CyberWire Daily - Huawei will play in UK infrastructure, at least a little. Citizen Lab on KINGDOM, a Pegasus operator. Avast and sale of user data. Happy Data Privacy Day.
Episode Date: January 28, 2020. Britain decides to let Huawei into its 5G infrastructure, just a little bit, anyway. Citizen Lab reports on its investigation of Saudi use of Pegasus spyware against journalists. Avast is again collecting user data and sharing anonymized data with a subsidiary for sale to business customers. Some Data Privacy Day thoughts on agreeing to terms and conditions, with reflections on the first systematic look at End User License Agreements, found in the final chapter of Plato’s Republic. Joe Carrigan from JHU ISI on evolving ransomware business models. Guest is Dr. Christopher Pierson from BLACKCLOAK with insights on the alleged Bezos phone hack and the vulnerabilities of high-profile individuals. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Britain decides to let Huawei into its 5G infrastructure, just a little bit, anyway.
Citizen Lab reports on its investigation
of Saudi use of Pegasus spyware against journalists. Avast is again collecting user data and sharing
anonymized data with a subsidiary for sale to business customers. Some Data Privacy Day
thoughts on agreeing to terms and conditions with reflections on the first systematic look
at end-user license agreements found in the final chapter of Plato's Republic.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, January 28th, 2020.
Computing reports that the British government has reached a compromise on Huawei.
Let the vendor into 5G's non-core peripheral parts, but no farther.
It seems to be an attempt to thread the needle between the telecom industry,
which wants inexpensive, reliable kit,
and the ability to deploy 5G infrastructure quickly,
and, on the other hand, security hawks in the UK
and among the UK's Five Eyes Alliance,
especially the US and Australia. How satisfactory all parties will find the compromise, and how
effectively the British government will be able to vet hardware and segment its infrastructure,
remains to be seen. The University of Toronto's Citizen Lab reports its conclusions that a New York Times journalist, Ben Hubbard,
was hit with Pegasus spyware in June of 2018. The vector was a text message that contained
a hyperlink to a site associated with a Pegasus operator Citizen Lab calls Kingdom, and which the
lab says is connected to Saudi Arabia. Other Kingdom targets included Saudi dissidents and an Amnesty International staffer.
The SMS message the journalist received included a link that represented itself as a story of
interest in Arab News with the title Ben Hubbard and the story of the Saudi royal family. At the
time, the domain used, ArabNews365.com, was part of the Pegasus infrastructure used by the Kingdom operators.
The report attracts interest, coming as it does amid the ongoing discussion and investigation of the alleged,
circumstantially supported, installation of some form of spyware on an iPhone X belonging to
Amazon founder and Washington Post owner Jeff Bezos.
But Citizen Lab says it sees no overlap between the incident it is reporting and the incident involving Bezos' phone.
It does see the incident as representing a disturbing pattern
in which authoritarian states use lawful intercept tools
for surveillance of journalists in particular,
but also for surveillance of dissidents.
The story of Jeff Bezos' iPhone possibly being compromised is still developing,
so we checked in with Dr. Christopher Pierson, CEO of Black Cloak, a firm that specializes in
the online protection of high-profile and high-value individuals, for some perspective.
I think we're at a point in time where we still don't know enough information,
quite honestly. There's some indication that they may have been passed on from one person to one
person to media outlets and inappropriately shared or leaked. And there are other indications of
huge amounts of data being exfiltrated from a device from the most recent forensic report that we've all looked at.
Probably both of them are true to some extent, but there are a lot of questions there. I don't
know that the forensic report has answered everything in terms of, right, didn't have
full and complete unfettered access to the device and the encryption key and all the materials on
there. So it's really, unfortunately, incomplete. And I think there's a lot more that needs to be
uncovered in terms of things that were forwarded and may have been shared inappropriately. But I think all of
those are still in play before we can have a full and complete picture of what actually
really happened and led to the leaks. Now, this sort of thing is well within your lane,
you and your team at Black Cloak, who you're in the business of protecting high-value targets like this.
Is there any sense for just the basic plausibility of this,
this speculation that perhaps he clicked on a link
and that enabled the bad guys to have access to his phone?
Are these things even plausible?
Absolutely.
I mean, as you know, that's all we protect is high profile, high net worth individuals.
There are so-called, quote unquote, intercept tools that are available to intelligence agencies globally that are meant for surveillance, meant for purposes that are good, right?
Not meant for evil purposes, but those always lie in the minds of the persons that hold and possess
and wield that power. So it is absolutely 100% possible and has happened that countries,
intelligence agencies behind countries, are able to go ahead and surveil, target and surveil
individuals through these intercept tools. And in some cases, you have to click. In other cases,
you actually don't. You literally don't have to do anything. And there is no device that is impenetrable to these types
of tools. They all exist based off of zero-day exploits and other very deep knowledge type of
exploits of the devices. Now, when you're going about protecting someone like this, if someone in a
high value situation, you know, a high profile person, is this a matter of a defense in depth
approach where I'm thinking that, you know, perhaps there could have been some detection that
the data was being exfiltrated and detecting that stream? I mean, what sort of things do you put in place
to protect someone who may be a target like this?
