The CyberWire Daily Podcast 6.21.22
Ep 1603 | 6.21.22

Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia's hybrid war. A conviction in the Capital One hacking case.

Transcript

Dave Bittner: A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments; renewed warnings on the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall; DDoS in St. Petersburg. Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence & Space Division discussing the National Collegiate Cyber Defense Competition; and a conviction in the Capital One hacking case.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 21, 2022. 

Cyberattack suspected of causing false alarms in Israel.

Dave Bittner: Sirens used to warn Israelis of rocket attacks sounded a false alarm in Israel over the weekend. Haaretz reports that sirens sounded in Eilat and parts of Jerusalem Sunday night due to a cyberattack on local public address systems, in what is being investigated as a possible Iranian attack. Citing diplomatic sources, the Jerusalem Post emphasizes that the attribution is preliminary, and that the incident remains under investigation. Israel Hayom notes that some of the evidence of cyberattack remains circumstantial. The systems apparently compromised were civilian warning systems, not the presumably better protected military ones.

Risk surface assessments.

Dave Bittner: RiskRecon and Cyentia have published a report on risk surface assessment, finding that organizations that are cloud-first are 85% more likely to be a top performer in risk management. The researchers say, when we take a look at the cloud adoption rates of the top and bottom performers, we start to see some very clear separation. Every 10% increase in host cloud concentration results in a 2.5% increase in the probability of being a top performer. The researchers add that choosing to go majority cloud with one of the big three cloud providers - namely AWS, Azure or GCP - has inconsequential effects rather than being simply cloud-first. 

Fitness app's geolocation feature may be a privacy and security risk.

Dave Bittner: Computing reports that the fitness app Strava may constitute a risk to users' privacy and to operational security when those users are military service members. That risk may be an active threat. Computing writes, unidentified operatives have been exploiting a security weakness in the popular fitness tracking app Strava to track the movements of Israeli defense personnel, according to Israeli open source investigative group FakeReporter. This isn't the first time fitness trackers in general and Strava in particular have been flagged as a potential opsec problem. The U.S. Department of Defense expressed its concerns about Strava in January 2018.

Cyber options may grow more attractive to Russia as kinetic operations stall.

Dave Bittner: Russia's offensive in the Donbas continues its pattern of heavy bombardment from relatively static positions, The Wall Street Journal reports. But there's still considerable speculation that the cyber phase of the war may intensify if a decisive victory on the ground continues to elude Moscow. Reuters reports that U.S. Deputy Treasury Secretary Wally Adeyemo warned the Bank Policy Institute last week that the threat of Russian cyberattack remained high. The Treasury Department reiterated its commitment to intelligence sharing during a period of heightened threat. 

Dave Bittner: Tanium's Teddra Burgess argues in an essay published Friday by SC Media that Russia's war against Ukraine represents a template for future, broader cyber operations and other hybrid wars. She stresses the threat of both supply chain attacks and the disruption of critical infrastructure. She also argues that assessing that threat requires an understanding of the role criminal groups play in a hybrid war. She says, these most recent developments point to a concerning trend because of the escalation and atypical behavior displayed by established hacker groups. There's potentially a power struggle in play after Russia's invasion of Ukraine. This might explain the change in extortion patterns in an attempt to accumulate larger amounts of ill-gotten gain. As a result, we can expect to see this activity at the very least continue as we work to keep pace with the evolving attack surface. 

Dave Bittner: Whatever course the present war takes, The Hill cites a range of cybersecurity experts who think one lesson of the war is already clear. Cyber operations have become a routine part of combat, as much to be expected, we would add, as electronic warfare came to be in the 20th century. The Hill's essay is also striking for the way in which it presents influence operations as a prominent and routine part of belligerents' larger cyber campaigns. 

Dave Bittner: Mr. Putin's keynote address before the St. Petersburg International Economic Forum took, as its theme, optimism founded on the historic record and destiny of the Russian people. The view he expressed was that the present difficult time comes from the doomed American attempt to maintain a unipolar world under its own direction after declaring victory in the Cold War. In summary, here's his view of the world's situation - this is the nature of the current round of Russophobia in the West and the insane sanctions against Russia. They are crazy and, I would say, thoughtless. They are unprecedented in the number of them or the pace the West churns them out at.

