CyberWire Daily - Cryptojackers gone wild. Attempted hack of Australia’s Parliament investigated. Huawei security concerns continue. Russia tests Internet autarky. Prosecutors investigate alleged blackmail.
Episode Date: February 11, 2019
In today's podcast, we hear that clipper malware has been ejected from Google Play. A different cryptojacker is kicking its competitors out of infected machines. Australian authorities continue to investigate the attempted hack of Parliament, with Chinese intelligence services as the prime suspects. How do you solve a problem like Huawei? Russia prepares to test its ability to disconnect from the Internet in the event of war. Prosecutors investigate alleged blackmail by below-the-belt selfie. Ben Yelin from UMD CHHS on politicians blocking citizens on social media. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_11.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Clipper malware is ejected from Google Play.
A different crypto-jacker is kicking its competitors out of infected machines.
Australian authorities continue to investigate the attempted hack of Parliament
with Chinese intelligence services as the prime suspects.
How do you solve a problem like Huawei?
Russia prepares to test its ability to disconnect from the Internet in the event of war.
And prosecutors investigate alleged blackmail by below-the-belt selfie.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 11th, 2019.
Clipper malware, the kind of malicious code that copies and exfiltrates the contents of a clipboard, has been found in the Google Play Store.
ESET blogs that it's discovered a strain of the malware,
which it tracks as Android/Clipper.C, impersonating MetaMask.
MetaMask is a legitimate app that allows a user to run Ethereum dApps in a browser without the necessity of operating a full Ethereum node.
The Clipper malware targets Ethereum users.
It copies their wallet address from a clipboard, which is usually where such addresses are kept,
since they're complicated and effectively impossible to remember otherwise.
The malware attempts to steal alt-currency credentials,
and it also replaces the wallet address in the user's clipboard
with an address that leads to the attacker's own wallet.
Google removed the bogus app after ESET reported the infestation on February 1st.
There's another relatively new altcoin threat out there, too.
Trend Micro warns that the XMR-Stak CryptoNight cryptocurrency miner is not only active in the wild,
specifically in the Linux ecosystem,
but that this particular crypto-jacker
is deeply anti-competitive from a black market point of view.
It looks for competing coin miners
and other Linux malware on the systems it infects,
and then disables them,
the better to hog the victim's processing resources for itself.
Chinese intelligence services remain prime suspects in the Australian Parliament hack,
the Australian Broadcasting Corporation says.
The attempt, which is regarded as having been largely unsuccessful, remains under investigation.
Suspicion of the Chinese government is based largely on form, a combination of a priori probability,
and the tactical similarities between this most recent incident and earlier attacks that have been attributed to
China. This doesn't, of course, amount to more than circumstantial evidence, and forensic
investigation will take some time. Industry reaction has followed, for the most part, a line
of, see, we keep telling you no one is immune, and here we go again.
The Chinese embassy in Canberra has yet to comment,
but one can reasonably expect the customary denials.
Opinion among the Five Eyes and many of their allies
continues to run strongly against Chinese device manufacturers,
and especially against Huawei,
whose industry leadership and market penetration
make it particularly worrisome as a potential security threat.
U.S. President Trump is widely expected to sign an executive order
that would effectively constitute a broad ban on Chinese manufacturers
from participating in U.S. mobile networks.
Fortune and others report that the executive order may come as early as this week.
Such an executive order has been discussed openly at least since the last week in December.
U.S. Secretary of State Pompeo will take up Huawei with Eastern European governments during an upcoming tour.
The University of California, Berkeley, has announced its intent to further restrict research collaboration with Huawei,
but in many places, notably the EU and Australia,
attempts to wall off Huawei from participation in R&D projects
have proven more porous than official rhetoric might lead one to believe.
For its part, Huawei continues to say it's baffled by the suspicions it faces,
but in a continuing charm offensive, the company also says
it's open to supervision by the European Union.