Yeah, it's a great question.
A lot of this starts on the front end
in terms of education, advice and guidance,
concierge assistance, questioning.
A lot of this starts there with a,
should you bring your mobile device,
essentially your entire life, your digital life,
your computer with you to places that may be more apt to surveil you on those devices,
take those devices while they're in your hotel room and implant technology that would be invisible
for you to be able to see or find onto those devices. You know, what types of preparations
do you have there? So there's a big part of this is kind of the pre-flight, if you will. What do you do beforehand, education
and training to decrease the attack surface? And then it really comes down to, right, basics of
protection, but it's not just protecting the device. You have to go ahead. I mean, Black Cloak's
tagline is protect your digital life. And it kind of rings true here. It's not one thing that you
need to do. You have to protect the whole digital life. That means protecting, you know, not just one
individual, but the family around them, the family unit around them, their home, all their devices,
their online accounts, changing methodology in terms of using password safes, dual factor
authentication. It's the whole package. How much does this trickle down to folks like you and me?
I imagine there are a lot of people out there who might think, well, a person like Jeff Bezos, sure, he's a target, but this probably isn't something that I need to worry about.
Every single person in some form or fashion that is connected to the Internet is a target.
If you're not patching your devices, these are automated scanners.
They don't need to figure out what information you have and hold. All you have to do is encrypt it and ask for a ransom. If you pay, then they know that it was
worth the amount of money that they were requesting in terms of that information. So cybercrime is
really indiscriminate in a lot of cases. But for those persons that are in the high net worth,
high profile, high visibility, you know, politicians, sports, our celebrities, I think we
had a number of teams, NFL teams, and I think players that were even attacked last night in terms of Twitter accounts
being taken over. I mean, look, these people are in the news. They're in the know. They're
high profile. They need better and different protection. But everyone, right, is going to be
a target for cybercrime these days and needs to take those basic precautions on their devices
and in their digital lives as well.
That's Dr. Christopher Pierson from Black Cloak.
A joint inquiry by Motherboard and PCMag disclosed
that marketing intelligence firm Jumpshot
was selling anonymized user data to companies
who found it valuable for various marketing purposes.
The Prague-based security firm Avast owns a majority stake in Jumpshot.
Motherboard and PCMag concluded that Avast's free antivirus software collects data on behalf of Jumpshot,
which then provided the information to its customers.
There are a range of marketing and business intelligence use cases for anonymized
histories of users' internet browsing. Avast explained one of them to Forbes back in December.
Typical customers would be, for example, investors who would be interested in how
online companies are doing in terms of their new campaigns. The sales pitch, Motherboard writes,
was every search, every click, every buy, on every site.
Some very large companies bought data from Jumpshot, among them, according to Motherboard, Home Depot, Google, Microsoft, Pepsi, and McKinsey.
Some, perhaps most users, are unaware that their data are being sold.
They were given the opportunity to opt into such collection, although it's unclear how obvious
the scope of the collection was to them. It's notoriously difficult to get consent to collection
that retrospectively looks like informed consent once stories like this come to light. Although
the data Avast collected were anonymized before Jumpshot passed them to its own customers,
those data are also sufficiently rich to offer some prospect of de-anonymization.
In any case, it's a bad look for the company,
whose browser extensions were removed from Mozilla, Google, and Opera stores in December
over similar data collection.
Avast stopped collecting via extensions, Motherboard reported last month,
but the company appears to have shifted to collecting via its antivirus software.
Avast is seeking to make a fresh start, offering users of its product a chance to opt out of the collection,
but some remain unmollified.
PCMag writes that U.S. Senator Warner, Democrat of Virginia,
has asked the Federal Trade Commission to increase enforcement actions against such sale of customer data. As it happens, these stories come up on Data Privacy Day,
or as they call it across the pond, Data Protection Day. And we wish you the joy of
the season, of course, but suggest that you consider what role we may have as individuals
in protecting our own data. Ordinary cyber hygiene, of course, is important, and we
won't spend much time on that today. It might be worth thinking again about the importance of
reading privacy policies before you just click through them. Yeah, and we know, blah, blah, blah,
blah, blah. Sure, now take me to those saucy videos you promised, the stock tips and the apps that will
keep me young forever. USA Today observes Data Privacy Day by pointing out that you and me too, friends,
are all too ready to do just that. Deloitte found in 2017 that more than 90% of users don't really
bother reading the fine print, which always, always, always taketh away. And a more recent
experiment by ProPrivacy.com says it's even worse. They asked internet users to take a survey as part
of a market research study, and they offered a $1 reward. The survey asked those who took it to
agree to the terms and conditions, and then it tracked how many people actually clicked through
to read them. Of the 100 people in the study, only 19 actually clicked over to the terms and
conditions page, and of those 19, apparently only one of them read the lengthy text closely enough
to realize that, among other things, accepting the terms would give their mom access to their browser history
and would give the survey takers the right to name the participant's firstborn child
and would give drone access to the airspace over their house.
