The CyberWire Daily Podcast 7.22.16
Ep 147 | 7.22.16

Hacktivists hit Library of Congress, Stingrays and Security Clearances

Transcript

Dave Bittner: [00:00:03:17] Hacktivists return to DDoS. The Library of Congress is hit. AKP emails continue to receive scrutiny. A look at the jihadist tool box. Some quick takes on automotive cybersecurity, as the industry moves towards fully autonomous cars. Wassenaar and the DMCA still aren't getting much industry love, and we talk to the lawyers about security clearances and the constitutionality of stingrays, the cellphone intercept tools, not the fish; the fish are completely constitutional.

Dave Bittner: [00:00:35:00] Time to take a moment to tell you about our sponsor, Netsparker. Do you know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out false positives, save you money and improve security. Their approach is proof-based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it identifies in websites, and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad. Remember, if it's exploitable, then it is definitely not a false positive. Learn more at netsparker.com. But, wait, there's more, and we really do mean more. Go to netsparker.com/cyberwire for a free 30-day trial of Netsparker Desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. We thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:33:10] I'm Dave Bittner, in Baltimore, with your CyberWire summary and weekend review for Friday, July 22nd, 2016.

Dave Bittner: [00:01:41:12] Ransomware and Distributed Denial of Service have been the principal trends in cyber crime this year, and an Akamai study of the second suggests that criminals may be preparing long-duration campaigns. Technicians who can help enterprises mitigate DDoS attacks are in high demand, both by enterprises and by security service providers. In some cases, the denial of service attacks are done with a criminal objective, often extortion of businesses dependent upon reliable access to their sites. Other attacks are hacktivist in motivation.

Dave Bittner: [00:02:11:20] The US Library of Congress has acknowledged that it sustained one such DDoS attack that began Sunday. Turk Hack Team claimed responsibility on a message board, but that attribution is unconfirmed. Turk Hack Team is a patriotic hacktivist group. They've previously been active against Chinese sites in protest against the maltreatment of ethnic Turkic peoples they perceive in the People's Republic of China. The Library of Congress seems likely to be a simple high profile target of opportunity. The attack has been contained and is now under investigation.

Dave Bittner: [00:02:44:09] Observers continue to sift through the hacked AKP emails as the Turkish Government firmly reestablishes control over the country. The Pastebin dump, in which they were exposed, is accompanied by the hacker's explanation of his motives - sympathy with the frustrated aspirations of some groups within Turkey. Most agree that Phineas Fisher is indeed behind the hack.

Dave Bittner: [00:03:04:14] Flashpoint has released a report detailing the technical toolkits being used online by jihadists adhering to ISIS and its competitors. The report is interesting in the clarity of its recognition that ISIS is fundamentally, for now, engaged in information operations. While the study acknowledges that ISIS has expansive aspirations to extensive cyber attack capabilities, the jihadists' core requirement remains, "Consistent channels through which they can release propaganda." And that propaganda is fundamentally inspirational and persuasive. Flashpoint sees the jihadist technologies, therefore, as falling into these categories: secure browsers, virtual private networks and proxy services, protected email services, mobile security applications, encrypted messengers, and mobile propaganda applications. So, while ISIS's aspirations to a true offensive cyber capability cannot prudently be overlooked by the civilized world's security and intelligence services, for now, the Caliphate is more concerned with ensuring its ability to get its message out.

Dave Bittner: [00:04:08:23] Can you keep a secret? For many in the cybersecurity world, the answer is yes, and that ability is, for some, put to good use through a government security clearance. Tom Coale is an attorney with the law firm of Talkin & Oh, and we asked him to take us through some of the basics of getting cleared.

Tom Coale: [00:04:24:09] The government does an evaluation to decide whether or not, and this is the standard that they use, it is clearly consistent with the government interest to entrust an individual with the government's secrets. There are different classifications from literally just personnel information, Social Security numbers, and dates of birth, and things of that nature, to the highest level, which is top secret SCI. SCI is a mechanism by which the government separates apart different pieces of protected information amongst different groups, so that one person may know one bit of that information, another person may know another part, but rarely does one individual know all of the different aspects of a government program.

Dave Bittner: [00:05:13:14] So, if you find yourself up for a job where clearance is required, you begin with an application, which gets submitted to an agency for review.

Tom Coale: [00:05:20:15] There will be different levels of investigation. The slightest will be an interview with a government investigator. The most heightened level of clearance is a polygraph. Within that there are different levels of polygraph - full scope or a lifestyle. They often start, before they even hook you up to a machine, saying, "Tell me something that you are concerned about discussing with me today." That is when people normally just say all of their life secrets all at once, before they even get hooked up. Little do they know that once they are hooked up they're going to get follow up questions about everything that they just said.

Dave Bittner: [00:06:05:08] I asked Tom Coale to describe some of the most common disqualifiers he sees.

