CyberWire Daily - Arrest by algorithm. Dangers of data enrichment. Golden Falcon in Kazakhstan. FCC vs. Huawei and ZTE. Internet sovereignty. Chuckling Squad popped for Twitter caper. Other crime and punishment.
Episode Date: November 25, 2019
A defection and a leak expose Chinese espionage and social control operations. Data aggregation and enrichment seem to underlie a big inadvertent data exposure. Something seems to be up in Kazakhstan's networks. The US FCC takes a swing at Huawei and ZTE. Russia moves closer to its desired Internet sovereignty. A Chuckling Squad member is in custody. A spy goes to prison, cyber hoods do time, and the rats are up to no good in Estonia. That's the rodents, not the Trojans. Caleb Barlow from Cynergistek with insights gained from a scammer's call. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A defection and a leak exposed Chinese espionage and social control operations.
Data aggregation and enrichment seem to underlie a big inadvertent data exposure.
Something seems to be up in Kazakhstan's networks.
The US FCC takes a swing at Huawei and ZTE.
Russia moves closer to its desired Internet sovereignty.
A Chuckling Squad member is in custody.
A spy goes to prison.
Cyber hoods do time.
And the rats are up to no good in Estonia.
From Cyber Wire Studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, November 25th, 2019.
A defection and a leak, respectively, shed some light on China's repression of its Uyghur minority and on the country's espionage operations.
Both operations have a considerable cyber component.
Chinese intelligence officer Wang William Liqiang has defected to Australia, where he's being accommodated at an undisclosed location by the Australian Security Intelligence Organization. The Age reports that he's blown the identities of a number of senior People's Liberation Army intelligence officers in Hong Kong. He's also said to have provided details of Beijing's extensive influence operations. These have been waged with particular focus and intensity against the quasi-autonomous city of Hong Kong and against Taiwan, which the People's Republic views as nothing more than a breakaway province. But Australia has also been of considerable interest to Chinese intelligence services, who are held to have been responsible for intrusions into parliamentary networks and for running front organizations aimed at gaining decisive influence over Australian political life.
The leak was obtained by the International Consortium of Investigative Journalists, which is calling the material the China Papers. It amounts to classified guidelines for operating the camps in Xinjiang province, where large numbers of predominantly Muslim Uyghurs are detained. Those guidelines are, the ICIJ says, for the most part directed toward techniques of behavior modification, what a BBC headline describes as a brainwashing system. The China Papers also include classified briefings that describe techniques used to identify Uyghurs for surveillance and detention. These operate largely through technical means, facial recognition cameras among them, to identify candidates for detention, flagging for investigation hundreds of thousands merely for using certain popular mobile phone apps. The activity is not confined to domestic targets. Uyghurs who are citizens of other states are explicitly designated for arrest and detention, and expatriate Chinese Uyghurs are tracked and monitored with the eventual goal of returning them for detention in the Xinjiang camps. The ICIJ calls the system Arrest by Algorithm.
Very large data leaks from exposed servers were reported late Friday to have compromised a total of about 1.2 billion records, some 4 terabytes of personal data. No one seemed at first quite sure to whom the database belongs or belonged, but DataViper, which found the leaks, suggests that People Data Labs and Oxydata, two data aggregation and enrichment shops, were the source of the exposure. The exposed data includes, according to Wired, home and cell phone numbers, email addresses, social media profiles from Facebook, Twitter, LinkedIn, and GitHub, and work histories, apparently from LinkedIn. There were about 50 million unique phone numbers and 622 million unique email addresses on the server. The data lost fall short of the "fullz" so coveted by criminals, since they didn't include passwords, Social Security numbers, or payment card information, but it's a startlingly large breach nonetheless, and obviously suggests the heightened possibility of identity theft.
Chinese security firm Qihoo 360 says it's detected a major cyber surveillance campaign against targets in Kazakhstan. Qihoo calls the group Golden Falcon. The Russian security company Kaspersky tells ZDNet that they think this is the APT previously tracked as DustSquad. Neither company offers any attribution beyond that, but they do say the group appears to be Russian-speaking. In itself, that means little. There is no shortage of Russian speakers in Kazakhstan. But Qihoo does think it's found that someone providing Golden Falcon with tech support is located in Moscow. That, too, is at best circumstantial evidence. There's no shortage of IT hired guns either, anywhere, especially in Eastern Europe. The story is developing.
