Terror attack in Iran prompts info skirmishing, and perhaps worse to come. JET bug disclosed. ANSSI open-sources OS. Anglo-American response to Russian cyber ops. Russian elections. Scam notes.
Dave Bittner: [00:00:00] Hey, everybody - Dave here. I just want to send out a quick thank you to everybody who recommended our show to friends and co-workers. It worked. We saw a big spike in our download numbers last week, and that spike seems to be sticking. So thanks again for doing that. And it's not too late if you haven't already. We do appreciate you spreading the word to your friends and co-workers about our show. It really is one of the best ways you can help support the CyberWire.
Dave Bittner: [00:00:26] A terror attack in Iran heightens tensions among adversaries. Expect a heightened cyber optempo. A JET vulnerability in Microsoft products is publicly disclosed as Microsoft misses the Zero Day Initiative's 120-day deadline. France will open-source its secure operating system. U.K. and U.S. attitudes continue to stiffen towards Russia in cyberspace. Russian elections are surprising by Russian standards. And some notes on some current scams.
Dave Bittner: [00:01:02] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts and unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:02:08] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 24, 2018. Saturday's terrorist attack on a military parade in the Iranian city of Ahvaz killed at least 29 - 12 members of the Revolutionary Guard and 17 civilian spectators, including children and the elderly. Ahvaz is in Khuzestan, a province on the Iraqi border with a large ethnic Arab population. That Arab population is to a significant extent Sunni, which is a source of religious difference with the Shiite Islamic Republic.
Dave Bittner: [00:02:44] Responsibility for the murders has, according to various reports, been claimed by several groups, including ISIS and the Ahvaz National Resistance, which is an Arab opposition group that operates a television station from its expatriate perch in London. ISIS has distributed video through its mock news outlet that purports to show the attackers. But there have been no reports of any of the attackers, some of whom are thought to have been taken alive by Iranian authorities, claiming allegiance to ISIS.
Dave Bittner: [00:03:15] Tehran attributes the attack to the separatist Patriotic Arab Democratic Movement in Ahwaz, which on its website has denied any involvement in the attacks. But the Islamic Republic places ultimate blame on the U.S., U.K. and the Arab Gulf states, especially Saudi Arabia, whom Tehran considers U.S. and U.K. clients. The U.S. has dismissed all Iranian claims of involvement.
Dave Bittner: [00:03:40] Tensions have been high in any case over renewed U.S. economic sanctions, suspicion of Iran's nuclear and missile programs, the ongoing civil war in Syria and increased Iranian involvement in offensive cyber operations. Iran has promised vengeance for the terror attack. And it's received expressions of support from such sympathetic parties as the Assad regime in Syria and the Hezbollah. Renewed cyber conflict and at a heightened operational tempo may be expected.
Dave Bittner: [00:04:10] The Zero Day Initiative at the end of last week reported a vulnerability in the Microsoft JET database engine. It's said to affect all versions of Windows. Trend Micro, which discovered the issue, disclosed it to Microsoft. The Zero Day Initiative has gone public with the disclosure because 120 days have elapsed since Redmond was notified. The vulnerability, according to the Zero Day Initiative, is an out-of-bounds right issue that could be used to, quote, "execute code under the context of the current process," end quote. Exploitation would require user interaction. You'd have to open a malicious file. The JET database engine is bundled with Windows. Several Microsoft products use it, among them Microsoft Office. The Register says that 0patch has promised to offer its own fix. 0patch has been tweeting about the vulnerability. There's no patch yet from Microsoft. Many hope to see one on October's Patch Tuesday. It's believed Redmond is working on one.
Dave Bittner: [00:05:10] ANSSI, France's national information security agency, is asking outsiders to contribute to the development of CLIP OS, ANSSI's sees Linux-based security-optimized operating system. The decision to open-source an operating system intended to be secure by design is interesting and will bear watching. Tough talk about Russian cyber operations and the prospect of Western retaliation has been emerging from both the U.S. and the U.K. The recently published U.S. cyber strategy continues to receive both high marks from observers and press headlines, like SecurityWeek's "U.S. Takes Off the Gloves in Global Cyber Wars" or Foreign Policy's "Trump Has a New Weapon to Cause the Cyber Mayhem." It's not quite unleash the kraken, but the strategy is an assertive evolution of past U.S. policy.
Dave Bittner: [00:06:03] In the U.K., the Telegraph reports that former MI5 director general Dame Stella Rimington told a conference that Britain should respond to Russia by meeting aggression with a certain degree of aggression. Rimington led MI5, the domestic counterintelligence service, from 1992 to '96.
Dave Bittner: [00:06:24] Russian regional elections appear not to have gone entirely as Moscow would have wished. The contests in the country's 85 regions are not usually expected to turn up results other than those the Kremlin desires. In this case, several of the elections were more hotly contested than is normal. Two incumbent regional governors lost, by which Russian standards is surprising, to say the least.
Dave Bittner: [00:06:48] The outcome is thought by Radio Free Europe/Radio Liberty and others to have been sparked by widespread dissatisfaction with recent revisions to the national pension system that would have required workers to delay retirement. Thus, pensions would appear to be a third rail of Russian politics as Social Security is said to be the third rail of American politics.
Dave Bittner: [00:07:10] It should go without saying, but unfortunately it does not, that U.S. federal tax investigation or law enforcement organizations will not telephone to ask you to pay a fine with your credit card, which they'll be happy to take on the spot for your convenience. The U.S. Marshals Service is warning that just such a scam is pestering residents of the aptly named city of Marshall, Texas. Someone is calling people up and telling them they've failed to report for jury duty and that they face either a fine or jail time. Of course, you should report for jury duty. It's just good citizenship. But this call is bogus. Ignore it, and don't give the caller your credit card number.
