CyberWire Daily - DPRK's Sun Team works from three apps in Google Play. PII for sale in Zhejiang. SPEI theft. Jihadist content in social media. SEA charges. DDoS-for-hire sentencing. ZipperDown bug.

Episode Date: May 21, 2018

In today's podcast, we hear that North Korea's Sun Team is rising in Red Dawn. Much PII, mostly out of Japan, appears in the black-market stall of a poorly reviewed vendor. The Mexican bank raid seems, the Central Bank says, to have started with a small brokerage and spread from there. Facebook and Google+ continue to be infested with jihadist inspiration. More charges for alleged Syrian Electronic Army hoods. A man gets fifteen years for, among other things, DDoSing former employers. And mobile app users? XYZ. Ben Yelin from UMD CHHS on controversy involving North Carolina police using overly broad warrants to gather location data from Google.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Sun Team rises in Red Dawn. Much PII, mostly out of Japan, appears in the black market stall of a poorly reviewed vendor. The Mexican bank raid seems to have started with a small brokerage and spread from there.
Starting point is 00:02:10 Facebook and Google Plus continue to be infested with jihadist inspiration. More charges for alleged Syrian Electronic Army hoods. A man gets 15 years for, among other things, DDoSing former employers. And mobile app users? XYZ. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 21, 2018. McAfee researchers are tracking the Sun Team, a DPRK threat group operating a mobile malware campaign, Red Dawn, against North Korean defectors. They're using Google Play and Facebook to spy under the guise of beta applications. Three bad apps have been found.
Starting point is 00:02:58 Food Ingredients Info, for the health conscious out there. And two bogus security apps, Fast AppLock and AppLockFree, for the rest of you. The initial quiet infection is via the Play Store. The larger, noisier spread is through contagion by Facebook. FireEye's iSIGHT unit has found a great deal of Japanese personally identifiable information for sale in a Chinese black market, apparently culled for the most part from earlier big breaches. The material seems genuine enough, and it comes mostly from Japanese
Starting point is 00:03:32 databases. Who is the vendor selling this stuff? FireEye speculates. Speculates, they say, that it's an individual living somewhere in China's Zhejiang province. Whoever it is seems to have been in business underground since 2013. The criminal vendor gets low grades from the black market's equivalent of Yelp. And yes, black market buyers do rate their vendors. There are a lot of complaints that buyers don't get what they expected when they ponied up. One good bit of advice is to avoid reusing passwords. Exploitation of compromised, reused credentials seems to be the biggest danger here.
Starting point is 00:04:16 Inquiry into the recent rash of unauthorized transfers from Mexican bank accounts continues. The Bank of Mexico says that while its investigation of a series of criminal raids on the Interbanking Electronic Payment System, SPEI, is still in progress, they've concluded that the initial attack came through a small brokerage house. Losses in the theft are estimated to come to some 300 million Mexican pesos, a bit more than 15 million U.S. dollars. Bank of Mexico Governor Alejandro Diaz de Leon has said that three banks, a broker and a credit union were affected, but he declined to name the institutions involved. Facebook continues to struggle with content moderation. Terrorist imagery and propaganda is one category the company has expressed a desire to purge, but Facebook has met with indifferent success. The Global Intellectual Property Enforcement Center and the Digital Citizens Alliance say it's easy to find jihadist
Starting point is 00:05:11 exhortations and imagery of unbelievers' executions. You just have to know which hashtags to follow. Also, while in many respects forgotten, Google Plus isn't gone and it has become a popular channel for jihadist inspiration. Two alleged members of the Syrian Electronic Army, Ahmad Umar Agha, 24, the Pro, and Firas Dardar, 29, the Shadow, now face 11 U.S. federal counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft. Both men remain at large. They were principally phishers. They successfully targeted employees at The Washington Post, CNN, the Associated Press, National Public Radio, The Onion, Human Rights Watch, NASA, Microsoft, and the Executive Office of the President. Among their capers were tweets
Starting point is 00:06:06 from a hijacked AP Twitter account that falsely claimed the U.S. President had been injured in a bombing. One of their co-conspirators, Peter Romar, pleaded guilty in 2016 and was sentenced to time served. The new charges, Security Week notes, come as the five-year statute of limitations on their original 2014 charges is approaching its expiration date. Tokyo police have concluded their investigation of a May 2015 breach of the Japan Pension Service, in which an attack exposed one and a quarter million items of personal information. The investigation is over, not because they got their hacker, but rather because the statute of limitations has expired. This has us wondering.
