CyberWire Daily - Cyberespionage and counterespionage. The DDoS that never was. A very strange case of cyberstalking. And leaky niche dating sites.

Episode Date: June 16, 2020

What does Beijing want to know about US Presidential campaigns? Position papers, mostly. A redacted version of the CIA’s inquiry into the WikiLeaks Vault 7 material is out. That DDoS attack you read about on Twitter? Never happened. Former eBay employees face Federal charges of conspiracy to commit cyberstalking and witness tampering. Ben Yelin explains a judge refusing to sign off on a potential Facebook facial recognition settlement. Our guest is Randy Vanderhoof from the Secure Technology Alliance on mobile driver's licenses. And where would you store “niche” dating app material? In a misconfigured AWS S3 bucket. Where else? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/116

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. What does Beijing want to know about U.S. presidential campaigns? A redacted version of the CIA's inquiry into the WikiLeaks Vault 7 material is out. That DDoS attack you read about on Twitter? Never happened. Thank you. Our guest is Randy Vanderhoof from the Secure Technology Alliance on mobile driver's licenses. And where would you store niche dating app material? In a misconfigured AWS S3 bucket.
Starting point is 00:02:32 Where else? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 16, 2020. We've got two stories of espionage today. In the first, the Voice of America reports that Chinese intelligence services are collecting against the U.S. presidential campaign of presumptive Democratic nominee Joe Biden. What are they after? Position papers, apparently. The campaign appears not to have been compromised, and the operation appears to be part of a long-standing effort aimed at developing a
Starting point is 00:03:11 picture of U.S. presidential candidates' attitudes and likely policies toward the People's Republic. Google's Threat Analysis Group, cited by the Voice of America, has been tracking the espionage for weeks. FireEye attributes the effort to APT31, also known as Hurricane Panda or Stone Panda. The other story involves the partial declassification of the October 2017 report by the CIA's WikiLeaks Task Force that was formed to investigate how the leak site came to obtain the material it published as Vault 7. According to the Washington Post, the heavily redacted report found that the CIA was focused on developing offensive cyber tools, but that it neglected basic security measures and sound practice. The report's provenance is interesting. It came to the Post from Senator Wyden, Democrat of Oregon,
Starting point is 00:04:04 who received it in his capacity as a member of the Senate Intelligence Committee. The senator got it from the Justice Department, which has it because it figures into the trial of Joshua Schulte, who's been charged with passing the Vault 7 material to WikiLeaks. Schulte's attorneys claim that the report shows that the CIA's security was in this respect so slipshod that any one of hundreds of people could have given Vault 7 to Mr. Assange's organization. The CIA has said that it does indeed take network security seriously, but beyond that had little to say. A former intelligence official speaking anonymously told the Post that he disagreed with the conclusion that the CIA's enterprise systems were carelessly secured, that, to the contrary, Langley had secured its enterprise systems to a gold standard. But the enterprise systems and the mission systems were two separate things, and while security was emphasized, the source told the Post that the operators who ran
Starting point is 00:05:02 the mission network thought there was better auditing, more insight into the network than in fact there was. There was a mismatch of expectations between the operators and those who administered and maintained the network. Did you hear that the U.S. was under a major DDoS attack? It's been all over Twitter, you know. Anonymous, with its cosplayer's customary overstatement, has claimed that the United States is under crippling distributed denial of service attack, and a lot of others have been tweeting, retweeting, and otherwise sharing their thoughts on the matter. And, as is usually the case, those thoughts run along the lines of, well, the Martians have landed, and the man is out to get you.