Dave Bittner: [00:07:51] Finally, what's the hot commodity these days in dark web markets? Stolen frequent flyer miles, that's what. Please don't be a buyer.
Dave Bittner: [00:08:05] Now, a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:09:15] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. We had an interesting article come by. This was from Ars Technica. Cyrus Farivar, who've - who's been a guest on our show before, he wrote this article. (Laughter) The title is "Cheese Danish Shipping, Warrantless GPS Trackers and a Border Doctrine Challenge." What's going on here?
Ben Yelin: [00:09:39] I could not write a drama with a storyline this compelling.
Dave Bittner: [00:09:42] (Laughter).
Ben Yelin: [00:09:43] And I don't think any of our best writers could do so. So basically, the FBI started investigating a suspected drug trafficker and was following this tracker's vehicle when they crossed the border, the border in southern California, the Mexican border, in 2016. And the smugglers were using the shield of a Starbucks vehicle, claiming that they were shipping cheese danishes to Starbucks locations throughout Southern California. In fact, this was a drug-smuggling operation. The FBI, based on investigative work they had done, suspected that it was a drug-smuggling operation.
Ben Yelin: [00:10:24] So they attached a GPS device, physically attached it to this vehicle, and realized what was going on and initiated a prosecution for drug trafficking. And a judge recently held in this case that the attachment of a GPS device without a warrant is unconstitutional. And it's an interesting case because there are sort of two competing legal concepts here. On the one side, the Supreme Court has held that you generally do not need a warrant to conduct searches at the border. That is what we call special needs apart from the normal criminal investigatory process we associate with law enforcement. Basically, we want to be able to check people’s stuff at the border because we want to make sure we're not letting in bad people who are bringing in unsafe things.
Dave Bittner: [00:11:10] Right.
Ben Yelin: [00:11:12] Then there's the separate doctrine that comes out of the United States v. Jones case. And in that case, the Supreme Court held that it is unconstitutional to physically attach a GPS device to a vehicle without a warrant. And that's what happened here. And I think this judge's rationalization was this no longer became a simple border search because the surveillance was pervasive, going far beyond the border. They were tracking this vehicle as it made its way from the Mexican border all the way through Los Angeles. So if you have sort of two competing legal doctrines here, I think the Jones doctrine of disallowing the warrantless attachment of a GPS device is more compelling in this particular case.
Dave Bittner: [00:11:56] And so the FBI was - I suppose - trying to make the case that because they attached this GPS tracker at the border that the border exemption would take place here.
Ben Yelin: [00:12:09] Yeah. And, you know, that's something that I think will make it up through our court system because I don't think it's a - this particular scenario's one the Supreme Court has directly addressed. I think the border exception to the warrant requirement was for physical searches at the border, you know, doing warrantless searches of people's cellular devices - that's obviously been a controversial issue - but checking people's suitcases. Again, this is part of a special needs exception for our national security. But, you know, I can understand the reasoning in this case. How far is that exception going to extend? Could you attach a GPS device, some sort of (laughter) tracking device on a person, and follow that person the rest of his life or her life just because that person happened to cross the border?
Dave Bittner: [00:12:57] Or a listening device.
Ben Yelin: [00:12:59] Or a listening device. I think that would be - I think all of us would consider that a major invasion of privacy. So I think because this wasn't a traditional border search, I think the border search exception was not well-applied in this case.
Dave Bittner: [00:13:13] Now, is there - in the eyes of the law, is there a fundamental difference between a search and tracking? Are those different things, or does something like a GPS tracker fall into the Fourth Amendment definition of searching?
Ben Yelin: [00:13:30] So it's actually a very interesting case. Everybody sort of assumed in the last 40 years that the court had moved away from a physical trespass standard for determining whether there was a search. So up until the 1960s, there wasn't really a Fourth Amendment search in our legal system unless somebody physically trespassed on your property, usually law enforcement. That changed in a decision called Katz v. United States, where the court held that it wasn't simply a physical invasion that would cause a search, but rather a violation of a person's reasonable expectation of privacy.
Ben Yelin: [00:14:06] What was unique about this GPS device case, United States v. Jones in 2012, is that Justice Scalia in his majority union held that they need not decide whether this was a violation of a reasonable expectation of privacy because this was a traditional Fourth Amendment search. By physically placing that GPS device on a vehicle, that was a physical trespass in the way that searches had been understood up until the 1960s. And that was sufficient to establish a Fourth Amendment search.
Ben Yelin: [00:14:38] So unlike other forms of surveillance that are purely electronic - we talk about cell site location information, other types of surveillance - here, you actually do have a physical invasion of somebody's personal property. A car is an effect. The language of the Fourth Amendment says you can't have unreasonable search - searches and seizures against effects. A car is an effect, according to our Supreme Court, so they held that you cannot have a warrantless attachment, physical attachment, to the GPS device on a vehicle. Now, I think five justices in that case also seem to agree that it also violated a person's reasonable expectation of privacy, which would have broader implications for Fourth Amendment jurisprudence. But when we're talking specifically about GPS devices, it's, according to the Supreme Court, the physical intrusion that really matters.
Dave Bittner: [00:15:32] All right. (Laughter) As always, Ben Yelin, thanks for explaining it to us. Good talking to you as always. Thanks.
Ben Yelin: [00:15:38] Absolutely. Thanks, Dave.
Dave Bittner: [00:15:42] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:15:50] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:16:10] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:16:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.