The CyberWire Daily Podcast 6.15.21
Ep 1354 | 6.15.21

Disruption of a major BEC campaign. Scope of cyberespionage expands in Pulse Secure exploitation. What the Hades? Russo-US summitry. A more secure workforce. Reality Winner is out, sort of.


Dave Bittner: Microsoft disrupts a major BEC campaign. The scope of cyber-espionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed. Secureworks offers an account of Hades ransomware and differs with others on attribution. Final notes during the run-up to tomorrow’s U.S.-Russia summit, where cyber will figure prominently. Helping employees stay secure. Carole Theriault wonders if the Internet of Things is becoming the internet of everything. Ben Yelin weighs in on the Supreme Court’s ruling affecting the Computer Fraud and Abuse Act. And Reality Winner has been released to a halfway house.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Tuesday, June 15, 2021. 

Dave Bittner: Microsoft said yesterday it had disrupted a major criminal enterprise that exploited multicloud infrastructure to deploy automated tools that staged a very large business email compromise scheme at scale. 

Dave Bittner: The sophistication of the campaign suggests the quality of talent and other resources criminal gangs are able to bring to bear against their targets. 

Dave Bittner: The AP, building on work Group-IB issued late last week, reports that Chinese exploitation of Pulse Connect Secure - patched some time ago - was more extensive than previously believed. It remains unclear what data was extracted in the course of the attacks, but it was clearly an extensive and ambitious cyber-espionage campaign. 

Dave Bittner: Secureworks describes the tactics of the Hades ransomware operators in a report out this morning. The researchers call the threat actor Gold Winter, and they say the gang appears to be financially motivated. It's a big game hunter that finds and pursues high-value targets, notably in the North American manufacturing sector. 

Dave Bittner: Secureworks says its findings don't support others' conclusion that Hades is being run by the Chinese state-sponsored actor Microsoft calls Hafnium, best known for its exploitation of vulnerable Exchange servers. Secureworks also disputes attribution of Hades to the Gold Drake gang. While Hades and WastedLocker share some similar code, Secureworks believes they're run by distinct threat actors. 

Dave Bittner: Lindy Cameron, head of GCHQ’s National Cyber Security Centre, sees criminal gangs and not attacks run directly by states as the threat most Britons will face in cyberspace. She sees coordinated, cooperative defense as the proper direction security should take. 

Dave Bittner: But states are far from innocent. Criminal gangs, Cameron explains, typically operate from overseas jurisdictions who turn a blind eye or otherwise fail to act to pursue these groups. The principal overseas jurisdiction that enables cybercrime is Russia. Quote, "These criminals don't exist in a vacuum. They are often enabled and facilitated by states acting with impunity," end quote. 

Dave Bittner: The NCSC’s Cameron obviously has Russia in mind as the most prominent of the blind eyes and facilitators of cybercrime, and that’s the view U.S. President Biden will take with him to Geneva when he meets his Russian counterpart for their summit. 

Dave Bittner: President Putin has dismissed U.S. accusations of Russian misbehavior in cyberspace. Putin said in an interview with NBC News, quote, "Where is the evidence? Where is the evidence? It’s becoming a farce. We have been accused of all sorts of crimes, including election interference and cyberattacks. We have never created any kind of evidence or evidence of any kind, only accusations," end quote. 

Dave Bittner: Mr. Putin says he doesn’t remember Mr. Biden’s calling him soulless, so the talks have got that much going for them. The best hope that an essay in Foreign Policy can hold out is a cold peace, which, all things considered, wouldn’t be too bad. 

Dave Bittner: Dmitri Alperovitch, who as chairman of the Silverado Policy Accelerator, a seat on Dragos's board and his record as former CTO of CrowdStrike, has an extensive background in cybersecurity, and Matthew Rojansky, director of the Wilson Center's Kennan Institute, draw three lessons from what they see as President Biden's two predecessors' failures to negotiate successfully with President Putin. Quote, "the first is that the U.S. needs a narrow set of objectives on which progress is at least possible, if not assured. Next, Biden should deliver American demands without the finger-wagging and chest-thumping that has sometimes accompanied past U.S.-Russia negotiations. And finally, Biden should lay out the consequences of future Russian malign actions in clear and convincing terms." In short, to deter Russian state cyberattacks and state-enabled privateering, develop an effective and damaging countervalue strategy and pursue it without public humiliation. We're reminded of Teddy Roosevelt, who was never very good at living up to his maxim, who would have called the advice, walk softly and carry a big stick. But the countervalue thinking needs to be serious in identifying what will actually hurt. Big stick is not to be confused with big schtick, which has been a perennial temptation of American public action since the days of Yankee Doodle. 

