The US House of Representatives wants to know more about DNS-hijacking. Huawei skepticism. Anonymous dunnit, say the Russians. Financial data exposed. Family spooked by hackers.
Dave Bittner: [00:00:03] The U.S. House would like some more information from DHS about what prompted its emergency directive about DNS hijacking. More skepticism about Huawei from various governments. A British think tank has been hacked. Observers think Russia's GRU is good for it. But Russia says, no. Hey, it was Anonymous. And they did a good job. Exposed databases leave financial information out for the taking. And creeps take over a family's Nest.
Dave Bittner: [00:00:36] And now a word from our sponsor KnowBe4. You know, email is still the No. 1 attack vector the bad guys use, with a whopping 91 percent of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways to watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Thursday, January 24, 2019. It's now believed, CyberScoop reports, that six U.S. federal civilian agencies have been affected by the DNS-hijacking campaign that prompted the Department of Homeland Security to issue Emergency Directive 19-01 this week. Representative James Langevin, Democrat of Rhode Island, has asked the department to brief the House Homeland Security Committee on the matter. Private security firms, FireEye prominent among them, have said they see signs of Iranian sponsorship of recent DNS-hijacking campaigns. As FireEye puts it, they assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.
Dave Bittner: [00:02:36] Security firm CrowdStrike agrees that there appears to be an Iranian connection. We received an emailed statement in which their vice president of intelligence, Adam Meyers, noted that the DNS hijacking has been global in scope and has affected several different sectors. He said, quote, "CrowdStrike intelligence assesses that there is some basis to believe that the DNS-hijacking campaign is attributed to Iran-based adversaries, given that the targets of the DNS-hijacking campaign align with Iranian interests in the region," end quote. As always, remember that attribution is usually, especially in its early stages, based largely on circumstantial evidence.
Dave Bittner: [00:03:18] More governments express officials' skepticism of Huawei as a potential security threat with recent animate versions from France, the U.K. and Taiwan. The Russians apparently haven't been idle, either. BuzzFeed reports that the Integrity Initiative, a project of the Institute for Statecraft, a British think tank, has apparently been hacked, with stolen material appearing in Russian outlets Sputnik and RT, framed in stories alleging the initiative's role in fomenting anti-Russian sentiment. As RT puts it, quote, "by all means, smear and attack. But be honest about it," end quote. RT adds that honesty would consist in admitting that they represent a conspiracy of mainstream media and her majesty's Foreign Office.
Dave Bittner: [00:04:05] The Russian outlets disclaim any role whatsoever in the hack, which Sputnik says revealed that the Integrity Initiative is, quote, "an international anti-Russian information warfare effort funded by NATO and British state organs, the Foreign Office and Ministry of Defense," end quote. Instead, they credit Anonymous, which they say has been posting files taken from the initiative's servers since November 5. A lot of the stuff has been posted to the CyberGuerrilla site along with disclaimers that it comes from Anonymous, that they warned the British government and so on and so on.
Dave Bittner: [00:04:42] The Integrity Initiative has devoted considerable attention to exposing Russian information operations. The U.K.'s National Cybersecurity Center and others are examining the initiative's servers and its employees devices for evidence of compromise. Suspicion on grounds of motive and a priori probability has turned toward Moscow, despite all the woofing about Anonymous. But the investigation is still young. And the Integrity Initiative has taken its content offline until further notice. The GRU, whom you may know under one of its many names, as Fancy Bear, has been known to devote some attention to think tanks in the past. It's also worth pointing out that it takes more than sinking your posts to begin on Guy Fawkes Night to establish your identity as a member of Anonymous. So we're reluctantly moved by skepticism by RT's and Sputnik's pious claims that Anonymous did it. Could we see some ID - maybe a Guy Fawkes mask? That wouldn't be dispositive either, but least it would be fun.
Dave Bittner: [00:05:45] Sputnik says the Integrity Initiative is running scared. The online paper congratulates itself by crowing, the drastic measure - that is taking its content offline - may have been spurred by Sputnik's dogged investigations. Connoisseurs of information operations will recognize the rhetorical technique. It's unlikely insistence, like saying over and over again, New York is a fun city or protecting your privacy is our No. 1 priority or happiness is being a Cleveland Browns fan - anyway, we hope there are some British, NATO and, dare we say, U.S. information operations afoot. It's about time.