Tom Coale: [00:06:10:08] Let me start with the one that most people don't appreciate, and that is significant debt. Normally, if an individual has over $20,000 in delinquent debt, meaning over 90 days due, that will trigger a denial. That can be in a circumstance where a credit card is shared with a spouse, and they're not aware that they have this debt hanging out there. I won't say those are common, but they happen enough, and they are more often than not a surprise to the applicant when they happen. What also happens is a lot of people think that if they've ever used drugs, if they have any offense in their background, that they will disqualify themselves from a clearance. I can tell you that, more often than not, depending on the passage of time, past indiscretions will not disqualify someone from a clearance. Those people that tell themselves, "Oh, I could never have a clearance because I smoked pot in college," that is just not the case.

Tom Coale: [00:07:11:13] The cases that I most often see are those who have some repeat behavior, such as: DUIs, DWIs, drunk and disorderlies, or drug offenses. One thing you'll see over and over again is the phrase "pattern of behavior," because the government understands that we're all flawed, and we've all made mistakes in our past, and no clearance is likely to be denied for a one-off experience. But, if an individual shows a pattern of poor judgment, and a pattern of substance abuse, that it seems to indicate they're not even in control of their own lives, that is when the government's going to say, "You might be a perfectly fine individual, but we can't trust you with our secrets, because we don't know if, when you are inebriated or when you are exercising this pattern of bad judgment, that's going to then implicate the government's concerns."

Dave Bittner: [00:08:08:23] What about things like adultery?

Tom Coale: [00:08:11:02] Adultery actually does come up, but normally only comes up in two circumstances. One is if the adultery is committed while the individual is in the Armed Services. Adultery is not necessarily a criminal offense, although it is identified in the Military Justice Code - you can be written up and brought before a tribunal for adultery. The government's concern is not so much the adultery itself, but rather that you knew that this was a rule that you had to follow, and yet you breached it anyway. That is where the government's concern comes in. So, a tendency not to follow the rules.

Tom Coale: [00:08:51:18] The other circumstance where adultery may come into play is if the individual is susceptible to blackmail. The adultery itself, again, is not the concern, but if the individual, and I've seen this before, is making payments to someone to not disclose that adultery, or is under threat that that will be disclosed, particularly if they are living a lifestyle, they're prominent in their church, is an example, where that disclosure could have consequences outside of ruining their marriage. The government is very concerned about those instances, because, one, that is a common area of compromise to sort of trap someone in that way, and then have that information, and use that to extract information. Two, again, it goes back to that issue of judgment of, what did you do to get yourself into this circumstance, and why weren't you thinking better about that when you did it?

Dave Bittner: [00:09:49:21] Based on his experience, Mr. Coale offers some advice for making your way through the process.

Tom Coale: [00:09:55:07] I'd say the first thing is not to disqualify yourself. I think, unfortunately, so many people are just insecure about the process and concerned about being denied that they won't even begin the application process. The second most important piece of advice is to know yourself and to be truthful with yourself, in terms of your background. Because the more you understand about the areas of concern, and the more forthright, again, without disclosing too much, but the more forthright you are about past offenses, past troubles, the better off you're going to be later in the process, because the government investigator, at the very least, will say this person is telling me the absolute truth, to the extent that they know it. The worst scenario is when there's a surprise, because chances are, the applicant has not disclosed it. Chances are it's much more serious than the applicant had originally considered. And also, you have the shortest amount of time to mitigate against it.

Tom Coale: [00:10:52:13] If an applicant knows that they have a DUI, before they even submit the application, they can go into AA and complete abstinence from alcohol, and by the time it eventually gets to an area where the clearance is an issue, they can say, "Look, I've done this to mitigate the government's concern, even before my clearance was denied."

Dave Bittner: [00:11:12:02] That's Tom Coale, he's an attorney with the Maryland law firm of Talkin & Oh.

Dave Bittner: [00:11:20:20] It's time to thank our sponsor, E8 Security. You know the old perimeter approach to security no longer protects against today's rapidly shifting cyber threats - you've got to address the threats to your network once they're in your networks. E8 Security's behavioral intelligence platform enables you to do just that. Its self-learning security analytics give you early warning when your critical resources are being targeted. The E8 Security platform automatically prioritizes alerts, based on risk, and lets your security team uncover hidden attack patterns. To detect, hunt and respond, you need a clear view of the real risks in your business environment. That's what E8 gives you. Visit e8security.com/dhr and download the free white paper to learn more. E8, transforming security operations.

Dave Bittner: [00:12:10:24] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben had an interesting case recently in the US Southern District of New York about a stingray device. Important ruling here. Before we dig into that, explain to our audience, what are we talking about when we're talking about a stingray device?

Ben Yelin: [00:12:32:03] Stingrays are known as cell site simulators. What they do is they mimic cellphone towers and basically trick cellphones in the area to transmit identifying pings, so to speak, back to the devices. The consequence of this is that law enforcement are able to track a suspect's phone, even though the suspect is unaware that they're revealing location information. So, it's a very potentially important tool for law enforcement to get location identifying information, to use as evidence in criminal trials.

Dave Bittner: [00:13:07:10] What happened in this case in the Southern District of New York?