DDoS in St. Petersburg.

Dave Bittner: Friday's proceedings at the St. Petersburg International Economic Forum were delayed for about an hour and a half, Reuters reports, by a distributed denial-of-service attack. The now familiar Kremlin spokesman, Dmitry Peskov, put the delay down to a cyberattack that began on Thursday and affected the conference's admissions and accreditation systems, but he offered no attribution. Others, of course, speculate that the DDoS attack was organized by actors operating in the Ukrainian interest, if not under the actual direction of Ukrainian services. 

A conviction in the Capital One hacking case.

Dave Bittner: And finally, Paige Thompson, formerly an engineer with Amazon, was found guilty on Friday, the U.S. Justice Department said, of wire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. The department added that the jury found her not guilty of access device fraud and aggravated identity theft. The New York Times reports that, in 2019, Thompson was responsible for gaining access to the data of more than 100 million Capital One banking customers. The Justice Department explained how the prosecution went. They said, using Thompson's own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services' accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One Bank. With some of her illegal access, she planted cryptocurrency mining software on new servers, with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme and bragged about her illegal conduct to others via text or online forums. 

Dave Bittner: Thompson's defense team argued, in effect, that their client was acting as a white hat hacker, a good faith bug hunter, finding vulnerabilities with the intention of disclosing them to the organizations affected. The prosecutors weren't buying it and didn't see this case as one in which a legitimate vulnerability researcher had inadvertently run afoul of the Computer Fraud and Abuse Act, whose use against such researchers is now regarded as an improper expansion of the law's intent. The jury didn't buy it either. Thompson used the online handle Erratic, and the story is a sad one, SecurityWeek summarizes. In interviews with the Associated Press following her arrest, friends and associates described Thompson as a skilled programmer and software architect whose career and behavior - oversharing in chat groups, frequent profanity, expressions of gender identity distress and emotional ups and downs - mirrored her online handle. At one point, two former roommates obtained a protection order against her, saying she had been stalking and harassing them.

Dave Bittner: Thompson joined Amazon in 2015 to work at Amazon Web Services, a division that hosted the Capital One data she accessed. She left that job the next year. Some friends said they believe the unemployed Thompson, destitute and, by her own account, grappling with serious depression, believed the hack could bring her attention, respect and a new job. Thompson is scheduled to be sentenced in September. The Justice Department says wire fraud is punishable by up to 20 years in prison. Illegally accessing a protected computer and damaging a protected computer are punishable by up to five years in prison. They note that the sentence imposed will be up to the judge.

Dave Bittner: Jon Check is from Raytheon's Intelligence & Space Division, who are major sponsors of the National Collegiate Cyber Defense Competition. I spoke with Jon Check about the competition and why he and his colleagues at Raytheon believe it's a project worth supporting. 

Jon Check: The CCDC holds eight different regional competitions with schools that are assigned to a region, and they participate in a regional championship. There's also an at-large school as well as a wild-card school, which gets in based on schools that placed second place within their regional, then go through a wild-card round to get in as well. So it's a - it's quite a long event that culminates in the final competition, which is the national competition.

Dave Bittner: Well, let's go to that final competition here. Can you give us a little description of what the contestants faced? 

Jon Check: Happy to. So the competition, really - they create a fictional real-world scenario, if that makes sense. So this year, the students were defending a gaming company that was traditionally a brick-and-mortar company that had an online presence. They got into some online games that they were selling. And so within that, the students really need to maintain all the typical services of a company - so the web presence, the financial presence, the e-commerce sites, the email for the corporation, the help desk and call-in areas for people that need support. And you have - and so they're the blue team. And then the red team, which is the ethical hacking team, tries to knock those services offline periodically. And the students really work to maintain that business resilience while they're being attacked by the red team hackers. 

Dave Bittner: So how did the competition go, and which team eventually came out on top? 

