The CyberWire Daily Podcast 3.30.21
Ep 1300 | 3.30.21

US considers how to settle accounts with Holiday Bear. International norms in cyberspace. Ransomware continues to surge against vulnerable Exchange Servers, and other criminal trends.


Dave Bittner: The U.S. administration continues to prepare its response to holiday bears a romp through the SolarWinds supply chain. Congress is asking for details on what was compromised in the incident and why the Department of Homeland Security failed to detect the intrusion. The U.N. offers some recommendations on norms of conduct in cyberspace. Ben Yelin on a New Jersey Supreme Court ruling that phone pass codes are not protected by the Fifth Amendment. Our guest is Frank Kettenstock from Foxit on the security of PDF files. Developments in ransomware, including exchange server exploitation, credible extortion and attempts to enlist customers against victims.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 30, 2021. 

Dave Bittner: The AP's report that the Russian threat group behind the SolarWinds winds supply chain compromise gained access to email accounts of senior U.S. Homeland Security officials, including those of former acting DHS secretary Chad Wolf, continues to draw attention. As the AP puts it, quote, "The intelligence value of the hacking of then-Acting Secretary Chad Wolf and his staff is not publicly known, but the symbolism is stark. Their accounts were accessed as part of what's known as the SolarWinds intrusion. And it throws into question how the U.S. government can protect individuals, companies and institutions across the country if it can't protect itself," end quote. CNET has a particularly useful summary and timeline of the entire Holiday Bear incident. 

Dave Bittner: The Washington Post says it's confirmed that Secretary Wolf's emails and those of senior staffers were indeed accessed. But the Department of Homeland Security has declined to confirm either the compromise or the content of the emails the threat actor obtained. Members of both the US Senate and House from both major parties have asked the administration for an explanation. The US administration is believed to be entering the last stages of deliberation over a response to the Russian operation. Delay in appointing the national cyber director, the Solarium Commission recommended and Congress authorized is seen, according to Politico, as hindering the execution of whatever response the administration ultimately decides upon. It ascribes the delay to wrangling over agency equities, executive branch reluctance to introduce another Senate-approved position into the White House and, at some level, personal friction among present and prospective senior cyber officials. 

Dave Bittner: Microsoft expresses its approval in a blog post of the United Nations' evolution of proposed international norms for conduct in cyberspace. Redmond sees three particularly noteworthy aspects of the report by the General Assembly's Open-Ended Working Group. First, it elevates and affirms the authority of international law in cyberspace and the set of norms for responsible behavior that were adopted as voluntary standards in 2015. Second, it recognizes the need to protect health care from cyberattacks, including medical services and facilities. Third, it calls on states to protect the information communications technology, or ICT, supply chain. As the Open-Ended Working Group's report has it, the development of international communications technology have become central to the U.N.'s core goals of promoting peace and security, human rights and sustainable development. The global connectivity such technology has fostered has become a catalyst for human progress and development, transforming societies and economies and expanding opportunities for cooperation. The states who contributed to the working group expressed concern over the extent to which ICT has been, in effect, weaponized and that such weaponization represents a significant threat. Quote, "ICT activity contrary to obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public could pose a threat not only to security but also to state sovereignty, as well as economic development and livelihoods and, ultimately, the safety and well-being of individuals," end quote. The recommendations represent the application of familiar just-war principles to cyberspace, particularly discrimination, proportionality, the protection of noncombatants and the services essential to their well-being. The report recommended a mix of voluntary restraint and cooperation, further development of international law and an effective array of confidence-building measures. 

Dave Bittner: Check Point adds its conclusions concerning a trend remarked by SecurityWeek and others - ransomware attacks are surging against still-vulnerable instances of Microsoft Exchange Server. Check Point says in the last week alone, the number of attacks involving Exchange Server vulnerabilities has tripled. SecurityWeek's partial list of the criminal groups who've entered via the zero day that Hafnium, a Chinese government actor, exposed includes ransomware operators DearCry, also known as DoejoCrypt, and Black Kingdom, also known as Pydomer, with the Lemon Duck cryptojacking botnet in for good measure. 

Dave Bittner: Ransomware gangs are showing some evolutionary trends, as well. Their long move from simply rendering victims' data inaccessible by encrypting it and on to adding data theft with the attendant possibility of either doxxing or compromise of sensitive information is now well known. The BBC reports a shift toward more of what it calls extortionware. That is the location of discreditable material, often pornographic, whose public disclosure would embarrass both the individual victim and the victim's organization. Sextortion has been going on for some time, but it's most often represented an empty threat. The extortionist typically had nothing on the victim and could be safely dealt with simply by ignoring it. In recent incidents, however, the criminals, unfortunately, may well have the goods. 