Ben Yelin: [00:13:12:15] A US District Judge, by the name of William Pauley, decided that the defendant's rights in this case were violated when the Drug Enforcement Administration, the US DEA, was able to use this device without a warrant. This judge, just for a little context, was the one that actually upheld the Bulk Phone Metadata Program as constitutional, a couple of years ago. So, it's significant that this judge would come to such a different conclusion in this case. He used the precedent of a case called Kyllo v. United States. In that case law enforcement used a thermal imaging device to figure out how much heat was being emitted from a suspect's home, to determine whether that suspect was using marijuana. The Supreme Court held, in that case, that because that technology was not widely available to the public, a person should have a reasonable expectation of privacy that it will not be used against them. And as we know from our previous discussions, that is the standard for whether there is a search under the Fourth Amendment - whether somebody's reasonable expectation of privacy has been violated.

Ben Yelin: [00:14:23:03] I think Judge Pauley just went on the same path here: this is a technology that is not widely available, the suspect would not know, or should not have known, that he would have been revealing identifying information about his location. In that sense, it violates the reasonable expectation of privacy and it's a search for Fourth Amendment purposes. Now, I should note that this just means that from now on law enforcement would have to get a warrant - it's not prohibiting stingray searches, but it does add a level of judicial oversight. Law enforcement will now have to go to a Magistrate and get a warrant for these devices.

Dave Bittner: [00:15:02:07] Is there a sense that they'll appeal? Is this something that we could see go to the Supreme Court?

Ben Yelin: [00:15:07:18] I think it's very possible. The Department of Justice has said that they're looking into appeals. I think this is an issue that's going to come up in other circuits. We've already seen it here in Maryland. The Maryland Appeals Court, in March, was the first appellate court to review evidence obtained using a stingray device, and was the first to suppress that evidence. This was a state appellate court, and the case here in New York was in the federal appellate courts. I think if we see disagreements among federal courts themselves and between state and federal Courts, this is definitely an issue that could make its way to the Supreme Court.

Dave Bittner: [00:15:45:08] Ben Yelin, thanks for joining us. We'll keep an eye on it.

Dave Bittner: [00:15:51:02] Time to thank our sponsor, VMware - the global leader in cloud infrastructure and business mobility. If you're a security software architect or engineer, you also know them as world leaders in virtualization. So, think about them as a career destination, especially now, because VMware is looking for experts to be part of an empowered and innovative security team that builds on VMware's industry leading virtualization technology, to deliver a new model of IT that combines flexibility and quick deployment with world class security. If you're a security professional looking for a career with an innovative industry leader, committed to making the networked world a place that's not only secure, but also easy to work in, then navigate on over to careers.vmware.com and see what you and VMware might have to offer one another. The visit will be worth your time. That's careers.vmware.com. We thank VMware for sponsoring our show.

Dave Bittner: [00:16:57:18] The CyberWire is covering the Billington Automotive Cyber Security Summit in Detroit today. We'll have a full report Monday, after the conference closes. But, for now, two interesting themes are the automotive industry's full-throated embrace of the white hat hacking community, and the FBI's direct promise to treat as victims companies whose networks or products are hacked. That promise goes surprisingly far. A Bureau speaker directly said that the FBI "would not provide opinion or commentary" to regulatory bodies.

Dave Bittner: [00:17:27:16] Concerns that going to law enforcement for help when you're hacked amounts to inviting nemeses into one's business have exerted a chilling effect on reporting of cyber crime. Today's sessions suggest that the Department of Justice wishes to go out of its way to bring companies in from the cold.

Dave Bittner: [00:17:43:17] Returning to the embrace of the white hats, the automotive industry also seems to have embraced those white hats in the form of crowdsourced bug hunting for bounties. How this gig economy form of penetration testing and vulnerability research will play out, in terms of ancillary issues, such as legal liability, remains to be worked out, but the industry as a whole seems set on the bug bounty road.

Dave Bittner: [00:18:06:04] Many of the sessions have been discussing the cybersecurity best practices, released yesterday by the Auto-ISAC. Its recommendations fall into seven categories: governance, risk assessment and management, security by design, threat detection and protection, incident response and recovery, training and awareness, and collaboration and engagement with appropriate third parties. Their implementation is likely to be flexible. Many speakers expressed satisfaction that the automobile industry evolved these best practices before it sustained a major successful cyber attack.

Dave Bittner: [00:18:39:16] Leaving Detroit, and that part of the internet of things that you can ride in, we turn to the portion that you live in - the smart home. The Tor Project has turned its attention to ways of helping secure the devices in smart homes by rendering them more anonymous, which is to say less accessible to the ministrations of attackers.

Dave Bittner: [00:18:58:06] Finally, some cyber regulatory systems still can't get much love from the security industry. Both the Wassenaar cyber arms control regime and the Digital Millennium Copyright Act, the DMCA, remain unpopular. Industry still isn't happy with how Wassenaar is shaping up. And the Electronic Frontier Foundation has initiated a court challenge to the DMCA. In both cases, people see a worrisome tendency to inhibit, if not criminalize, security research.

Dave Bittner: [00:19:29:02] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit thecyberwire.com. The CyberWire Podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend, everybody. Thanks for listening.