CyberWire Daily - Mr. Assange’s courthouse future(s). Dragonblood Wi-Fi vulnerabilities. Tax fraud and identity theft dark web souks.

Episode Date: April 12, 2019

Julian Assange remains in British custody. Hearings on the US extradition warrant are expected to begin next month. The US indictment revives discussion of the Computer Fraud and Abuse Act under which Mr. Assange was charged. Some notes on why Ecuador decided to revoke the WikiLeaks leader’s asylum. Notes on Dragonblood. And we’re at the end of tax season, but the dark web souks are still hawking 1040s and W-2s. Ben Yelin from UMD CHHS on pending state legislation restricting law enforcement use of DNA data. Guest is Eric O’Neill, former FBI operative and author of Gray Day, My Undercover Mission to Expose America’s First Cyber Spy. This is a preview of the full interview that will run on Sunday. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_12.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Julian Assange remains in British custody. Hearings on the US extradition warrant are expected to begin next month. The US indictment revives discussion of the Computer Fraud and Abuse Act under which Mr. Assange was charged. Some notes on why Ecuador decided to revoke the WikiLeaks leader's asylum.
Starting point is 00:02:14 Notes on Dragonblood. Eric O'Neill joins us. He's author of the book Gray Day, My Undercover Mission to Expose America's First Cyber Spy. And we're at the end of tax season, but the dark web markets are still hawking 1040s and W2s. From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Friday, April 12, 2019. As Julian Assange, the face of WikiLeaks, begins his efforts to resist extradition to the U.S., observers comment on the charge he faces,
Starting point is 00:02:55 which is essentially conspiracy to hack into a non-compliant computer in violation of the Computer Fraud and Abuse Act. Mr. Assange, the U.S. maintains, offered to help the then U.S. Army Specialist Manning crack passwords to gain access to classified files. He's not charged with espionage or with possession of classified material.
Starting point is 00:03:16 Those sympathetic to Mr. Assange, like Edward Snowden, WikiLeaks itself, and Britain's Shadow Home Secretary Diane Abbott, see the indictment as a way of railroading him, especially since the offer to help then-specialist Manning break into government systems seems more an act of stumble-bum hubris than the sinister act of a criminal mastermind. It apparently didn't succeed, and it apparently wasn't repeated, but it did happen. As the Washington Post notes, many security experts
Starting point is 00:03:46 have long thought the Computer Fraud and Abuse Act outmoded and overly broad, but the prosecution would not appear, taken by itself, to represent a threat to journalists' First Amendment rights. Besides, as former NSA Associate General Counsel April Doss told courts that kind of hacking isn't a journalistic best practice. Many agree with her and see conspiring to break into a computer in search of files as analogous to conspiring to break into someone's house in search of files. It's early, of course, to guess how Mr. Assange's legal affairs will play out. He will be sentenced for yesterday's bail-jumping conviction at some time in the future, and his extradition hearing is set to begin next month. A bit more has emerged on why Ecuador decided to revoke Mr. Assange's asylum. That asylum was granted seven years ago by Ecuador's previous government, regarded as having been significantly farther left than the current administration.
Starting point is 00:04:43 The present government has been unhappy with Mr. Assange's continuing involvement with WikiLeaks from within the confines of their London embassy. They also say that he had become an increasingly difficult guest. More seriously and controversially, Ecuador's government says their guest was engaged with others online and connected to Russian intelligence services in attempts to destabilize that government. Mr. Assange and WikiLeaks have long been regarded as Russia-friendly. That's of course no crime, but the optics, as they say, aren't good. The U.S. prosecution, if it occurs, will be particularly interesting in three ways.