Jon Check: The competition is really - it's really a great competition. So first, I would say it went really well. The students - I mean, this competition has been happening for a while. So over time, the competition has escalated, right? The students have learned, as well as the red teamers have learned, how to anticipate certain attacks or defend against those attacks. So it's constantly evolving on both sides - on the defensive side and on the offensive side. And so it's really - the teams that do really well have participated for quite a few years and understand the different scenarios, as well as the techniques, tactics and protocols that the offensive side uses to protect the students' networks. So this year, the champion was the University of Central Florida, and they've won the championship five times out of the 17 years, and they were the runner-up three other times. So they - that's a team that has a history, right? They practice very hard. They understand what's happened year over year and pass that knowledge down to the teams. And they actually have team members that were formerly on the team come in to practice with the team during the year - for former students to come back and help them prepare for the year's competition. So it's really quite a great tradition they have there and really take it very seriously and put in the hours, which is what it takes - practice - to be as good as they are. 

Dave Bittner: Yeah. I was going to ask you, I mean, what is the winning formula for a team like University of Central Florida? Is it putting together the right variety of folks on the team? Is it institutional knowledge? What seems to work for them? 

Jon Check: I'd say that if I had to put it to one thing, it's that the team can communicate well. Cybersecurity is a team sport. And when you've seen the University of Central Florida in the thick of battle in one of these competitions, they're communicating very well. Each of the team members knows exactly what their role is, and they - nobody's panicking. Everybody understands what to do. They - it's really their preparedness. They know what to do. They've practiced. Everyone understands what their role and responsibilities are. And it just - it really works extremely well for them. And then you layer on to that, of course, the history they have and the institutional knowledge they've built up through these competitions. It really makes a very strong team - a very powerful formula for success. 

Dave Bittner: Why are competitions like this important? What are they contributing to the overall cybersecurity community? 

Jon Check: The No. 1 thing and what this competition really highlights - and you don't see this in all competitions - but when you have someone else actively working against you - like the red team are actively working to take the students' networks offline, degrade the services and really impact their ability to defend - the learning - you can't just gain that anywhere. You learn it by doing. And in cybersecurity, you absolutely need the framework and understanding of how cyber works and the traditional learning side. But having another team actively working against you, that really brings out some skills that you may not have had or some things that you might not have contemplated when you're doing more of a theoretical exercise versus a live-fire type exercise. 

Dave Bittner: And how about for Raytheon? You know, for you and your colleagues there who put in both financial support but also all of the time and energy that you all put in, why is it worthwhile for all of you? 

Jon Check: Well, for me, it really comes down to, we're under constant attack. And I want to make sure that - you know, as Raytheon, we have a responsibility to do our part in cybersecurity. What that means is ensuring that we're building and helping build a cyber workforce that protects all of us. I mean, over the course of years since we've been involved, we've hired over 100 people from the competition. But I'd like to think that we have really helped thousands learn skills and really increase their cyber proficiency, as well as maybe convince other people to join the cyber community to help defend our way of life. And so for me, it's really more than just the typical, are we going to be able to hire people out of this group? It's, what are we doing to ensure the entire community gets raised by having competitions like the CCDC that help protect our way of life and build that next generation of cybersecurity professionals?

Dave Bittner: That's Jon Check from Raytheon's Intelligence & Space Division. 

Dave Bittner: And joining me once again is Ben Yelin. He's from the University of Maryland's Center for Health and Homeland Security and also my co-host over on the "Caveat" podcast. Hello, Ben. 

Ben Yelin: Hey, Dave, how are you? 

Dave Bittner: Good, good, good. Interesting story from Joseph Cox. This is over on the Motherboard website, and it's titled "Sweeping Legislation Aims to Ban the Sale of Location Data." Caught my eye here, Ben. What's going on? 

Ben Yelin: So Motherboard and Joseph Cox himself reported a couple of months ago multiple instances in which companies were selling location data of people who had visited abortion clinics. 

Dave Bittner: Right. 

Ben Yelin: And this came in the wake of the draft opinion that was leaked overturning Roe v. Wade. So it was very - I think it resonated with a lot of people because we face this future where abortion is going to be illegal in many states in this country. 

Dave Bittner: Yeah. 

Ben Yelin: And some of these companies were making subsets of this data freely available. And they're not just selling it to data brokers. They are, but sometimes they're selling it to purchasers that include law enforcement, local, state law enforcement agencies. And there's a real fear that people's private information could be given to these agencies and it could be used to justify arrests and prosecutions. So with that in mind, there is a proposal coming out of the United States Senate called the Health and Location Data Protection Act, which would outlaw the sale of location data harvested from smartphones. 