Dave Bittner: And the ransomware gangs are also calling in victims' customers to help induce the victims to pay up. BleepingComputer wrote Friday that the Clop gang has begun to threaten those customers with data exposure in the expectation that the customers will pressure the victims to pay. This was first seen, BleepingComputer says. When Flagstar Bank was hit and then when the University of Colorado was affected by the Accellion incident. 

Dave Bittner: More recently, BleepingComputer says it's seen an email sent to customers of an unnamed online maternity store - the publication won't, on principle, name the retailer - urging them to push the store to pay the ransom. The email's subject line says, your personal data has been stolen and will be published. The body goes on to say, perhaps you bought something there and left your personal data, such as phone, email, address, credit card information and Social Security number. It closes with creepy urgency - call or write this store and ask to protect your privacy. There is, of course, no particular reason for anyone, customer or not, to assume that the Clop gang will keep its word. Forbes points out that this tactic seems to make the victim out to be the bad guy. Their article also urges people not to fall for it and to avoid becoming complicit in the crime. 

Dave Bittner: The trusty PDF file format dates back to 1993, a portable document format developed by Adobe. Standardized in 2008 and fairly ubiquitous today, it's one of those file formats that's been around so long and is in such common use that for a lot of folks it's essentially benign. The thought that PDF files could carry security issues doesn't really cross their minds. 

Dave Bittner: Frank Kettenstock is CMO of Foxit Software, a provider of PDF tools, and he joins us with a few security reminders about the format. 

Frank Kettenstock: So we look at security for a PDF - we look at as three different ways. The first one is secure any vulnerabilities. That's to protect you against malicious software. The second is document security. That's really to protect the confidential information within a document. And then the third one is service security - right? - because we do a lot of things over the cloud now. And if you're dealing with a cloud service that goes outside your firewall, you want to make sure that your documents are secure as well as your privacy is protected. And so we look at those three separate things. 

Frank Kettenstock: Now for security vulnerabilities - this has been happening for, you know, since the Internet had started. Right? We download software onto our computer, and sometimes there's unwanted software that comes with it. Right? And a lot of times that's malicious software that we don't want. And so we install virus protection - right? - to guard against that. Also, our browsers now also have capabilities built into it to warn us against suspicious websites or other types of things. And so our PDF software that reads and displays and allows you to manipulate or edit PDF documents really does the same thing as well. 

Frank Kettenstock: And so one of the great things about PDF is it's very powerful, but it allows you to do things like JavaScripting and so forth, and that's where someone can put in some malicious software. So what we want to do is protect you and your computer against that - right? - so we have something called a safe mode, which will basically turn, like, a lot of things off. And so you're very secure with that. But sometimes your PDF might not operate correctly. Right? So we have ways - things like whitelisting - to be able to provide you the capability to say, this is what I want to protect myself against, and this is what I don't. 

Frank Kettenstock: We also look at things when you try to - when a PDF tries to access areas of memory that it shouldn't be or does some external commands that's not very typical. We would stop those and say, hey, your PDF is trying to do this. Do you really want it to do that? So we're trying to protect the user when they download documents off the internet to make sure that both their data as well as their system doesn't get negatively affected. 

Dave Bittner: So bright days still ahead for PDFs. I mean, it's a format that's been around for a while but still provides us with the service we need for many, many useful functions to come. 

Frank Kettenstock: So yes, that's correct. And what we see now is more and more people are using PDFs on cloud-based services - right? - Whether it's cloud storage or PDF creators or editors like ours, also augment the desktop with cloud-based services or just have standalone cloud-based services. Now, there's security in that as well - different type of security, right? So a lot of these cloud-based services, some of your information or data might get moved to a cloud-based server outside of your firewall. And you want to ensure that your documents, your information, as well as your personal information, are secure and are private. You also want to make sure that the IT folks of your cloud-service provider or internally, that they are also have restrictions and so forth and so people within the company can't steal the data as well. And these are all kinds of things that you want to look at for a PDF document or, obviously, even if it's a non-PDF document. 

Dave Bittner: That's Frank Kettenstock from Foxit Software. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. 

Dave Bittner: Ben, it's great to have you back. 

Ben Yelin: Good to be with you, Dave. 

Dave Bittner: Interesting article from CPO magazine. And it is titled, New Jersey Supreme Court Rules Phone Passcodes Are Not Protected By 5th Amendment. What's going on here, Ben? 