Microsoft Security Response Center said at the Blue Hat conference in Israel last week that risks from delaying one of its patches by even 30 days are now lower than the risk of being hit by a zero-day.
Zero-days are also now much more likely to be used in highly targeted attacks than they are in mass public campaigns.
These developments reflect a shift in attacker culture, approach, and capability.
Microsoft also credits its own improved product security
with responsibility for the change.
It's harder to weaponize a patched bug now than it used to be,
and the company also thinks that a better set of defaults, firewall on and so forth, have helped too.
Redmond did add that you'll still get hit if you disregard patching for too long.
That is, eventually, the skids will get around to you.
Russia will proceed with a test of the autarkic Internet its proposed Digital Economy National Program mandates.
ZDNet calls it a plan to disconnect from the Internet, which in a way it is.
But in fairness, it also seems a measure designed to give the country's online infrastructure the resilience to cope with full-on cyber warfare.
No date has been announced, but the test is expected to be complete before April.
The beginning of April is the deadline for comment on the Duma's proposed law.
U.S. federal prosecutors are looking into allegations the National Enquirer attempted to blackmail Amazon founder Jeff Bezos.
The Enquirer strongly denies that what it did amounted to blackmail,
although the emails Mr. Bezos released in his blog late last week
do appear to contain the sort of quid pro quo associated with blackmail.
Stop the properties you own, like the Washington Post, from doing certain things,
and the below-the-belt selfies we've got need never see the light of day.
The text of the emails in some respects reminds one of a non-disclosure agreement,
but of course a communication from an attorney would be likely to fall into that genre.
Saudi Arabia, which had been mentioned in press speculation as having played a role in the matter,
presumably because it resented the Washington Post's coverage of Jamal Khashoggi's murder,
said over the weekend that it had nothing to do with the Enquirer's emails and knows nothing of the affair.
So how did Mr. Pecker's Enquirer get Mr. Bezos' below-the-belt selfies?
Speculation about presidential operatives or the wheels within wheels of the deep state is always attractive to those who frequent this 18th century coffeehouse we call the Internet,
but getting a hold of an emailed selfie isn't really all that misterioso.
As a Security Boulevard blog post from Errata Security very reasonably points out,
there are lots of ways an enterprising sleaze hound can lay their virtual, if grubby, hands on these sorts of things.
Well, hey, you might object. Surely a new economy billionaire like Mr. Bezos would have solid security, right?
Well, sure, maybe, but as Errata's post observes, such selfies usually have recipients, and maybe they're not so secure.
Just ask Carlos Danger, we might add.
And it's relatively easy to get into someone's email with a credential stuffing attack, especially if they, as so many of us do, reuse passwords.
Get a hit from Collections #1 through #5,
and Bob's your uncle.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was meant
to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices,
Thank you.
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, great to have you back.
We had an article come by.
This was from the Naked Security blog over on Sophos.
And Lisa Voss wrote this.
This is about politicians blocking social media users and whether or not they're violating the First Amendment.
I remember when President Trump came into office, there was a dust-up over this,
whether or not he was allowed basically to block people on Twitter. What's going on here?
Yeah, this is just a fascinating issue. So the First Amendment gives us the right to petition our government for
redress of grievances. And what that means in plain English is we get to yell at politicians
and tell them that what they're doing is wrong and tell them what they should be doing.