Ben Yelin: This is a blanket ban on the sale of location data. It does not just apply in the abortion context. It applies to any sale of location data to a private broker. Part of the impetus of this is there's kind of this loophole that if a law enforcement agency, federal or state, purchases data, then they don't have to obtain a warrant to search that data. 

Dave Bittner: Right. 

Ben Yelin: Whereas if they had not purchased it, they have to go through the traditional warrant process to get it approved by a judge. 

Dave Bittner: And who has time for that? 

Ben Yelin: Ain't nobody got time for that. 

Dave Bittner: (Laughter). 

Ben Yelin: So I think that has motivated legislators, including the lead co-sponsor or the lead sponsor here, Senator Elizabeth Warren, to introduce this bill. That is the major thing this bill does. It also does other things, gives a bunch of enforcement powers to the Federal Trade Commission. There's an allegation that they've been under-resourced over the past several years in rooting out these abusive trade practices. And it also gives individual users a cause of action to sue in state or federal court these data brokers, to assert their right to - their right to private information. So it would be granting millions of potential users the right to sue these big companies. It would be a brand-new cause of action. 

Ben Yelin: There are some exceptions in the bill. So activities that are compliant under HIPAA, for example, things where - and I can't really think of a good example of this, but things where if the information was not sold, there might be a violation of First Amendment rights. And then things like national security, those are built in as exceptions, but it's a very broad piece of legislation. 

Dave Bittner: What do you think its chances are (laughter)? 

Ben Yelin: Not good, Bob, not great, Bob. 

Dave Bittner: OK, as if he asks rhetorically. 

Ben Yelin: Yeah. So I get why these legislators are trying to do this in the wake of the draft Roe v. Wade - the draft opinion in Dobbs, which would overturn the Roe v. Wade decision. 

Dave Bittner: Yeah. 

Ben Yelin: I think that - there is sort of this political groundswell to protect people who are going to live in the states where abortion is outlawed. What they are doing is introducing the most controversial issue in politics into a debate about data location - the sale of location. And that's - might be the poison pill that kills it. You have a very closely divided House, where it, potentially, could pass, and then you have a 50-50 Senate where, to get anything passed that's not some sort of budget bill, you need 60 votes. And if this is motivated by the desire to protect people seeking abortion care, that's very unlikely to obtain 10 Republican votes. 

Ben Yelin: I will say that there are other efforts to constrain the governments - or the ability of these companies to sell location data that have a better chance of succeeding, including Senator Wyden's bill, which would simply require a warrant for any government agency to access data that was purchased by one of these companies. That sounds... 

Dave Bittner: Take away that end-around. 

Ben Yelin: Exactly. 

Dave Bittner: Yeah. 

Ben Yelin: That stands a better chance of passage. I think that has more widespread bipartisan support, and it's not closely interlocked with such a divisive issue. But I would - I don't see this Senator Warren legislation advancing in the near term, even though it is extremely relevant. 

Dave Bittner: Do you think we're headed towards a time when we get bipartisan agreement that enough is enough with this stuff? 

Ben Yelin: Yes, I do. But I just don't know exactly what form that is going to take. I don't know if there is - I think there is bipartisan concern, based on our experience in the past several years, that something is foul about data brokers purchasing this very private location data and selling it to private sector entities but also law enforcement. I think there's widespread concern that that's happening. 

Dave Bittner: Right. 

Ben Yelin: I don't know if there's widespread consensus that there needs to be a blanket ban on the purchase of location data. And the lobbyists haven't weighed in here. I mean, if we - yeah - if we had a realistic effort to constrain those purchases, we'd start to see advertisements. We'd start to see lobbying campaigns saying things that your consumers enjoy, things that they take for granted, would go away if we weren't able to sell this very valuable data. So I just - I don't know that we've seen the full contours of this debate play out, and I don't think we will until there is a credible threat that this type of legislation is actually going to pass. 

Dave Bittner: Yeah. All right. Well, it's an interesting step along the way. I suppose it's a little discouraging that these things have a hard time getting better traction, but such is the way of things right now. 

Ben Yelin: Yeah, it sure is. Yeah. Getting any legislation is hard to pass, but certainly something where you have this controversial element to it makes things that much more difficult. 

Dave Bittner: All right. Well, Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.