Ben Yelin: So this is an issue we've talked about on this podcast and on the "Caveat" podcast. And there's really a large disagreement among courts in this country as to how to address it. So the Fifth Amendment says, basically, you can't be forced to testify against yourself. And that, we know, is the right against self-incrimination. That's why people say they're pleading the Fifth. They don't want to incriminate themselves. 

Ben Yelin: There are situations, such as the case identified here, where the government asks you to either decrypt your device or use your passcode to unlock your phone. And you, the user of that device, know that if you do that, there's going to be incriminating information and you are going to get arrested. So the question is whether the government can force you to enter that passcode - whether they can compel you to do that - or whether that would violate somebody's Fifth Amendment rights. 

Ben Yelin: Other courts across the country - including the Supreme Court of Indiana, I think, in a case that we discussed - have said that this is a Fifth Amendment violation, this does violate that right against self-incrimination. The New Jersey Supreme Court, along with a lot of other courts, have come up with a different conclusion, basically saying that because the discovery of the incriminating information is what they call a foregone conclusion, it is actually not protected by the Fifth Amendment. 

Ben Yelin: So what do they mean by foregone conclusion? Well, in this case, they know that the individual knows his passcode, and they know that the individual is aware of what is on his device. So in the view of the law, it is simply a matter of time before that device is going to be unlocked and accessible to government agents. 

Ben Yelin: To me, this seems like a legal fiction. I've always said that. I don't really understand or see the value in the foregone conclusion doctrine, but that's how - that's what courts have argued. That if you can prove that somebody knows their passcode, it's not incriminating in and of itself to simply enter a passcode. That's not something that's, you know, in and of itself revealing information. What happens to be on the cellular device, you know, that's the incriminating information. It's not the passcode itself. 

Dave Bittner: Would - is this the same as, like, in the real world, would they be - could they compel me to unlock my safe? 

Ben Yelin: So basically, there are a couple of things there. Basically, yes. The Fifth Amendment only applies to testimonial evidence. So it's evidence that's spoken. It's not something like standing in a police lineup, for example. Being forced to stand in a police lineup would not subject you to that Fifth Amendment protection. And in the majority of cases - you'd have to look at the exact circumstances - but forcing somebody to unlock a safe deposit? If you are convinced that that person has the key - that could be proven - or that they know the passcode to that safe deposit box, then the foregone conclusion doctrine would still apply. So it is something where we do have an, you know, relative agreement between the analog and the digital world. 

Ben Yelin: There are a couple of interesting unanswered questions here. You know, what do you do if you're - if law enforcement are not sure who owns a particular device? And could, you know, you perhaps be getting incriminating information on somebody else because, you know, your friend was borrowing your phone or something like that? So there's that question. What if somebody has a burner phone and, you know, it's not connected to their real name? They, you know, could make a plausible claim that it doesn't really belong to them, it belongs to somebody else. I think those questions remain unanswered by the logic in this case. 

Ben Yelin: And I think because we've seen disagreement among state courts on this, this is something I think eventually is going to make it up to the U.S. Supreme Court. Federal courts have had their own disagreements on compel decryption and entering pass codes in the context of the Fifth Amendment. And I think eventually, the Supreme Court is going to have to resolve these disagreements. 

Dave Bittner: Any speculation for how that might go? 

Ben Yelin: Oh, it is a fool's errand to try and speculate on Supreme Court jurisprudence... 

Dave Bittner: (Laughter). 

Ben Yelin: ...Especially in areas that aren't, you know, neatly politicized like this one. 

Dave Bittner: Yeah. 

Ben Yelin: But, you know, there are a couple of justices across ideologies who have recognized a person's privacy interests - enhanced privacy interests in a cell phone. So this case invokes Riley v. California, a 2014 case where the Supreme Court says the government needs a warrant to access your cell phone. So that, you know, this state Supreme Court ruling would seem to kind of go against the spirit of Riley, although here, you know, this is simply about putting - entering in one's passcode. It's not actually gaining access to the device. But, you know, I think perhaps Riley gives us an indication of how serious the Supreme Court takes digital devices and smartphones, and that those devices, because of the amount of information contained therein, perhaps merit advanced privacy protections in the Constitution. 

Dave Bittner: All right. Well, time will tell. We'll see how this continues to play out. It's interesting how it - how different it is depending on what part of the country you're in. We've seen so many different rulings on this. 

Ben Yelin: Yeah, it's really an unanswered question, and I hope we get some resolution in the near future. 

Dave Bittner: Yeah. All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Batteries not included. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.