CyberWire Daily - Crooks use Facebook, too. Congress asks FEMA for an explanation. Card skimmers in Mexico.

Episode Date: April 5, 2019

In today’s podcast we hear about an “Amazon-style fulfillment model” for the criminal-to-criminal market. Criminals have Facebook groups, too, and lots of friends (“friends” here being a term of art). Xiaomi patches man-in-the-middle problems in its phones. Defense firms organize a supply chain security task force. Congress would like FEMA to explain its privacy incident. Alleged card skimmers arrested on other charges in Mexico. And Mr. Assange remains in Ecuador’s London embassy, at least for now. Ben Yelin from UMD CHHS on predictive policing software. Guest is Rob Strayer, Ambassador and Deputy Assistant US Secretary of State on security challenges in the global supply chain. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_05.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. An Amazon-style fulfillment model for the criminal-to-criminal market. Criminals have Facebook groups, too, and lots of friends. Friends here being a term of art. Xiaomi patches man-in-the-middle problems in its phones. Defense firms organize a supply chain security task force. Congress would like FEMA to explain its privacy incident.
Starting point is 00:02:16 Alleged card skimmers are arrested on other charges in Mexico. The U.S. State Department's Rob Strayer joins us to talk international negotiations about 5G security. And Mr. Assange remains in Ecuador's London embassy, at least for now. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 5th, 2019. There's a great deal of reporting on the criminal underground, and it's no longer surprising to see the ways in which criminal markets resemble legitimate markets. Earlier this week, for example, researchers at security firm Bromium described a collection of servers thought to be run by the masters of the Necurs botnet. Dark Reading calls the criminal operation an
Starting point is 00:03:05 Amazon-style fulfillment model. Bromium says the servers belong to bulletproof hosting providers owned by Frantech Solutions. Many of those servers are located in the U.S. state of Nevada. This particular operation uses over a dozen U.S.-based servers that host 10 malware families, distributing them for the most part in mass marketing phishing campaigns. Some of the malware families are familiar. The Dridex banking trojan, GandCrab ransomware, and the Neutrino exploit kit are among them. Bromium believes it sees evidence of three distinct threat actors.
Starting point is 00:03:42 One is responsible for email and hosting, and the other two operate the malware itself. Researchers at Cisco Talos report this morning that criminal groups are working openly on Facebook, connecting, trading, and cooperating. Their activity isn't hidden, but rather quite overt. Some of the groups have been operating for as long as eight years, in the process attracting tens of thousands of members. Cisco Talos says they've been able to track 74 criminal groups operating in this more or less open fashion. The members of the groups promise to do what Talos calls an array of questionable cyber dirty deeds.
Starting point is 00:04:19 Those would include delivering spamming tools and services, selling and trading stolen paycard information, and stealing and selling account credentials. The group's membership in the aggregate, Talos estimates, at 385,000. Check Point yesterday announced its discovery of a man-in-the-middle vulnerability in a security application that comes pre-installed with Xiaomi phones. Check Point disclosed the issue responsibly, and Xiaomi has patched the problem. The U.S. Defense Industrial Base Sector Coordinating Council announced today that it had chartered a new group to work on ways of thwarting threats to the supply chain. The Supply Chain Cybersecurity Industrial Task Force is an example of the sort of sector coordinating council U.S.
