CyberWire Daily - Caution in the Play store. EU power consortium’s business systems hacked. Cablegate--a look back. Schulte trial ends in minor convictions, but a hung jury on major counts. The cyber underworld.
Episode Date: March 10, 2020. Google removes from the Play store an app nominally designed to track COVID-19 infections. An EU power distribution consortium says its business systems were hacked. An assessment of Cablegate has been declassified. Ex-CIA employee Schulte's trial for disclosing classified information ends in a hung jury. The alleged proprietor of a criminal market is arrested. Crooks hack rival crooks. More US primaries are held today. And a case of identity theft in North Carolina. Ben Yelin from UMD CHHS with updates on Clearview AI; guest is Kathleen Kuczma from Recorded Future on the 2019 Top Vulnerabilities List. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Google removes from the Play Store an app nominally designed to track COVID-19 infections.
An EU power distribution consortium
says its business systems were hacked. An assessment of Cablegate has been declassified.
Ex-CIA employee Schulte's trial for disclosing classified information ends in a hung jury.
The alleged proprietor of a criminal market is arrested. Crooks hack rival crooks. More
U.S. primaries are held today, and a case of identity theft in North Carolina.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 10, 2020.
Google has removed an app, AC-19, from the Play Store.
Developed on behalf of the Iranian government and deployed in Tehran,
AC-19 is described as an app that tracks COVID-19 coronavirus infections.
Four things made Google skittish about AC-19. First, it collects user geolocation data. Second, it was developed by Smart Land Strategy. Third, its description appeared to claim that it could test people for COVID-19, which, of course, is impossible for a simple Android app to do. And fourth, it has to do with the coronavirus, and there's been so much misinformation and disinformation disseminated on that topic that Google is wary of anything purporting to have to do with COVID-19.
Smart Land Strategy has indeed been involved in creating other apps for the Iranian government,
notably the Telegram clones Gold Telegram and Hotgram. Both of those were ejected from the
Play Store last spring, on the grounds that they were suspected of secretly collecting user
information, apparently on behalf of Iranian intelligence and security services.
But AC-19 may be innocent, at least in general.
ZDNet cites an ESET researcher to the effect that he found no signs of malicious activity on the app's part.
It requests user location data in the same overt way many other innocent Android apps do, and in any case, the location of an infected person is a reasonable bit of public health data. Some Iranian dissidents, who asked to remain anonymous for their own safety, did tell ZDNet that they thought Tehran was playing a long game here: get people to download a tracking app during a period of crisis that the users would be inclined to leave in place even after the crisis has passed. In the short run, however, it's not clear that AC-19 is anything other than what it claims to be. The app is still available in third-party stores, but it won't test anyone for COVID-19 or anything else.
The European Network of Transmission System Operators for Electricity, that's ENTSO-E, which coordinates European electrical power markets, disclosed that it suffered a successful cyber intrusion into its business systems. CyberScoop says power generation and distribution are unaffected by the incident. ENTSO-E's office network isn't connected to any operational or control system. And so, barring a successful pivot into an ENTSO-E member's control network, this should remain a business system compromise.
The National Security Archive has released U.S. Cyber Command's declassified assessment
of the damage done by the 2010 WikiLeaks publication of sensitive State Department cables.
The National Security Archive summarizes the
report as suggesting that illegal release of classified State Department cables in 2010
led to a period in which the U.S. government was hindered in its ability to track the activities
of at least one of the most sophisticated APTs operating on the geopolitical stage.
Thus, the assessment by the fusion group assigned to investigate
is that Cablegate, as it was called at the time,
tipped off an adversary on how well the U.S. was able to monitor
one of its cyber-operational groups.
The identity of that nation-state is redacted in the declassified material,
but it's generally believed to have been China.
The trial of former CIA employee Joshua Schulte on charges connected to WikiLeaks Vault 7
ended in New York yesterday with convictions on the minor counts of perjury and contempt
but with a hung jury on the eight far more serious charges of improperly disclosing classified information.
The jurors could not agree that the government met its burden of proof,
and presiding judge Paul Crotty declared a mistrial. The Washington Post says the government
will in all likelihood seek a retrial. A conference scheduled for March 26th is expected to outline
the next steps.