Citing national security concerns surrounding 5G networks, the U.S. Federal Communications Commission prohibited the use of universal service funds for purchasing Huawei or ZTE equipment. The U.S. has also suggested to some of its closest allies that their adoption of Huawei and ZTE equipment for their 5G buildouts will inevitably hinder close cooperation on intelligence matters. The Washington Post sees a series of U.S. tactical victories over China in the coming 5G market and thinks American reservations about Chinese hardware may be gaining traction.
effect this coming July. You are not actually going to be required to use the software, but any laptop, phone, or tablet you buy will have to come with it, out of the box, or it's no deal. The new law is generally seen as a further push toward Moscow's aspirations for internet sovereignty. The government will use the next few months to work out exactly what software it wants to appear on every device sold in Russia. No serious observer sees this as anything other than a move to install tools that will enable the organs to see or control what goes on in every device.
Louisiana's recovery from the Ryuk ransomware infestation that afflicted the state government systems is proving more protracted than officials hoped or expected, as, according to KATC, Governor Edwards on Friday declared a state of emergency. The Office of Motor Vehicles, whose service disruption has particularly irritated citizens, is now expected to remain offline through Monday, WWL-CBS4 reports.
Former CIA officer Jerry Chun-Shing Lee, who took a guilty plea to a single charge of conspiracy to provide national defense information to a foreign government, has been sentenced to 19 years in prison.
The foreign government in question is China's. Mr. Lee was arrested by the FBI about two years ago.
An alleged member of the Chuckling Squad, the clowns who SIM-swapped Twitter boss Jack Dorsey's account to distribute bomb threats, racist messages, and anti-Semitic material, has been arrested.
He's a minor, and his name is so far not known.
The Santa Clara County District Attorney's Office in Silicon Valley is handling the case.
The motivation is unknown, but probably wasn't financial, just the now sadly familiar quest for online glory.
Aleksei Burkov appeared Friday in the U.S. Federal Court for the Eastern District of Virginia, a court known as the Rocket Docket for the dispatch with which it handles its cases, where he entered a plea of not guilty to charges of computer intrusion, identity theft, and other forms of fraud. The 29-year-old St. Petersburger arrived in the U.S. from Israel on November 12th. Mr. Burkov is alleged to be the impresario of Cardplanet and a second unnamed forum where the elite could meet to swap insights, do some chest-thumping, and trade contraband. We should mention that Mr. Burkov is entitled to the usual presumption of innocence, and so on.
No longer entitled to such presumption is one Stanislav Vitalievich Lisov, a Russian national arrested in Barcelona in 2017 and extradited to the U.S. in 2018. He was sentenced last week to four years in a U.S. federal prison. After he completes his sentence, he'll also serve three years of supervised release and will have to pay a $50,000 forfeiture as well as nearly half a million dollars in restitution. Mr. Lisov, who this past February entered a plea of guilty to one count of conspiracy to commit computer hacking, was the proprietor of the NeverQuest banking Trojan. NeverQuest, also known as Vawtrak and Snifula, is thought to have been responsible for $4.4 million in damages, according to The Hacker News.
Finally, we've all heard the entertaining but questionably relevant observation that squirrels are a greater threat to the power grid than hackers are. Attacks on Ukrainian electrical utilities around Kiev have somewhat muted this particular meme, but statistically it retains a degree of truth. Squirrels getting into transformers have blown out more power service than have hackers. Of course, the squirrels have been at it longer, for well over a century now. Anywho, add another rodent to the rogues' gallery. Over in Estonia, it's rats. And that's rodents, my friend, not remote-access Trojans. They've been chewing on the power cables of one of the most highly connected countries in the world, and they're probably up to it in other places, too. Get yourself some rowdy dogs, Tallinn. That's what we've done.
And joining me once again is Caleb Barlow. He's the CEO at Cynergistek. Caleb, it's great to have you back. You have an interesting tale to share today, something that I think our listeners will enjoy. Kick us off. What happened to you recently?
Okay, so Dave, first of all, it's good to be back. But imagine the setting of, you know, you're at the end of a staff meeting with a whole bunch of security professionals, and your phone's rung a couple of times during the meeting with a number that you just don't recognize, so you just, you know, hang it up.
Right.
Somebody really wants to get a hold of me. So you answer it. And of course, and we've all gotten this phone number, it's the IRS. In fact, it's an investigator at the IRS. And they're calling to tell you that your Social Security benefits had been seized or suspended. Now, as we all know, as security professionals, this is not a real call. People start laughing in the room and you put the phone on speakerphone, and what happens next is, well, pretty interesting. But not only is it comical, Dave, but we actually learned some things, because with a whole room of people, we're able to take a lot of notes as this call unfolded, and what we saw here was a pattern that I think as security professionals we can actually learn something from.
All right, well, let's go through it together.