Traditionally, that's been done by calling one's member of Congress, sending letters to the White
House. Obviously, things have changed in the digital age. So what this case was about was,
and the article just calls her a bureaucrat, but it's a government official in the state of
Virginia who had a personal page or a personal Facebook profile, as well as a
profile representing the agency that she worked for, which was the Board of Supervisors in Loudoun
County, Virginia. A member of the public, basically an old adversary of this bureaucrat,
had written a series of complaints on this person's public Facebook page. And this
member of the Board of Supervisors blocked that individual from commenting further. Now,
she did end up unblocking him, so to speak. So he was actually only blocked for a relatively
limited amount of time. But what the court held is that this is a violation of one's First Amendment
right to petition their government. And the idea is that there's this distinction between a public
forum and a private forum. So obviously, the law wouldn't allow us to go to a politician's dinner
party and yell at them for voting on one way on a piece of legislation. But when we're in a public forum,
or when they're performing the duties of their office, that's when that First Amendment right
is applicable. So that's the distinction that courts have really drawn, whether this is a
private, personal social media profile used to conduct a person's, you know, personal affairs
versus an official government page. And what the court held here is that this
was an official government page, was a Facebook page representing this member of the Board of
Supervisors. It had official government announcements on it. That was the evidence
that they had that this was an official use or a public forum. Of course, you know, the elephant in the room here is the president's
use of the block button on Twitter as it relates to his personal Twitter account, RealDonaldTrump.
So he argued unsuccessfully in a New York district court that his RealDonaldTrump Twitter account was
a private account representing him personally. It was not an official government account. And therefore, he had the right to block individual users. And the court, I think correctly
in that case, held that the way his Twitter account has evolved since his presidency began,
it really is a public forum. And it's hard to argue against that. I mean, he's made personnel
announcements from the real Donald Trump Twitter account.
He's announced some very serious policy changes, like we're withdrawing from Syria, all different types of very public declarations that have taken place on his personal Twitter account.
You know, and that distinguishes him from previous presidents.
Obviously, Barack Obama had an official White House Twitter account and his own personal Twitter account.
But he did not use his personal Twitter account to make public policy proclamations.
The Second Circuit, the Court of Appeals in New York, is going to hear that Trump Twitter case.
And we'll see if they take some guidance from this Virginia case. I mean, I think for the president's Twitter account, it's pretty clear cut.
He, through his actions, strongly indicates that the real Donald Trump Twitter account is a public forum.
That's a place where he makes announcements about public policy, government decisions, appointments.
And blocking individual users from being able to access that content, I think, is pretty much a per se violation of the First Amendment.
Now, help me understand. It seems to me like there's a there's a civility issue here. If I go to my congressman's office and I stand outside the door and I yell and scream and spew profanities and insults, isn't it within their right to
eventually remove me? Yes. So there are time, place and manner restrictions that are acceptable
under the First Amendment. Some of that, although this isn't universally applied, but some of that
can include harassing language, obscenities, etc. And I think that's
one of the things that President Trump has tried to argue as it relates to his Twitter account,
that people are posting obscenities, offensive language. As it applies to private individuals,
that's really a no-brainer. As it applies to public officials, the First Amendment is extremely
strong. There are some ideas, political ideas that cannot properly be
expressed without the use of obscenities. It reminds me of one of my favorite First Amendment
cases where an individual named Cohen, in the case of Cohen v. California, wore a sweatshirt to a
public court proceeding that said, f*** the draft. So the rules of the California court said you could not
wear clothes with any obscenities within the courtroom. And the Supreme Court said,
that's a violation of the First Amendment because there's no other way to express that exact
sentiment. Saying, I strongly dislike the military draft or screw the draft is very different than
the word that he actually used. So there are Twitter terms of service about harassment, and there are certainly time,
place, and manner restrictions about screaming and yelling at members of Congress.
The First Amendment presents a very, very high bar.
And I think standard obscenities, if it truly is a public forum, is not something that can
be restricted, consistent with the First Amendment.
We want to have a robust marketplace of ideas.
That's what our most cherished Supreme Court justices have written about as it relates to the First Amendment.
express my opinion very strongly about the president's actions in response to what is
pretty clearly to me to be a public forum, a place where he conducts the business of our government,
then the First Amendment protects that interest very, very strongly.
All right. It's fascinating to see it play out as always. Ben Yelin, thanks for joining us.
Absolutely. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
Check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.