Dave Bittner: Tessian has studied the effects protracted remote work has had on labor forces generally, and the security company concludes that, on balance, people have picked up more bad habits than good over the course of the current pandemic. For one thing, more than half the IT leaders surveyed worried that returning staff will bring into the workplace infected devices and the malware that infests them. Tessian says "their apprehension is founded. Forty percent of employees say they plan to work from personal devices in the office," end quote. How much this is the employees' fault as opposed to being traceable to company policies is of course an open question. But it does seem clear that securing a network from the possible risks of personal devices is one of the practical challenges any enterprise will face. 

Dave Bittner: More troubling in some respects may be the finding that more than a quarter of employees surveyed say they've failed to report cybersecurity mistakes because they feared either disciplinary action or what's all too often comparably punitive - remedial security training. Only half of employees bother to report receipt of a phishing email, even when they actually click on it. So developing HR and training practices that help rather than hurt would seem to be another one of the practical challenges organizations face. 

Dave Bittner: And finally, Reality Winner, a former U.S. Air Force translator who worked as an NSA contractor in 2018, received a five-year prison sentence after taking a guilty plea to one count of transmitting national security information. She's now been transferred from prison to home confinement at a halfway house. Ms. Winner smuggled a classified document from her Augusta, Ga., NSA workplace and released it to a media outlet generally believed to have been the intercept. The stolen document detailed Russian government efforts to penetrate a Florida-based supplier of voting software and the accounts of election officials ahead of the 2016 presidential election, the AP said in its report yesterday. 

Dave Bittner: Try to think back to the first time you heard the term internet of things. Got it? Remember the virtual gold rush to try to be first to market, hosing up everything with a power supply to the internet with security as an afterthought, if it was considered at all? To paraphrase author Douglas Adams, this has made a lot of people very angry and been widely regarded as a bad move. Commentator Carole Theriault shares her thoughts on where we find ourselves when it comes to IoT and highlights an organization doing their best to make things better. 

Carole Theriault: The internet of things is moving ever closer to an internet of everything, and we've already heard of a glut of scare stories surrounding emerging IoT tech. They tend to be about nanny cams being hijacked by grunts who want to frighten children or cars and fridges being taken control of remotely by researchers. IoT horror stories can also include less visible dangers, like the Mirai botnet, which infected possibly millions of IoT devices, most of them cameras and routers, and use their collective power to launch massive DDoS attacks. Companies with long expertise in building everything from light bulbs and fridges to cars and railway systems suddenly found themselves also in the networking and software business. And perhaps inevitably, far too many focused first on getting things to connect and only later tacking on security provisions when hijacks, data leaks and other fails embarrass them into action. 

Carole Theriault: As the field reaches a more mature stage, however, there is finally more focus on getting the security right as a basic rather than as an extra. One group pushing hard in this direction is the ioXt Alliance - tagline internet of secure things. Since it was founded in 2019, the group has built an impressive roster of members, including giants like Amazon, Google and a number of VPN firms. Now, the ioXt Alliance focuses on eight key areas in their pledge. These include concepts familiar to most in the security world, such as using only unique passwords, properly proven cryptographic methods, properly signed software, transparent vulnerability reporting and automatic and timely updating. 

Carole Theriault: Its certification program for hardware has covered everything from switching equipment and air conditioners to smartphones and routers. And of course, there are fridges and light bulbs in the mix, too. The thing is, putting an end to unreliable products pushed out by cowboy outfits or indeed by well-intentioned amateur producers should benefit each and every one of us, be we in an office environment or fighting with a home assistant. Alexa, I said volume down. 

Carole Theriault: As the internet and the physical world become more closely intertwined, we need groups like this to help build out the structures on which our lives will depend even more. Our takeaway here is keep a sharp eye on the IoT stuff in your environment, be at your home or your office. And the simplest approach might be the best. If you weren't monitoring it or using it, take it offline. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, but also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: You know, for law and policy nerds like yourself, it's been a very exciting week. The Supreme Court came down with a decision on the Van Buren case. Can you unpack it for us? What's the brief history, and what does it mean? 

Ben Yelin: Yes, I was waiting with bated breath for this decision. It was argued last November, and we waited until very recently to get a decision. So this decision concerned the Computer Fraud and Abuse Act, which is a federal statute. It's an anti-hacking statute. It really has two provisions. One basically says you can't hack into somebody's computer or network without authorization. And this other, more ambiguous provision says even if you have access to something, you cannot exceed that authorized access. And this case concerned what the law meant by exceeding authorized access. 