Dave Bittner: [00:06:25] The folks at CyberSecJobs.com recently published results from a survey on volunteerism in the cybersecurity industry and the benefits that can be realized for both the volunteers and their employees who support their activities. Kathleen Smith is chief marketing officer at CyberSecJobs.com.
Kathleen Smith: [00:06:43] When people hear the word volunteering, I think they believe that it's bake sales or marathons or doing something locally at their, you know, family or church community center. Yet when we look at the breadth of conferences and events and organizations that are in the cybersecurity community, the lion's share of them are volunteer-run. I mean, when we look at DEFCON over 25 years, very much volunteer-run. Many of the organizations that are, or events that are in the cybersecurity community are really volunteer-run.
Kathleen Smith: [00:07:23] And when I see volunteers working, they're just doing that because it's their passion, and that they love coming together and doing something and feeling that sense of accomplishment. And it's also interesting that many employers are not aware of how many of their employees are involved in the community and how that is important in employee retention, but also in building their talent pipeline for recruiting.
Kathleen Smith: [00:07:50] When an employer is looking at their overall recruiting and retention strategy, they need to really look at - how is the company positioned within the community? And how is it that they are supporting volunteering? This is a separate budget from your marketing and your business development. This is not the booth that's at the trade show. This is not the logo being on the website. This is investing in the employees that are on the ground being your brand ambassadors to say, this is a great company. They believe in the community, and they believe in me and believe in me giving back to the community.
Kathleen Smith: [00:08:30] What is great about this community is there are so many different online and offline organizations to be part of. So one, if you are currently employed and volunteering, really look at it as, what are you getting out of the role? And is there a new role you can be moved into, because this is a really great opportunity to plan out your career development. I have seen many people within the community start out as just registration, and they move on to be their own conference organizer founder. So really looking at the way that you can map your career, are you always security, or are you going to move over to a different part of the conference? So when looking at your map of your career development, if you're not volunteering and you want to get into the community, really check out the websites of organizations that are of interest to you. There are many that are solely online. There are many that are solely offline.
Kathleen Smith: [00:09:32] And really see if the mission of the organization matches your personal passion. There's nothing worse than going in and working at an organization, and you're not passionate about it. Everyone who works in volunteering - they're driven by the fact that they want to make the community better, but they also feel that this is a great thing that they're doing. If you don't have that love, you're not going to be happy in volunteering. It's going to take about a year or so of volunteering with a variety of different groups before you start to feel comfortable that this is the place that you want to be. So start with some of the local meetups. Start with, maybe, a local B side. Check out some of the online organizations. There are many large professional organizations, but there are also several smaller ones that focus on certification and training or, you know, putting on online CTFs. There are many organizations out there that are needing volunteers to help out.
Kathleen Smith: [00:10:33] But realize that you have to make the decision how much of your time you're going to commit to this. And what are the questions? Similar to interviewing for a new job, you need to interview an organization. What do they need from you? How much of a time commitment is it? What are the stress times? What is the timeline? Be very diligent because this is an investment of your personal resources, and you want to make sure that you're going to get back that kind of fulfillment that you're looking for.
Dave Bittner: [00:11:05] That's Kathleen Smith from CyberSecJobs.com. You can find the complete results on their volunteerism survey on their website.
Dave Bittner: [00:11:15] Researcher Bob Diachenko has provided details on the exposure of more than 24 million financial and banking documents in an unsecured Elasticsearch database. The documents, mostly pertaining to loans and mortgages from large U.S. banks, were exposed, TechCrunch says, by a third-party document management vendor widely used by the financial industry.
Dave Bittner: [00:11:37] And finally, as if there weren't enough jerks in the world, there seem to be an inexhaustible supply of people willing to step up and fill the ecological niche they so misperceive. For your consideration, a couple. And this couple and their children, we hasten to say, are not the jerks you're looking for in this story. A couple, we say, who've recently moved to the town of Auburn in the state of Washington reported to police that someone was not only watching them through their networked home security cameras and their networked doorbell, but was talking to them as well, even swearing at them. It would appear that someone had obtained the couple's passwords to their Nest system and had decided to use it to pursue their career as a jackanapes. Police are investigating. Nest, which was not itself breached, advises that you not reuse passwords and that you implement two-factor authentication.