Starting point is 00:06:53 Two statute of limitations stories in one week. What is the statute of limitations for cybercrime? Does it differ by severity of crime? It clearly differs by jurisdiction. So how long do you have to stay on the lam, hypothetically speaking, before you're beyond the reach of the long arm of the law? We're asking for a friend. Let us say right up front that said friend is not one John Kelsey Gamble of New Mexico,
Starting point is 00:07:22 who pleaded guilty back in January to a count of conspiracy to cause damage to a protected computer. He's said by prosecutors to have hired various booter services, DDoS for hire, to hit former employers, competitors, and public services, people he had a grudge against. A partial list of his victims includes Washburn Computer Group, the Minnesota State Courts, Dakota County Technical College, Minneapolis Community and Technical College, the Hennepin County Sheriff's Office, which suggests that while he may have been from New Mexico, his interests were up in Minnesota and the Dakotas. The judge gave him 15 years. Stiff, but he wasn't a first offender. He'd had an earlier felony conviction on his record, and in addition to the hacking charge,
Starting point is 00:08:08 he went away for two counts of being a felon in possession of a firearm. Friday is GDPR Implementation Day, and we'll remind you of this daily. Today's story involves the cost of compliance. It's driven a few online games out of business, like Loadout and Super Monday Night Combat, and some others at least out of Europe, like Ragnarok Online. The cost of either rewriting or shifting to a new platform has been proving prohibitive, so they bid farewell in a twilight of the gamers. And finally, there's a new frontrunner in the names-for-vulnerabilities marketing sweeps. This one, discovered and named by the
Starting point is 00:08:46 jailbreakers at Pangu Lab, is called ZipperDown. Pangu's report is a little vague on details, but they think for sure that it's a common programming error which leads to severe consequences such as data overwritten and even code execution in the context of affected apps. They think a lot of mobile apps are probably vulnerable, but sandboxing in iOS and Android is probably a good defense against it. Still, here we are mentioning it. And why? Because Pangu called it ZipperDown is why. Sure, it's vulnerability research, kids, but don't fool yourself. It's also commerce.
Starting point is 00:09:50 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:23 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:11:14 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We had an interesting story come by. This was from WRAL, a TV station in Raleigh, North Carolina.
Starting point is 00:12:07 And they were talking about the police managing to piece together a crime using some information from Google. Fill us in on what's going on here. been actually securing warrants from a court down in North Carolina to collect the location data of any device that was in a given location when a crime was committed. So they actually provided an example of one of those warrants in the article, and they'll give GPS coordinates. So within GPS coordinates X and Y, which devices were there? What are their phone numbers? Who do those phones belong to? They can either rule people out or in as having committed the crime. That presents obviously a lot of legal issues and potentially some major privacy violations. Now, in terms of the legal side, the city of Raleigh
Starting point is 00:12:57 is actually on relatively strong legal grounds because they got a warrant. If they had just gone to Google and requested this information and had Google comply voluntarily, or even if they had sought some sort of subpoena, that I think might have created more legal difficulty. They did get a warrant. There was somebody from the judicial branch who actually approved the search, and that's going to give it a little bit more legal credibility. It seems broad to me. Extremely broad. So you're absolutely right about that. The purpose of the Fourth Amendment is to have this sort of particularity.
Starting point is 00:13:31 So the warrant, per the language of the Fourth Amendment, identifies what is to be searched, who is to be searched, with some level of particularity. This is the exact opposite of that, right? It's not search whether individual X was in a given area at this particular time. It's searching that area to determine which individuals, which devices were contained within that area. And I think that could potentially run afoul of the particularity requirement. I think what the government would say is that you sort of relinquish your reasonable expectation of privacy in your location when you use your smartphone device. You have to know that your smartphone, whether you're using a Google Maps app or whether you're trying to make a phone call, is going to be able to obtain your location, whether it's through GPS tracking,
Starting point is 00:14:19 whether it's just the cell phone tower that pings your phone. And because you know that, at least the traditional view of the law, you have forfeited your expectation of privacy in that information. What some of the privacy advocates said in this article, and which I think is a really important point, is that outlook might be outdated because we don't really have a choice. Just because we use a device that literally every person uses and every person basically needs for their job, their familial engagements, their political and religious affiliations, just because we have that device, that means that we're forfeiting our right to privacy and that the government can determine whether we were in a particular location at a particular
Starting point is 00:15:01 time. That really rubs me the wrong way. And I think it would really rub a lot of the American public the wrong way. So while I think because they obtained a warrant, they're on higher legal ground than they otherwise would be, I think there are significant ethical dilemmas and privacy dilemmas that come with this decision. And how do you suppose it'll play out from here? Well, the issue is somebody has to have standing to challenge this in court. So, so far, in the instances that the article mentions where this technology was employed,
Starting point is 00:15:32 only one person has been arrested. So what has to happen is that person will go through the criminal process. If they're convicted and that conviction is based on this evidence, I think they have reasonable grounds to challenge the conviction. They could say some county judge approved a warrant for an overbroad search that runs afoul of the Fourth Amendment, and that could be a very strong basis for appeal. And that would go first to the North Carolina intermediate court, potentially up to the North Carolina Supreme Court. I think this is, even though the issue is slightly different, we'll get a reasonable view on how the Supreme Court sees this when they come down with their Carpenter v. United States decision, which should come down sometime this spring, about whether you have a reasonable expectation of privacy in your cell site location information.
Starting point is 00:16:20 So that should give us at least some guidance as to how the Supreme Court of the United States sees this issue. All right. Well, we'll keep an eye on it. Ben Yelin, as always, thanks for joining us. Thank you. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:17:04 today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:17:49 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:18:32 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