Ben Yelin: It concerned this guy in Georgia named Van Buren, who was a law enforcement official. He had access to this license plate database. He was allowed to look at it as part of his law enforcement work. But somebody who turned out to be an undercover cop tried to get him to search an individual in this database for non-law enforcement purposes. He was paid to do this by this undercover law enforcement agent, was caught and charged. Mr. Van Buren argued that the Computer Fraud and Abuse Act should only apply where somebody goes into an area of a network or a computer where they're not supposed to be. So exceeding authorized access means going to a folder that you don't have access to or going to a file that you're not allowed to view - either it's password protected, for example, or it's very explicit in your company's policies. 

Dave Bittner: Right. 

Ben Yelin: What the government was arguing is that the Computer Fraud and Abuse Act should have a broader meaning. It should mean that if you are using anything, some document or database, for a purpose that goes beyond the authorization given to you by your employer, for example, that in and of itself should be a violation of the Computer Fraud and Abuse Act. 

Ben Yelin: The Supreme Court sided with Van Buren. It was a 6 to 3 decision written by the court's newest justice, Justice Amy Coney Barrett. She said - and I won't get too much into legalese here - but if she looked at the textual history and the context of the law, that it was meant to apply in these narrow circumstances where somebody has access to a computer or a network and they go to a file or a folder where they're not supposed to be. It's what she calls a gate-up, gate-down approach. The determining factor is, are you allowed to view this document? Are you allowed to be in this folder? 

Ben Yelin: What the court didn't clarify is whether that, you know, is a code-based approach where - were you not allowed to view this folder because it was password protected, encrypted, et cetera, or is it simply based on your company or organization's own policies? That was left unresolved in this case. 

Ben Yelin: So the dissent, which was written by Justice Thomas and joined by Justice Alito and Chief Justice Roberts, said that the court should have had this more broad definition, that courts should be able to look at the purpose of somebody using a database that they were otherwise authorized to use. 

Ben Yelin: So, you know, I think most privacy - digital privacy advocates are very pleased with this decision. It means that we're not going to have criminal liability for a bunch of things that all of us do all the time. You can see that if this decision went the other way, you know, if our employer told us we can't use Facebook on our work computers, if the dissent's interpretation had been adopted, that would expose us to criminal liability because we would have exceeded our authorized access to that computer. But because the court came down the way that it did, we're not going to be left in a situation where we're all overly exposed to criminal liability here. 

Dave Bittner: Now, from a practical point of view going forward, does this mean that we're likely to see prosecutors limit the range of things that they'll go after folks using the Computer Fraud and Abuse Act? 

Ben Yelin: Yeah, they're going to have to. I mean, we're not going to see the scenarios where, you know, law enforcement is going to throw the book at individuals. And there have been high-profile incidents in the past for exceeding their authorized access, using databases - you know, academic databases that they've already had access to for some sort of illegitimate purpose - you know, maybe exposing something in a company's own database as part of a journalistic investigation or something like that. 

Dave Bittner: Right. 

Ben Yelin: Prosecutors are no longer going to be able to use the Computer Fraud and Abuse Act as a jackhammer unless it is one of those limited types of circumstances where that person has access to a file or a folder or anything that they are not allowed to access. So we really do have this dividing line - gate up, gate down. If you are authorized to be in a database, any part of that database, any part of a computer, any part of a network, the government doesn't have the authority to prosecute you based on your purpose of using that database or network. And that's really a profound decision that's going to have a huge impact on litigation under the Computer Fraud and Abuse Act. 

Dave Bittner: Do you suppose this could also point to the need for the Computer Fraud and Abuse Act to get an update? I mean, could Congress step in here and say, hey; this is a law from the '80s; things have changed; it's time for us to - we've learned a lot since then? 

Ben Yelin: Yes. It's been over 35 years since the Computer Fraud and Abuse Act took its current form. So certainly Congress could have stepped in and clarified this provision. They could have properly defined what exceeds authorized access means, and they still could do that. If they are not happy with this decision, they could clarify in a federal statute that exceeds authorized access does relate to, you know, somebody going into an access - to a database that they already have access to and using it for illegitimate purposes. I don't think Congress would do that at this point. You know, I don't think they would see a need to, and I think it would be a very difficult task politically. 

Dave Bittner: Right. 

Ben Yelin: But certainly that's an option that Congress has. And I think it shows that, you know, if Congress doesn't go in and revisit these laws that were enacted prior to the digital age, you know, they really should go back and try to clarify those before it makes its way through the court system. I mean, it would be better for public policy if Congress could have hearings, could consider changing these definitions, and it wouldn't be up to nine people in robes trying to parse the definition of the word so, which is exactly what happened in this decision... 

Dave Bittner: Right, right. 

Ben Yelin: ...If you read it closely. 

Dave Bittner: Right, right. All right. Well, thank you for explaining it. Ben Yelin, always a pleasure. 

Ben Yelin: Always a pleasure, Dave. Thanks. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.