Starting point is 00:05:05 policy for protection of critical infrastructure encourages. The five founding members of the task force are familiar names, big defense integrators all, BAE Systems, Boeing, Lockheed Martin, Northrop Grumman, and Raytheon. Their initial focus will be on advanced persistent threat tactics, that is, the ways in which nation-states attempt to compromise networks, devices, and supply chains, on enhancing oversight and accountability, and on establishing enduring industry-government partnerships. The U.S. House Committee on Science, Space, and Technology has asked the Federal Emergency Management Agency, that's FEMA,
Starting point is 00:05:44 to explain how FEMA lost control of disaster victims' private information. The members want FEMA to explain how the whole thing happened, what effect the incident had on the victims, and what exactly FEMA intends to do to prevent a recurrence. Reuters reports that some of the evidence the U.S. collected against Huawei CFO Meng Wanzhou, charged by the U.S. with sanctions violations, was gathered under Foreign Intelligence Surveillance Act warrants. Ms. Meng is in Canada fighting extradition. KrebsOnSecurity reports that the alleged head of a
Starting point is 00:06:17 Romanian ATM skimming gang has been arrested in Mexico. The police, who picked up the gentleman and an alleged confederate in Cancun, didn't reveal their names, but Krebs thinks they're Florian "The Shark" Tudor and his sometime colleague, Nikolay Kozman. The beef in Cancun was over an illegal firearm and $26,000 in Mexican and U.S. currency, which the pair had no particularly good explanation for having in their possession. The two are believed by Romanian and U.S. investigators to be strong-arming ATM technicians into installing skimmers into ATMs around Mexican tourist spots like, for example, Cancun. WikiLeaks has been tweeting that Ecuador is getting ready to show Julian Assange the door,
Starting point is 00:07:02 inviting him to depart that country's London embassy. Mr. Assange could be back on the street in hours to days, if the Twitter feed is to be believed. Mr. Assange's lawyers maintain his eviction would contravene international law, and that Ecuador is only doing it because they're embarrassed by WikiLeaks' release of documents that purport to show corrupt knuckling under to American pressure and other stuff. Ecuador's foreign ministry says that rumors of expulsion are old and insulting to boot, but that Mr. Assange has been a bit of a pest in violation of protocol, as they put it. For its part, the UK foreign ministry says, hey, Mr. Assange is a free man and can come and go as he pleases. buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning
Starting point is 00:08:06 with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:08:40 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:09:40 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. Interesting story came by from Motherboard. The title is dozens of cities have secretly
Starting point is 00:10:24 experimented with predictive policing software. This sounds to me like something out of a movie. What are we talking about here? So this is done through a company called PredPol, or actually a software called PredPol, I should say. It stands for predictive policing. It does sound rather Orwellian. And it is in use, we've found out based on this Motherboard article, in major cities across the country. Some big ones like Atlanta, Georgia, some medium-sized ones, Modesto and Merced, California, and some smaller-sized ones, South Jordan, Utah. How it works is it gives police data based on previous crime and arrest reports as to the likeliness that a
Starting point is 00:11:07 crime is going to be committed in a particular geographical area. And they now have the technology to limit that area to a 500 by 500 foot section of a city, which is relatively small. I don't know what the size of your house is, but that would probably be the length and width of an average house. Yeah, a city block for sure. So obviously this presents major civil liberties concerns, particularly because of the inputs. The data that goes in to these predictive policing softwares isn't unbiased, isn't generated by a computer. It's based on past police reports that themselves have been subject to all sorts of biases, racial biases, geographical biases. And if that's the data that's being fed into this predictive tool, then the data coming out will
Starting point is 00:11:58 also reflect that bias. You understand it from a law enforcement perspective, because at least the way they see it, if there's a particular city block or a particular area that has seen high crime activity in the past, it's more likely that you're going to see high crime activity in the future. That's the part that I'm not clear on, because I can certainly see the police department getting together and saying, all right, everybody, you know that New Year's Eve down by the docks is always a hot spot. So we're going to send some more officers over there that time and place. And I don't think anybody has a problem with that. Right.
Starting point is 00:12:36 And I think to the extent that that's how it's used, I think that would be acceptable. I think predictive policing for sort of broad trends, knowing the neighborhoods that are particularly high crime might have beneficial use without some of these civil liberties drawbacks. Individuals who have been subject to the biases of past reporting now being on constant watch and possibly being subject to false arrest, undue prosecution, just because they happen to be located in an area that's previously been subject to police reports. And I think organizations like the Electronic Frontier Foundation, who've come out strongly against these types of software, those are the concerns that they've expressed. That if the inputs are not free from bias, then certainly the outputs are going to be not free from bias. I think this is your classic balancing of how much we want to protect the civil liberties of individuals who happen to live in these areas of high crime. Obviously, they're going to be disproportionately poor and disproportionately minority groups. So you're balancing that interest against the interest of public safety. You know, I think that's a really tough balance to strike. You end up with some kind of a feedback loop, perhaps.