Or maybe the other 18 did notice, but they were just cool with the matriarchal audits,
crowdsourced child naming, and domestic open skies policies.
Bear these results in mind when you think about Avast's data collection.
And if you're in the business of writing privacy policies, consider striving for clarity.
You've got to reach a pretty inattentive audience, but
it may be worth it. But if you won't believe USA Today, maybe you'll believe Plato, whose republic
ends with an account of the biggest EULA of them all, where souls between lives get to choose the
life they'd lead next. The greedy and the hasty don't look beyond the first benefit and choose,
for example, to become tyrants able to gratify every avaricious and lustful impulse,
but don't read far enough to notice that they're also choosing to commit crimes
that will merit hideous punishment in the next round of the afterlife.
The one soul who took its time and read the whole thing, the soul of Odysseus,
chose a quiet, peaceful life and left well satisfied.
Being flogged around the Aegean for 20 years by vengeful gods will help you wise up.
Or nowadays, so will getting all those emails from your app's friends and partners just on those topics your app thinks you'll find interesting.
So, happy Data Privacy Day.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
We wanted to discuss today some interesting evolutions that we're tracking when it comes to ransomware and the business models that the scammers are using.
Right. I'm fascinated by the business models and the economics of the underground economy.
Yeah. Take us through what you're tracking here.
So a couple of months ago, you and I talked and there was the speculation that there was going to be ransomware coupled with blackmail for releasing documents,
right? And I said that that wasn't going to be a successful business model.
Okay. Because?
Because the model I envisioned was you get your files encrypted and stolen, right? But you don't
know they've been stolen. You just know they've been encrypted. So you pay the ransom for having
them decrypted,
right? Which is valuable to you. And then the criminals come back and they say, okay, well, now we're going to release the documents if you don't give us more money, right? At that point
in time, I said that nobody's going to agree to that because there's really nothing that stops
them from asking you for more money over and over and over again. Right. But what has happened is they are now essentially
giving you the two for one option. Right. They're incentivized. They've increased the incentive.
So now when you get your files encrypted, the ransomware notice or the ransomware negotiation
says, also, if you don't pay the ransom, we will release your files. Yeah. Right. That changes the
value proposition dramatically. Right. Now I get two
benefits from paying the ransom. So if my files get encrypted and, and the, the person says,
I won't release them if you pay the ransom, I won't make the public. If you pay the ransom,
then the incentive for me to, to pay the ransom has gone up while the cost has remained the same.
It also seems to me like in the, at the outset that they're putting a little more pressure on you
because it's the time issue of not only getting your files back,
which you could say, well, hey, no problem.
I've got good backups, so go pound sand.
But if they say, oh, no, no, no, that's great that you have your adorable backups, but we're going to start releasing these files publicly.
Right.
And you'd hate to have that happen.
Yes.
And you can decrypt in place, which will be a lot faster than restoring from backups as well, right?
Mm-hmm.
Theoretically.
My point still stands, though, I think, that if let's say that I scam you out, or I lock up your files and steal them.
And I say, Dave, it's $100 for you to decrypt them.
And if you don't decrypt them, I'm going to release them to the public.
So you say, okay, Joe, here's $100.
And I decrypt them and I don't release them.
Then I say, Dave, I need another $100 or I'm going to go ahead and release them.
And you said, hey, we had a deal.
And I said, well, the deal's changed.
I'm altering the deal.
Got to get that Star Wars reference in, right?
So, the incentive for you to
pay that second ransom demand is
a lot lower. Because if you
pay me, let's say you give me another $100,
there's nothing to stop me from coming back in another week
and going, you know what? In order to keep these files
secret, I'm going to just need $100 from you on a weekly
basis. Yeah.
Right?
And at that point in time, the value,
it's the law of diminishing return takes over.
But don't you think that some of the,
that the threat of having things released publicly
would be compelling to some people?
Yeah, that's correct.
It really depends on the contents of the material, right?
Mm-hmm.
But there's nothing to stop somebody from, first off, telling you that they haven't released
the information and then the back end selling it to somebody else, right?
You have no control over the data anymore.
Right.
Right?
It's much like the Snowden leaks.
This data is now public domain.
Yeah.
It's out there.
And there's nothing you can do to stop it.
Right.
So I guess it's a matter of cutting your losses and not getting into a sunk cost fallacy, that sort of thing.
Exactly.
Yeah.
Yeah.
All right.
Well, boy, these things continue to evolve, don't they?
Dave, it's going to get worse.
That's my prediction.
And on that sunny note, Joe Carrigan, thanks for joining us.
My pleasure.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.