U.S. authorities have arrested Kirill Viktorovich Firsov on charges related to his alleged operation of the Deer.io black market, ZDNet reports. The FBI picked up Mr. Firsov at New York's Kennedy Airport this past Saturday. He's charged with two counts relating to aiding and abetting fraud through the site, which has been in operation since 2013.
The indictment affords an interesting look into the criminal economy.
Deer.io sells access to storefronts on its platform,
and those storefronts are generally used to offer the sort of wares criminal hackers sell.
Compromised or stolen credentials,
personally identifiable material used for identity theft,
hacking services, and so on.
On March 4th, the FBI made a buy of about 1,100 gamer accounts from one of Deer.io's storefronts, confirmed their illegal provenance, and so obtained their warrant. The Bureau says it's found no legitimate businesses operating on Deer.io. The platform is hosted in Russia, which makes one wonder why Mr. Firsov was so incautious as to travel through JFK. A Deer.io admin, believed to be Mr. Firsov, explained the business to ZDNet back in 2016. Quote, Deer.io works according to the laws of the Russian Federation. Our clients can create shops that do not violate the laws of the Russian Federation.
We block shops that sell drugs or stolen bank accounts.
Elsewhere in the underworld, Cybereason researchers have observed criminals hacking criminals, infecting rivals' hacking tools with njRAT, leading many writing about the topic to return to the gods of the copybook headings and so remark that there's no honor among thieves.
Threat intelligence firm Recorded Future recently published their list of top vulnerabilities they tracked in 2019. Kathleen Kuczma is a sales engineer at Recorded Future, and she joins us with their findings.
This report was first created five years ago. So this is the fifth annual version of the annual top exploited vulnerability report. And it was first created because there is the gap between which vulnerabilities are listed as critical versus which ones are actually actively being exploited on the dark web and on underground forums. And based on Recorded Future's collection in those areas, Recorded Future thought that we can shed some light and help security practitioners know exactly which vulnerabilities they should patch based on weaponization.
Well, take us through some of the key findings here.
What were some of the insights that you were able to bring to the table?
Some of the key findings of this year's report are that, for a third straight year, Microsoft was the technology most impacted by these vulnerabilities. So eight of the top 10 exploited vulnerabilities were impacting Microsoft products, similar to 2018's report.
And there are a few different reasons why Microsoft itself might be a bigger target.
One of those is because of how prolific Microsoft products still are throughout a variety of
enterprise and government employers, whether that's federal, state, or local governments.
So Microsoft still continues to be a large target for the cyber criminals.
Were there any particular surprises that came out of this year's version of the report? Anything
that bubbled up that you didn't expect?
One of the biggest surprises of this year's report compared to other years is that there was a large number of vulnerabilities that were repeated from the prior year. This goes hand in hand with there being only one vulnerability from the 2019 calendar year that was exploited enough to be included in the top 10. And this was surprising because in past years, we've typically had at least three or four vulnerabilities from that particular calendar year included. And I believe, or Recorded Future believes, one of the main reasons why there were so many repeated vulnerabilities is because the number of new exploit kits continues to dwindle. So because of the number of exploit kits continuing to decrease, there are fewer reasons to include new vulnerabilities in those exploit kits. And this has helped contribute, at least that's why Recorded Future thinks, to there not being as many 2019 vulnerabilities included in that top exploited category.
What are your recommendations based on the information you gathered here? What are you suggesting people do to help protect themselves?
One of the main things that people and companies can do to protect themselves from these vulnerabilities is to enable automated patching whenever possible. There are many researchers across Microsoft and Adobe as well who are working on what those vulnerabilities are that are new and helping them with the patching cycle. So enabling automated patching whenever possible. But then for those vulnerabilities that can't be automatically patched, or there's a reason they can't be, maybe because of the technology itself that the automated patch would be impacting, that's when using threat intelligence to learn, of those vulnerabilities that are left, which ones are the most weaponized. These are the ones that we should impact and are the ones that we should patch. That's where threat intelligence can come in and help prioritize those critical vulnerabilities that patching teams cannot keep up with.
That's Kathleen Kuczma from Recorded Future.
Another test of U.S. election security comes today as five states, Idaho, Michigan, Mississippi, Missouri, and Washington, hold primaries, and one, North Dakota, holds a firehouse caucus.
NBC has a summary as well as an explanation of what a firehouse caucus is.