Dave Bittner: [00:12:29] So really - trust us - there's tremendous oversupply in the online jerk labor market. If you're a young person considering your career choices, seriously, look somewhere else. You might even try journalism. Go someplace where you won't be led into temptation, and leave the jerk gigs to the professional jerks. Heaven knows there are enough of them out there.
Dave Bittner: [00:12:57] And now a word from our sponsor, Coalfire. When organizations stand up new services or move existing applications to the cloud, they need to coordinate IT security efforts with business units and partners. So the question arises - is security the cloud platform provider's responsibility, or is it the customer's responsibility? To answer that data security question, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the HITRUST Shared Responsibility Program, there is now a clear path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011. And they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show.
Dave Bittner: [00:14:20] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. You sent over this interesting case. This is from the court of appeals of the state of Alaska. And it has to do with a laptop and personal privacy and so on. Dig in here. This is an interesting one.
Ben Yelin: [00:14:40] Yeah, it is. So a Fourth Amendment case that comes from the final frontier in Alaska - it involved an individual - a woman named Erin Pohland, who was a former assistant AG in that state. She was convicted for official misconduct. So the alleged crime was that she was using her position as a legal adviser at the Labor Relations Agency in Alaska to benefit her personal friend. Now, that personal friend was not an ordinary friend of hers. It was a close friend, and they happened to share an apartment. So this friend named Skye McRoberts, she owns what was essentially a large apartment, it seemed like. And Pohland, the defendant in this case, rented a portion of that apartment, which wasn't really separated by any physical barrier. So Pohland was the tenant, and her good friend was the landlord.
Ben Yelin: [00:15:32] Now, this good friend was suspected of her own financial crimes. So the police while they suspected that Pohland might have participated in some official misconduct - didn't have probable cause to get her, but they did have probable cause - they established probable cause to get a warrant to search Skye McRoberts' house for any evidence about her potential financial crimes. And as part of a search of their house, they uncovered the computer of the defendant Erin Pohland. And they searched that computer and contained within stored text messages was incriminating evidence that Pohland indeed abused her position of power. She engaged in official misconduct. And she was convicted.
Ben Yelin: [00:16:17] And the holding in this case was that the Alaska Court of Appeals overturned her conviction on a couple of grounds. And these get into really interesting digital privacy issues. For one, they said the computer is not like any other effects that exist in a person's house for Fourth Amendment purposes. So there's this sort of long-standing Supreme Court doctrine that if you get a warrant to search somebody's house, you can search everything in that house even if it doesn't belong to the owner, even if it belongs to a tenant. You know, and in the past, that's applied to things like physical files or notes or whatever other, you know, stuff, things you can find in a given residence.
Ben Yelin: [00:17:00] But what the court here is saying is that the computer is fundamentally different. It is personal. It contains our private secrets. And it shouldn't be considered just a standard effect, a thing that's lying around the house. In no real way, is that something - even though it's physically in Skye McRobert's house, does it belong to her? There's no evidence that Skye McRoberts was using Pohland's computer to hide evidence of her own crimes. And without that sort of suspicion, the government had no right to open this computer. You know, that's one of the profound holdings in this case that presents very significant Fourth Amendment issues.
Dave Bittner: [00:17:38] So help me understand the implications of this. Does this mean that if police are serving a warrant - a search warrant in someone's home, and they happen upon a laptop, can they - they can gather that laptop, but then do they have to go back to the judge and say, we'd like additional permission to dig into this laptop here?
Ben Yelin: [00:17:57] So if they have reason to believe that that laptop does not belong to the person named in the warrant, the implication of this decision is, yes, they would have to get a separate warrant to access that laptop because even though they were able to legally enter the physical space listed in the original warrant, this computer, for Fourth Amendment purposes, is not part of that physical space. It sort of exists in the ether. It's not like going into somebody's house and searching through their file cabinets because of how personal a laptop is and how much of an individual's private life can be maintained on that device and, you know, because it is presumably password protected in a way that the landlord in this situation couldn't gain access to it. So yeah, that is the natural implication here - is that you would need a separate warrant to access this device. This isn't just a thing lying around the house. This is something that's more deeply personal, that's more deeply revealing, and it merits its own Fourth Amendment protection. And I think that's continuing a broad trend in digital privacy that we've seen across a number of cases over the past several years.
Dave Bittner: [00:19:09] Yeah, it's fascinating. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:12] Thank you.
Dave Bittner: [00:19:17] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.