Starting point is 00:05:45 But as Cloudflare and others have pointed out, it's not true. There was no DDoS. Sure, T-Mobile had a rocky upgrade yesterday that impeded calls and texts, although CNET says data for the most part continued to flow, albeit with certain outages reported. The people tweeting as Anonymous didn't claim the DDoS for themselves, saying instead that it was probably China because of stuff going on around the Korean demilitarized zone. The attack map eye candy tweeted in the anarchist collective's non-name
Starting point is 00:06:17 appears to put the center of the campaign somewhere between Omaha and Des Moines, which could maybe be why we missed it here in Baltimore, but we think Forbes, TechCrunch, and Computing have it right. There was no DDoS. And those maps with all the lines arcing across the globe? Don't take them too seriously. Imagine not having to carry a wallet, and instead having all of your payment information,
Starting point is 00:06:43 medical insurance cards, and even your driver's license stored on your mobile device. Convenient, yes. Secure? Possibly, depending on how it's implemented, and as they say, the devil is in the details. Several U.S. states are underway with plans to make mobile versions of driver's licenses available to their citizens who prefer them. Randy Vanderhoof is executive director of the Secure Technology Alliance, and he offers these insights. Most people in the U.S. over the age of 18 get a driver's license from their state primarily to prove their privilege to drive. But most people don't use that driver's license that often for that purpose, but instead use the driver's license as a form of identity so that people can prove their age if they're entering an age-restricted establishment or prove their address or their identity if they're opening a bank account or cashing a check or accessing a secure facility. Having a mobile
Starting point is 00:07:47 version of this identity offers a lot more convenience as well as security as well as functionality because the digital version of that physical driver's license can be transmitted electronically to someone who can then read that information and authenticate it and then have an electronic record of the transaction, which is something that is not commonly available by just presenting the physical driver's license. Now, in this scenario, how does a mobile driver's license verify that I'm who I say I am? So, in the mobile version, there would be a digital image of the person so that you can match the driver's license credential with the person that's presenting it. And then there could be a set of options that the person
Starting point is 00:08:46 holding the phone would be able to select as to what other information do you want shared. And then you could bring up your age eligibility or you could bring up your address if that was what was required. And then the establishment that's proving my identity can read that information electronically. And so there's a higher level of trust because the information that's shared electronically can be digitally secured. And then there's an audit trail or a record that the establishment then has. So if there was a question after the fact whether or not that establishment actually checked for my identity, they can go back to their electronic record and show the information that they got at the point of when that digital driver's license was presented. That's Randy Vanderhoof from the Secure Technology Alliance.
Starting point is 00:09:48 The U.S. Attorney for the District of Massachusetts has charged six former eBay employees with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses in an unusually nasty and dim-witted case of cyberstalking. They are alleged to have harassed and doxxed a Natick, Massachusetts couple who ran an e-commerce blog and newsletter, EcommerceBytes, that sometimes posted critical reviews of eBay.
Starting point is 00:10:15 The harassment included anonymous and disturbing deliveries: a bloody pig mask, a book on mourning a spouse's death, live cockroaches, nasty pornography apparently intentionally misdelivered to a neighbor's house, a fetal pig, and so on. It even involved physical visits to the victims' home, disrupted by the Natick police, who subsequently asked eBay what was going on. The six defendants, all of whom eBay fired last September after an internal investigation prompted by the Natick PD, included some senior and middle managers. The U.S. Attorney's Office says the defendants were, until eBay parted ways with them, the senior director of safety and security, the director of global resiliency, senior manager of global intelligence,
Starting point is 00:11:01 the manager of eBay's Global Intelligence Center, a contractor who worked as an intelligence analyst in the GIC, and a senior manager of special operations for eBay's global security team. It's a very strange story in which a well-resourced Fortune 500 company decided to go after two small-town online journalists with strong-arm tactics out of a cheap detective novel or a bad TV crime show. In what passed for cunning among the planners, they intended to escalate the pressure, then send one of their number to visit the victims in Natick, appearing as an eBay hero, sympathetically prepared to help them get out from under all the harassment. This would generate goodwill toward eBay and favorable stories on the victims' blog. So a win-win, right? Well, no. Let's see what we mean about a lousy script.
Starting point is 00:11:54 And finally, Carlos Danger, call your office. vpnMentor is reporting that researchers discovered that hundreds of thousands of users of niche dating and hookup apps had their personal information exposed: 20,439,462 files totaling 845 gigabytes and including photos, many of them described as graphic and explicit, screenshots of private chats and financial transactions, some audio, and a bit of personally identifiable information. The apps appear to have shared a developer. More importantly, they shared an AWS S3 bucket, and guess what? That bucket was exposed to the internet. If we thought any of you needed it, we'd close with a meditation on Kant's transcendental principle of publicity as one formulation of the categorical imperative.
Starting point is 00:12:46 But in case any of your friends ask you, here's a quick gloss. If you don't want that stuff to turn up on the pages of Wired, don't put it online. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:13:19 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:13:46 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:37 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security.