Yeah. So to set the stage of the story, right, and you know, this is kind of what you'd expect. I get this call from an officer of the Social Security Administration, Officer Rick Smith, and he indicates that my Social Security number has been suspended. But what was amazing was the amount of time and investment that the caller was willing to put into this before actually asking for anything.
The other thing that we started to notice was something about this call was very different. They seemed to be following a pattern. I kind of realized, wait a second, I've seen this pattern before, and it's actually the pattern that's used by large-scale CRM vendors that train people to call for inside sales. The first thing you have to understand here is that the pretext was amazing, and the pretext took almost 10 minutes, and during this entire time I wasn't asked for any PII other than the last four digits of my Social Security number, which, let's face it, you can't do much with that. Now, all the security professionals that are listening to this will laugh a little bit when I tell them that the last four digits of my Social Security were 1337. But of course, he didn't seem to catch that joke. You know, it was kind of amazing of how long will this go?
But then we switched to the second phase.
So if you think of this, the first phase, the pretext was trying to build trust.
Is there something that connects me to them?
And think of this, this is just like what you would do if you're trying to sell somebody
something.
And I'll get to why that's important in a minute.
But the second phase, now we're exploring.
And as he starts to explore, how many homes do I have?
How many bank accounts do I have?
Now, he didn't ask me for the bank account numbers,
but he did go through the balances.
And of course, I had to tell him one of the balances
was over a million dollars.
And of course, there's a long pause as clearly more people are probably coming around the phone. So then it pivots again. I eventually say I trust him, and it's like, Dave, it was like I said the magic word on the call, and the call changed again dramatically. So now the exploration stage stopped, and now he switches to giving me choices and advice. Now, key again, again, think about this. Anyone that's ever worked on a sales floor, you don't want to tell the customer what to do. You want to give them options and let them choose, right? You want them to be part of the process. And that's exactly what he did, at an amazing level of patience. So I'm then connected after this conversation goes on, and we're now about 30 minutes in the call. I'm connected with a U.S. marshal who calls my phone separately. And now the story thickens. And they're incredibly patient. While I'm just a complete pain in the backside, they walk through options asking me to pick. And this U.S. marshal, which I later looked up, he gave me a name, Jeff, and I won't say the last name. It turns out actually is a real U.S. marshal. And they were spoofing the actual number from the U.S. Marshals Service. So they obviously picked that up on the web. But now the plot thickens. Now I go from this being a kind of identity theft issue to there's money laundering, there's drugs involved, and I'm going to go to court and be locked up for nine days. It's a recorded call. And I need to tell the U.S. marshal what I want to do. I need to pick. So I finally pick. And then we get to the ask.
And the ask is, and of course, anybody listening to this already knows where this ends up. He wants me to go to the bank, but he wants me to keep on the phone while I do. So he doesn't want me to put the phone on mute. He wants me to carry the phone with me, go to the bank, and withdraw as much money as I can to safeguard my money while the IRS supposedly locks up my account. I tell him that I can't take the phone with me because it's a landline. And there's a little bit of –
I have to say I didn't see that coming.
No, I don't think he did either. I particularly loved that part of the whole transcript. And there was a little bit of frustration. I think they were swearing on mute. But I finally talked him into letting me hang up the phone, go get the money, and then he called me back in an hour. And that's kind of where this landed. And he did actually call me back. I just didn't have the time for it, didn't answer.
Yeah.
The other thing that strikes me is that at no point did they turn up the heat on you.
They were killing you with kindness here.
Absolutely.
And the minute I said the word trust, man, did the whole call change.
Now, here's where this gets really interesting.
So if you think about this story, he starts by identifying with me and then connecting
with me, right?
And only after we've connected a bit, he's talked through what the story is, he's explained
to me what the problem is, he's there to help.
Then does he start to explore?
He starts to ask about my driver's license, my car, my bank accounts.
And only at the very end does he advise. Well, that cadence, identify, connect, explore, advise, is the exact methodology used by one of the major CRM vendors in the market. And my thesis, totally unproven, of course, is I actually think we've enabled this problem, because, as we, you know, let's face it, we've outsourced many a help desk to locations like this. Along the way, we've trained people. I am thoroughly convinced that whoever wrote this script and is managing this call center is either using these CRM tools, which is highly likely, or was certainly trained in these methodologies, so they know exactly how to approach this. And they're using everything they learned from selling us stuff to try to sell us a scam.
No, it's a fascinating insight, quite a tale. And I guess hats off to you for wasting their time, but certainly a cautionary tale to everybody else out there.
Well, Caleb Barlow, thanks for joining us. Thanks, Dave.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.