Starting point is 00:14:03 Absolutely. And then that gets fed into future reports. It also could perpetuate the reputations of various neighborhoods and that in turn could lead to more crime in the future. So I think it might actually, as you say, have that feedback loop. All right. Well, it's interesting technology. Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
Starting point is 00:14:45 is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Rob Strayer. He's Deputy Assistant Secretary at the U.S. State Department for Cyber and International Communications Policy. He heads up a team of diplomats and public servants developing internet and cybersecurity policy and leading negotiations with foreign governments worldwide. One of the issues at the top of mind these days
Starting point is 00:15:34 is the imminent rollout of 5G technology. So we're talking to a number of countries about how very important it is that we consider security and adopting a risk-based security framework as telecom operators in their countries implement 5G infrastructure. And in particular, we've asked them to focus on the supply chain security issue as well as part of that overall risk-based assessment of the infrastructure. We're particularly focused, too, in talking about how we have a concern about the ability of a government to influence vendors within a country to either disrupt communications,
Starting point is 00:16:17 to alter the integrity of the data, or to conduct espionage through the 5G infrastructure if it's not made secure and done with truly trustworthy vendors. And specifically, we're talking about Huawei here and the efforts to keep some of Huawei's equipment out of the buildouts for 5G around the world. Right. Well, I would say that, you know, our focus is on a sort of country agnostic framework that we say, you know, that relationship between the government and the companies within that country, if it's governed by a relationship where there's not strong rule of law presence and companies are subject to extrajudicial mandates where they cannot go to court and say that we are governed by a statute and laws that require us to protect citizens' rights, to operate in ways that are above board, then we think there are substantial concerns potentially with the vendor. Huawei currently in the legal regime in China would fit
Starting point is 00:17:17 that categorization in our view. That is correct. And so why the concern over the 5G build-out specifically? As part of our discussions about the need to have security-related 5G, unlike 4G where most of the focus has been on just the availability of communications and availability of being able to use applications largely through our smartphones, 5G will be completely transformative in the amount and types of applications that will be made available through the 5G infrastructure with its very high throughput rates and very low latency. So, of course, that includes telemedicine, automated manufacturing, and all of the Internet of Things world that we know will be empowered. So the stakes related to 5G couldn't be higher in the sense of all the sort of vital applications that we will be relying on it for
Starting point is 00:18:11 become that much more critical and would put all of us in a sort of a collective security interest at risk and our collective economic interests much more at risk if they could be disrupted or the data that's flowing over those systems disrupted through a cyber means. And how successful are you as you travel around the globe getting other
Starting point is 00:18:31 nations on board? You know, if you looked a year ago, we had, I think, a very nascent understanding of what 5G was going to be about, what 5G is going to develop into. And certainly there was not an appreciation of the potential security risks related to the availability of the applications, to the integrity of the data, and to potential espionage related that could occur through 5G networks. So as we've done a vigorous campaign around the world to talk to governments about our concerns, as well as to talking to the private sector, I've not heard a country or entity within a country not acknowledge that there is a 5G security concern that they're now focused on.
Starting point is 00:19:13 So I think we've had a great success in raising that awareness. And where does the U.S. stand in terms of its ability to lead right now when it comes to the global conversation on cybersecurity? I think we're in a great position. Our Secretary of State, Secretary Pompeo, has been very engaged in raising this issue with his counterparts around the globe. We have a number of ambassadors that are talking to their host governments about the issue. We've got diplomats in posts around the world who are articulate about the digital economy and cyber security portfolios
Starting point is 00:19:45 that they have. They sort of amplify the work that we're doing here in Washington on a continuous basis with the host governments. And, you know, in the last few weeks, we've seen announcements by Germany talking about announcing they're going to have stronger standards for 5G security. We've seen the European Union, both through resolution in their parliament, and then a council decision that resulted in a recommendation by the European Union Commission just this week on improving supply chain security related to 5G. And the European Union, in fact, said that they need to look at the legal system of third countries where the vendors are located. And as you look forward, what are the biggest challenges that you see the State Department facing when it comes to cybersecurity? You know, there's a constant need for us to be able to articulate our vision for a stable
Starting point is 00:20:34 cyberspace, which includes the importance, the applicability of international law to cyberspace that applies in cyber activities, just as it does in the physical world, and that countries should not be able to act in ways that undermine independence of other countries, or what we call violate the principle of non-intervention, which would be obviously implicated when you interfere with the elections of another country. It's also important we just keep talking about these norms of responsible state behavior and what they mean. There's a reality that some countries are going to see it in their interest to act in ways that use cyber as an asymmetric tool that advance their interests, but of course violate these norms of responsible state behavior. So we need to educate other countries about the importance of these norms and how we need to work
Starting point is 00:21:18 together to hold accountable those states that would act contrary to those norms. There's tremendous legitimacy when we act together to attribute and eventually bring consequences to bear against nations that act contrary to those norms of responsible state behavior. That's Rob Strayer, Deputy Assistant Secretary at the U.S. State Department for Cyber and International Communications Policy. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland
Starting point is 00:22:12 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Vilecki, Gina Johnson, Bennett Moe, Thanks for listening. We'll see you back here tomorrow. Thank you. platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:23:12 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