It's more like a primary than the sort of caucus recently held with dismal effect in Iowa.
People go to a polling place, like maybe the local firehouse, to vote, but the voting is run by the political party and not by state and local election officials.
Finally, to return to crime, a poor guy in North Carolina had his identity stolen by an unknown creep who used it to create a PayPal account and use it to subscribe to a database of leaked personal information,
which the unknown creep then used to pretend to be country singer Kenny Chesney.
The false Chesney then contacted various women in the hope of luring them into sending him,
or perhaps her, racy photographs.
What success the creep had is unclear from the Daily Beast's account,
but the arbitrariness of the initial identity theft is unsettling.
The victim was initially a person of interest to the FBI, which confiscated
his devices for two weeks before returning them upon realizing that they had the wrong guy.
The victim, an innocent math teacher, told the Beast that, quote,
it could have been anyone who got my information from an envelope or anybody who ever had my name
and address, end quote. And that is just creepy.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, also my co-host on the Caveat podcast. Ben, great to have you back.
Good to be back with you, Dave. We have been following with great interest the
ongoing saga of Clearview AI,
a company that scraped, by many counts, billions of images from the web.
And this story just keeps on getting more and more interesting.
What's the latest here?
So we found out, and I'm reading this from a Daily Beast article,
but it was really all over the Internet,
that this facial recognition company, Clearview AI,
suffered a very significant data breach,
which exposed its entire client list.
And there were, like all data breaches,
you know, maybe compare this to Ashley Madison.
This is not necessarily a client list that you want to be a part of.
It included many local police departments,
state police, Department of Homeland Security, etc.
We don't really have any information as to who perpetrated the attack.
The company is saying that security is, of course, their top priority.
Of course.
Data breaches are part of life.
Servers weren't accessed.
They patched the flaw, etc., etc.
But it comes at a very perilous time for Clearview AI.
They were the subject of this recent expose by the New York Times, which reported that
they're scraping 3 billion images from the internet from most popular social media sites.
And we talked about that article.
There were some follow-up articles.
There were interviews with the founder of Clearview AI.
And this just sort of adds on to this very difficult period
and will certainly bring more bad publicity,
not just for suffering the breach,
but from having the list of clients come out.
I've seen some follow-up on this story saying that,
sort of as you say, some of the agencies who may be doing
business with Clearview aren't very happy that their names are out there.
Yeah, I mean, it's bad timing for them too, because we're still sort of in the early stages of this controversy. I mean, most people didn't know that Clearview AI had existed. Even people who are, you know, up to date on these types of issues didn't know that this company had existed until a couple of months ago. And I
think it's not only bad
publicity. For the private companies that
contract with them, it could be bad for the bottom line.
But for police
departments that have fraught relationships
with particular communities,
it might be eye-opening
to their constituents to see that they are
contracting with a company that's been publicly revealed to be scraping images from the internet
and using that technology to identify criminal suspects. So from these organizations that have
been breached, from their perspective, I can see why this is so frustrating.
The same bad publicity that's coming the way of Clearview AI
is going to come to them because they are one of the clients.
So at a moment when Clearview already has a spotlight shining bright on them,
this really doesn't help their case.
It certainly does not.
And this is exactly the development that Clearview didn't want to happen
for a couple of reasons. One, you know, as a company that is scraping this information,
you don't want anything to call into question your security and privacy practices as a company.
And I think that's why a spokesman for the company was so quick to try to mitigate
the public relations damage here. I think they would be particularly sensitive to the fact that their data,
whatever data was breached, and here it's just a client list,
that there are vulnerabilities.
Because as we know, when you have three billion images,
it's only a matter of time.
If somebody is able to infiltrate your client list,
they might be able to get a hold of some of those images.
So certainly it's something that should deeply concern Clearview AI.
I sort of noticed just in the general social media community,
there was like a shouting for it, you know,
because Clearview AI had exposed private images of so many people,
and now, you know, there's sort of been comeuppance now
that some of their information has been stolen.
Right, turnabout is fair play, yeah.
Which I can certainly understand that perspective.
Yeah.
All right.
Well, as we said at the outset, their saga continues, and I suppose there's more to come.
I'm sure we'll be talking about Clearview AI into perpetuity.
All right.
Ben Yelin, thanks for joining us.
Thank you.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.