CyberWire Daily - Current forms of hacktivism, misinformation, and disinformation. More recommendations from the Cyberspace Solarium. Fraud accompanies Test and Trace.

Episode Date: June 2, 2020

Unrest accompanied by misinformation, disinformation, and Anonymous theater. Booter hacktivism. Extremist inauthenticity. The Cyberspace Solarium Commission releases its white paper on the pandemic’s lessons for cybersecurity. Joe Carrigan unpacks Casio executing a DMCA takedown on a hardware hack. Our guest is Herb Stapleton from the FBI on the 20 year anniversary of the IC3. And the UK’s Test and Trace system is expected to be accompanied by a wave of fraud. Actually, that fraud has already begun. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/106

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Unrest accompanied by misinformation, disinformation, and Anonymous theater, booter hacktivism, extremist inauthenticity. The Cyberspace Solarium Commission releases its white paper on the pandemic's lessons for cybersecurity.
Starting point is 00:02:11 Joe Carrigan unpacks Casio executing a DMCA takedown on a hardware hack. Our guest is Herb Stapleton from the FBI on the 20-year anniversary of the IC3. And the UK's test and trace system is expected to be accompanied by a wave of fraud. Actually, that fraud has already begun. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 2nd, 2020. Unrest over the death by asphyxiation of George Floyd while he was in police custody continues, and it's attended online by various forms of hacktivism and influence operations. Minnesota's Governor Walz characterized the distributed denial of service attacks against
Starting point is 00:02:58 state services as very sophisticated. The Hill quotes him as adding, quote, that's not somebody sitting in their basement, end quote. But it very well could have been the work of proverbial basement dwellers. As State Scoop and others point out, distributed denial of service attacks are commodity attacks. They can be hired for less than $20. The state's CIO, Tarek Tomes, told Minnesota Public Radio that, quote, these DDoS attacks are not new to us. We see DDoS attacks on a monthly basis, one to two, that vary in frequency and capability, end quote. The rate of the attacks are unprecedented, he said.
Starting point is 00:03:37 The attacks are a new form of protest, he said, and that they couldn't be attributed to any one single actor. There are commonly multiple actors, some domestic and some overseas. The state expects more DDoS over the coming days. Anonymous has also resurfaced during the Minnesota-centered unrest, although distinguishing the real Anonymous, insofar as an anarchist collective can be said to have a real enduring identity, is, as Motherboard notes, difficult. Anyone can claim to represent Anonymous.
Starting point is 00:04:10 It's perhaps significant that a lot of the chatter nominally from Anonymous is amplified through K-pop social media fan accounts. Both the Washington Post and Cyberscoop dismiss the claimed Anonymous operations as derivative fizzles, either an attempt to regain relevance or the work of wannabes and reenactors. Anonymous, or more precisely people saying they're acting in the name of Anonymous, have for years overpromised and underdelivered. The videos posted in the name of Anonymous are appropriately menacing, but they seem to generally have been more cosplayer than superhero.
Starting point is 00:04:46 So far, the material they claim to have stolen from police sites seems to be old, recycled stuff from publicly known breaches, much of it up on Have I Been Pwned? There's also inauthenticity in the chatter related to the unrest, some from foreign intelligence services and some from rival extremists flying false flags, NBC reports. Racial fissures in American society have long been favorite points of attack for foreign, especially Russian, disinformation campaigns. And while there have been calls from Antifa urging the extremist group's followers to regard the National Guard as easy targets, again as reported by Minnesota Public Radio, there have also been spoofed Antifa messages attributed by Twitter to the white supremacist fringe group Identity Evropa. Thus, reprehensible dresses up as reprehensible.
Starting point is 00:05:39 There has also been some fairly wild chatter about social media blackouts in, for example, Washington, D.C. These have been easily debunked by reporters on the ground, but not before, as the Washington Post reports, much misinformation was tweeted under the hashtag D.C. Blackout. The FBI is celebrating 20 years of running their IC3, the Internet Crime Complaint Center. Time sure does fly when you're fighting bad guys. And joining us with reflections on this milestone is FBI Cyber Division Sector Chief Herb Stapleton. 20 years ago, you know, we're talking about the late 90s into the turn of the century, into the turn of the 21st century. And really at that time, internet usage among consumers and the general public was really on the rise,
Starting point is 00:06:32 particularly that was a time when email had really increased into sort of normal use throughout society. And so one of the things that arose in the context of this increased utilization of the internet for transacting both personal and professional business were Internet frauds or scams. And they became quite prolific in the early 2000s. someone, you know, send an email to an unsuspecting victim saying, if you send me, you know, X amount of dollars, you'll get a million dollars in return, which was, of course, a scam all along.