Starting point is 00:15:27 He is also my co-host on the Caveat podcast. Ben, always great to have you back. Interesting story from Courthouse News Service, and it's titled, Judge Won't Sign Off on $550 Million Facebook Facial Data Settlement. What's going on here? So this has been a case that's been tied up in our court system for about five years now. A group of plaintiffs initiated a class action suit under Illinois' Biometric Information Privacy Act of 2008. Yes, federal courts can hear cases on state laws, for all you civil procedure nerds out there. And the case claims that Facebook started mapping users' faces for its photo tag function without properly notifying the users. So recently,
Starting point is 00:16:14 Facebook and the class of plaintiffs came to a settlement for $550 million, which is below, you know, for each plaintiff, that's below what one would get for a single violation if you read the Illinois statute literally. And so the judge in this case, a federal district court judge, is questioning the terms of the settlement, which is very unusual. Judges are usually very deferential to parties who decide to settle. It makes their lives easier. It keeps cases out of court. So even if they have to sign off on a settlement, they'll usually trust whatever agreement the parties have come to. In this case, the district court judge is saying, in his opinion, these penalties, the penalty that Facebook is going to pay to these plaintiffs is just simply not large enough.
Starting point is 00:17:05 The statute requires far greater penalties, and it's not going to be enough of a disincentive for Facebook to change its behavior and give proper warning before it engages in things like mapping users' faces. So I think Facebook is probably freaking out right now. They thought they had this case settled. You know, they came to an agreement with this class of plaintiffs, and now the case is reopened,
Starting point is 00:17:32 and the judge is asking each party for additional information. So the case has kind of been resurrected, and it'll be interesting to see what the future proceedings hold. Yeah, I mean, looking at some of the details here, that Illinois statute apparently uses a benchmark of $5,000 per violation. And according to this article, in the settlement, everyone would receive between $150 to $300, which, if you do the math, works out to about 1.25% of the maximum that people could get. And the judge is saying that essentially a 98.75% discount off of the recommended violation isn't going to cut it. Yeah, it's rare that you see 98.75% discounts
Starting point is 00:18:22 out there. Even in the age of Groupon, you rarely see, you know, 98% off. Yeah, I mean, it's pretty extreme. There are a couple of things that are worth noting about that. One is it's very likely that the plaintiffs thought this litigation is going to be so costly, could go on for such a long time, it might be in our best interest to just cut it off now, take the settlement that we can get, and move on. And both parties also said in some of their filings that they expected a judge, you know,
Starting point is 00:18:55 if there was a civil judgment for this class of plaintiffs, they'd expect that the amount of damages owed would be reduced anyway, so we might as well keep this case out of court. What this judge is saying is that's not persuasive because even if a judge or jury were to reduce the amount of damages, it's very unlikely that they would reduce them by a number as drastic as 98%. And, you know, I think he certainly has a point there. And he also, another thing this judge said
Starting point is 00:19:29 is Facebook still hasn't explained how this problem is going to be dealt with going forward. How is Facebook going to handle class members' facial geometry data after the settlement is finalized? And so the judge still wants some clear answers on that. So I think the judge is saying to both parties, this does not look like a fair and equitable agreement right now. This does not look like a problem that's going to be solved. So that's why he's taking this rather rare step of opening the case up. And so what happens now? Do both groups go back to the drawing board?
Starting point is 00:20:06 Where does it go? Yeah, so the judges ordered attorneys for each party to address the concerns laid out in the judge's memo. And the judge basically said, I'm not signing off on a settlement. It's very possible if you, the parties, don't adequately address my concerns that we're going to actually have a civil jury trial.
Starting point is 00:20:28 And in that case, Facebook is most likely going to owe a heck of a lot more than 1.25% of the potential damages. You know, I think it's possible that the plaintiffs will use this judge's memo as leverage and say, all right, the judge thought $500 million was too small. Let's go $2 billion, $3 billion. Pretty soon we're talking about real money. Real money, exactly.
Starting point is 00:20:56 And then maybe the judge will sign off on that, but none of us have to go to court and go through the very difficult process of a long civil jury trial. And, you know, I think that's, we could still very well see a settlement in this case. It's just going to be different than the settlement that has already been agreed upon by the two parties. Yeah, yeah. Very interesting indeed. All right. Well, Ben Yelin, thanks for joining us. Thank you, Dave.
Starting point is 00:21:36 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:22:22 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
Starting point is 00:22:41 of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:23:44 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
