, and they range anywhere from building a Wi-Fi robot to a weather station to a little piano synthesizer. And each of these projects touches on a different type of discipline out there. So whether it's smart home technology, GPS and navigation, robotics and mechatronics, like, we really try to make it broad so that kids can be exposed to different subject areas and not just one. 

Dave Bittner: We have - boy, we've really come a long way since my RadioShack 150-in-1 kit back in the day. 

Oscar Pedroso: (Laughter) Definitely. 

Dave Bittner: How do you go about making sure that you're reaching some of the kids that are underrepresented and that - I mean, are there things like scholarships? Are there ways to hit those particular kids and families? 

Oscar Pedroso: Definitely. We do monthly scholarships. So we do five a month, and we will usually put out a campaign on social media for anyone that might not be able to afford a membership. We also work with schools and through various partners like National Grid, for example. They're a big utility provider here in the Northeast. They have various community and neighborhood programs geared toward serving underserved schools. So through those partnerships, we're able to work with National Grid to subsidize the cost of these programs for kids who might not ever really get to access any of this type of instruction. 

Dave Bittner: That's Oscar Pedroso from Thimble. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've seen widespread coverage of this story about the surveillance camera company Verkada... 

Joe Carrigan: Right. 

Dave Bittner: ...And some bad news that they've had to deal with here. I'm looking at a story from Bloomberg that covers this over on the Yahoo! Finance site. Can you bring us up to date? What's going on here? 

Joe Carrigan: So this group of hackers calling themselves - I don't know if they have been dubbed an APT with a long number after it or if this has been designated to them by other people, but they are - essentially, Arson Cat is what they call themselves. And one of them - somebody found a leaked super user account name and password out on the net - on the internet somewhere. And they used that to gain access to the system. In fact, as soon as Bloomberg contacted Verkada, these actors lost control and lost the access that they had. But while they were in, they were able to access the feeds of 150,000 security cameras, surveillance cameras, inside of prisons, hospitals, companies, police departments, schools. They were inside the Sandy Hook School, which is where that horrible shooting... 

Dave Bittner: Wow. 

Joe Carrigan: ...Took place back in 2012. They claimed that they were in a Tesla production facility, although Tesla says, that's just one of our suppliers, that's not us. All of our stuff is stored locally, not in the cloud. 

Joe Carrigan: There was one case where they had a - or one example in the video that Bloomberg saw where, in a Florida hospital in Halifax called Halifax Health, that showed what appeared to be eight hospital staffers tackling a man and pinning him to a bed. Of course, we don't know what the situation is here, but the - on their public-facing website, Verkada has a case study that is called "How a Florida Health Care Provider Easily Updated and Deployed a Scalable HIPAA-Compliant Security System." Safe to say this is no longer HIPAA compliant, or at least this is a HIPAA violation, right? 

Dave Bittner: (Laughter) Right, right. Yes, I don't think you're going out on a limb by saying that, sure. Sure. 

Joe Carrigan: Right, right. So, you know, this actually has impact on the - on a lot of people, like the patients. Though, I don't know that the video's been released. I don't know that - I mean, Bloomberg has seen the video. I don't think they're going to publish it. That would be unethical, I think. 

Dave Bittner: Yeah. 

Joe Carrigan: The fact that - just the fact that they state what's here is fine. We don't need to see the video. 

Dave Bittner: Right. And it's interesting to me these folks are claiming to be hacktivists... 

Joe Carrigan: Right. 

Dave Bittner: ...In that they're not out there - they're not - you know, it's not a ransomware thing. They're not asking for money. They're trying - they say that they're trying to raise awareness at how video cameras are everywhere, this panopticon of surveillance, and they just want to draw attention to that. Do you feel any sympathy for their case there? 

Joe Carrigan: Well, I don't know. The - this - there's somebody who's identified as Tillie Kottmann - probably not their real name. And their Twitter account has already been suspended. So... 

Dave Bittner: Yeah. 

Joe Carrigan: ...No more is coming out of that venue. But the quote here is - the reasons for hacking are, quote, "lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism and a hint of anarchism, and it's also just too much fun not to do it." That's the quote. So, you know, I think that anti-capitalism is in vogue right now, so there - they might be trying to curry favor with people. Maybe they actually are anti-capitalist. Who knows? You know, the - you know, curiosity, fighting for freedom of information and against intellectual property - I understand fighting for freedom of information. 

Joe Carrigan: I really do empathize with the surveillance state. I'm not a big fan of this - of all the surveillance that goes on. And it - this does bring up a good point about the - about, you know, while we have all this surveillance technology around, but don't worry; it's secure. No, it's probably not secure. There's - all you have to do is look on the internet and find a username and password that lets somebody go in, and everybody's security just goes right out the window. 

Dave Bittner: Yeah. 

Joe Carrigan: So I empathize with that a lot. But that being said, this is not how you go about it. 

Dave Bittner: Well, and I think also it points out the issue of third-party risk... 

Joe Carrigan: Right. 

Dave Bittner: ...Which is certainly a hot topic these days, how so many organizations had put their trust in Verkada. 

Joe Carrigan: Right. 

Dave Bittner: You know, well-known organizations globally had put their trust in Verkada. And, you know, you've got this - what reportedly was a hardcoded password hanging out there on the internet, and all these organizations get hit. 

Joe Carrigan: Right. Everybody gets owned on this. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know. This is kind of, like, a basic failure of an authorization system, you know? We talk about the three A's - authentication, authorization and auditing. There is no reason for someone to be authorized to view every single thing in the Verkada system. I mean, there's really no reason to have a superuser account like this, especially in modern times. I mean, the principle of least privilege is a security basic, almost an axiom by now... 

Dave Bittner: Right. 

Joe Carrigan: ...That you don't go around creating, essentially, what are users in an enterprise system like this, that you compartmentalize as much as you can. But there's really not a reason to have this kind of level of access. 

Dave Bittner: Yeah. 

Joe Carrigan: And there's certainly not a reason to publish it or to let it leak out. 

Dave Bittner: Yeah. Well, it's an unfortunate and cautionary tale, and it's going to be interesting to see how this plays out over the long term. 

Joe Carrigan: Yeah, it will be interesting to see what happens here. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The more you drive it, the better it gets. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.