Starting point is 00:07:11 So that was really the genesis of the IC3, where those were with that propagation of internet frauds in the early 2000s as internet usage rose. And take us through, I mean, the past two decades, what's the evolution been like? How has the FBI adjusted to the changes we've seen in the adoption of, well, so many things shifting online? Well, you know, the IC3 complaints are really a great record, historical record of how cybercrime has evolved over the years. You know, we've gone from those types of advanced fee scams or romance scams that we saw in the really early days of the IC3, but what we have seen evolve is more complex scams, more sophisticated scams, or computer intrusions like business email compromise, where a victim's email is actually taken over, or things like
Starting point is 00:08:06 ransomware, you know, actual deliveries of malware. And all those things are captured in the complaints of the IC3 over the course of the years and have been, you know, the way that the FBI is able to get information from the public so that we can take action to try to protect the citizens of the U.S. So the IC3 has been around for 20 years. Do you have any thoughts on what the next 20 years might look like? What does the future hold for the Internet Crime Complaint Center? Well, the Internet Crime Complaint Center, you know, has become really a cornerstone of the FBI's cyber investigative efforts. And so I think we'll continue to see it grow in importance. I think over the course of the next 20 years, what we'll see is just an increase in the kind of partnerships that the Internet Crime Complaint Center is
Starting point is 00:08:58 engaged in and working more with private sector entities, working more with other government agencies, as we all try to work together in a whole society effort to combat cybercrime. I think the other thing is that I don't anticipate over the course of the next 20 years that there's going to be a reduction in cybercrime activity. I think we're going to continue to see high levels of complaints related to this type of criminal activity. And so as a result, the IC3 is going to continue to occupy a critical space within the FBI's cybercrime efforts. That's Herb Stapleton from the FBI. The U.S. Cyberspace Solarium Commission this morning issued a white paper on lessons learned about
Starting point is 00:09:45 cybersecurity from the COVID-19 pandemic. For the most part, those lessons reinforce the commission's policy recommendations, but they also see interesting analogies between a pandemic and a major cyber attack. They're both global crises that call for a whole-of-nation response. Both call for an environment that makes it possible for solutions to emerge. And in both cases, prevention and pre-established relationships are better than deterrence and response. In particular, the commissioners think establishment of a national cyber director is more clearly indicated than ever. They call upon Congress to send digitization grants to state, territorial, tribal, and local governments, and to do so as part of COVID-19 relief packages.
Starting point is 00:10:30 They urge planning for continuity of the economy, and they repeat their recommendation that the nation work toward building societal resilience to disinformation. The Solarium commissioners also include four new recommendations. First, they urge Congress to pass an Internet of Things security law. Second, they recommend increasing support to not-for-profit organizations that help law enforcement agencies' efforts to combat cybercrime and support victims. Third, they advocate establishing a social media data and threat analysis center. And finally, they urge increasing non-governmental capacity to identify and counter foreign disinformation and influence campaigns.
Starting point is 00:11:12 Speaking of the pandemic, it's continuing to provide the bait for phishing campaigns. In the UK, the NHS's test and trace system will soon be contacting people who may have been exposed to COVID-19 in an effort to forestall a second wave of infection. The National Health Service says that if you're called, you will not be asked to provide any passwords, bank account details, or PIN numbers, nor will you be asked to download anything. But InfoSecurity Magazine points out the test and trace callers may ask for full name, date of birth, sex, NHS number, home postcode and house number, telephone number and email address. And that's a nice beginning for subsequent spear phishing and identity fraud.
Starting point is 00:11:55 So people should expect the scams to begin. Since junk phone calls now seem to constitute about the same fraction of calls that junk mail does in your mailbox, it's not surprising to read in The Register that such attempts are already in progress. It's easy to spoof SMS and caller line identification, and you can't rely on those as indications that a call is genuine. And links in an SMS message purporting to take you to a COVID-19 alert? Follow them at your own peril.
Starting point is 00:13:49 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute,
Starting point is 00:14:56 also my co-host over on the Hacking Humans podcast. Hello, Joe. Hi, Dave. Interesting story came by. This is covered by Gizmodo, among other places, and it's about a hardware hacker who had modified a Casio calculator and in doing so caught the attention of Casio, who put out a takedown notice. What's going on here, Joe? So this is actually from reclaimthenet.org. And Casio has filed a DCMA complaint,
Starting point is 00:15:31 a Digital Millennial Copyrights Act complaint against the user who hacked their calculator to connect to the internet. Okay. So basically what they're alleging in the complaint is there's actually an organization called React, R-E-A-C-T, that works for several large companies that goes out and finds copyright infringements and then contacts places where they think copyright infringements have happened. And they wrote to GitHub, which is where he was storing all of his code, and took the repository down. There's a link to his YouTube video. They have gotten a takedown notice for that video. You can't see the video anymore. But the Gizmodo article is still up, and the Gizmodo article is from earlier in May. And it talks about what this guy actually did. And what he did was he added a very small OLED display, which is just a nice looking cheap display that you can put in.
Starting point is 00:16:35 He noticed that it was about the same size as the solar panel in the calculator. So he removed the solar panel, then he put in this OLED display, and then for a power source, he replaced the solar power with a battery. And then he added what's called an ESP8266 Wi-Fi module. Now, an ESP8266 is a very small microcontroller that's actually very powerful, and it has a full TCP/IP stack in it, right? And it also has a Wi-Fi connector or Wi-Fi circuits in it, Wi-Fi chip. So you can connect
Starting point is 00:17:12 this device to the internet. It's like an Internet of Things development platform. Think of it like an Arduino with a built-in Wi-Fi capability. And in fact, you can actually use the Arduino Studio to program this device. So he has added this hardware. He has added a battery. He has added an OLED display. And he's put all the code to run on the ESP8266.
Starting point is 00:17:36 Now, Gizmodo points out that this could be used for cheating in classrooms when a student comes in with a calculator. If they don't notice that this calculator has been hacked, the proctor doesn't notice the calculator has been hacked, then it can be used to surf the internet and get answers, which is a valid point. But what's really concerning here is that Casio and React have just issued a blanket takedown order saying, and this is a quote from the Reclaim the Net article, the code the repository contains is proprietary and not to be publicly published. The hosted
Starting point is 00:18:11 content is a direct, literal copy of our client's work. I hereby summon you to take down the yada, yada, yada. I don't see how that's possible. I really don't see how that's possible for the code this guy wrote to work on an OLED screen. And what he essentially did was install an ESP8266 into a calculator, into the case of a calculator. It doesn't look to me like he's actually downloaded or changed any of the code or even pulled the code off the calculator. And there is a picture on here of the soldering connections. The only modification it looks like he's made to the circuit board of the calculator is to wire the battery into the power supply of the calculator. Now, I can't be sure of that because I can't look at the code and see what's going on because it's all been taken down. I can't
Starting point is 00:19:00 even look at the video he posted because that's been taken down. But I really think this looks to me, if what I'm saying is what has happened, and it probably is, that he put an OLED screen into a calculator form factor, replaced the power source, and dropped in a microcontroller that has Wi-Fi connectivity. If he did that, then Casio is not being completely honest here. It's an interesting point because I think a lot of folks point out that the Digital Millennium Copyright Act really is weighted towards the folks claiming to have the copyrights. I mean, all they have to do is basically put in a takedown notice. And as happened here, stuff gets taken down. You can reply. You can challenge that.
Starting point is 00:19:43 But there's really no penalty to the people who put up a false takedown notice. And there should be a penalty for that. Casio is not going to face any backlash for this. The worst case scenario for Casio is that this thing comes back on, and that's not even a worst case scenario for them, because this guy is not pirating their code, it looks like, from what I'm seeing. He is just modifying a case. And there's huge debate that goes on in this. When I buy a calculator, do I have the right to open it up and cut a hole in the case or change the modification? I believe I do, that this becomes my property and I get to do whatever I want with it. And I'm disappointed to see Casio react this way. I would like to see penalties for companies that do this.
Starting point is 00:20:27 Yeah, yeah. Well, lots of people think it's an area that's ripe for reform. So this is an interesting case here. A fun one to look at as well. I love these little hardware hacks. Yeah, they're awesome. I have a couple of these ESP8266s that I bought
Starting point is 00:20:43 and I've actually never pulled them out, but maybe I will pull them out. All right. All right. Well, Joe Carrigan, thanks for joining us. It's my pleasure, Dave.
Starting point is 00:21:05 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:21:58 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