Starting point is 00:05:21 First, the government is widely expected to be interested in adding more charges to the one already in the indictment. Speculation to this effect is particularly common in the British press. The Times of London writes about Mr. Assange facing decades in prison. They know that a single count of violating the Computer Fraud and Abuse Act would carry a sentence of at most five years, but they expect other counts to be added. Whether the federal prosecutors do so remains to be seen. Second, how the government handles this prosecution without running afoul of the First Amendment will be worth watching. So far, they seem to be working hard to avoid this. Third, the political implications of whatever may come out in court are unpredictable and probably, at this stage, unknowable,
Starting point is 00:06:06 but there's much cross-cutting speculation and mutually incompatible hope circulating at the moment. University researchers Mathy Vanhoef of New York University Abu Dhabi and Eyal Ronen of Tel Aviv University and KU Leuven report that secure Wi-Fi protocol WPA3's SAE handshake may be susceptible to the same kind of exploitation as its predecessor, WPA2, was. One of the problems lies in the transition mode designed to ensure backward compatibility with the older protocol. They're calling the five vulnerabilities Dragonblood because they're related to the protocol's Dragonfly handshake. We heard from WatchGuard Technologies' Ryan Orsi, the security company's director of product management. He would like people to understand that WPA3 represents an improvement over WPA2, but that it's not proof against a number of known Wi-Fi threats. Dragonblood vulnerabilities mostly affect those devices that were released with WPA3 support
Starting point is 00:07:06 and, he says, that manufacturers are currently getting patches out for those. How would attackers use Dragonblood? Orsi says the most probable approach would be through an evil twin access point or a rogue access point. The terms perhaps require some clarification. An evil twin access point is one established by an attacker to give the appearance of legitimate Wi-Fi access, but that in fact is there for eavesdropping and other illegitimate purposes. A rogue access point is one established within a network, but unofficially, without the administrator's permission. Rogues may be well-intentioned but misguided forms of shadow IT. Carbon Black continues to track the maturation of the dark web's black market in tax fraud and identity
Starting point is 00:07:52 theft tools. They're increasingly commodified and cheaper than ever. Here are some of the things they've found. Hoods are trading W-2s and 1040 forms. These are, we note for our international audience, U.S. reports of wages and tax filing forms, respectively. And they're also offering what Carbon Black calls how-to guides for illicitly cashing out tax returns, a kind of tax fraud for dummies. W-2s and 1040s fetch between half a buck and a dollar. Other info an identity thief or other bunco artists might find interesting. Things like names, social security numbers, and birthdates. These things can be had for between 19 cents and 62 dollars. The study is dispiriting, to say the least. Another form of petty crime with
Starting point is 00:08:38 low barriers to entry afflicts the law-abiding who simply wish to lead peaceful, quiet lives. As Carbon Black notes, listings include previous year's W-2 forms, Form 1040 information and Social Security numbers, among other information, indicating that cybercriminals are not just looking to make a quick buck, but also trying to steal a person's financial future. And this reminds us,
Starting point is 00:09:01 Monday is April 15th, tax day in these United States. And as they say in Secaucus, forget about it. We better get those returns in the mail, right?
Starting point is 00:11:36 And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. Interesting story came by from Wired. This is, should cops use family tree forensics? Maryland, which is our home state, isn't so sure. What's going on here? Yeah, so there's a bill currently pending in front of the House of Delegates in Annapolis here in Maryland, and that bill would prohibit law enforcement from searching DNA databases collected through some of these public websites like Ancestry.com and 23andMe. People voluntarily will submit their DNA to these websites. They are aware that this information is
Starting point is 00:12:19 going into a public database, even if they're not aware that most law enforcement agencies across the country, in fact, have access to these databases to match them up against the DNA of suspected criminals. And we've seen some very high profile cold cases that have been resolved based on data submitted through Ancestry.com and 23andMe. People innocently trying to track their genealogy end up causing the downfall of some of their distant relatives. There's this case in California, I think like a 40-year cold case, where they were able to identify the killer because his DNA was linked to someone who was doing genealogy research through 23andMe. What this bill in Maryland would do would be to prohibit our law enforcement agencies from searching those databases in an effort to solve unsolved crimes.
Starting point is 00:13:12 And why? What's the concern? It's born out of privacy and civil liberties concerns. submitting the data are doing so with the understanding that they are doing genealogical research and not that they're potentially subjecting their distant relatives to arrest. And it is a suspicionless search for those who have been arrested. The government didn't get any kind of warrant to conduct a search of the suspect's DNA, they were able to obtain it without any sort of judicial authorization. Now, the caveat to that is the only reason a suspect's DNA is in the system is because the DNA was obtained at the scene of the crime or in connection with the crime.
Starting point is 00:13:59 For the purpose of making arrests, obviously if somebody's DNA is in the scene of the crime or is part of a criminal investigation, they're going to be suspects in the crime. That certainly would be probable cause to justify an arrest. But the information that would have led to that arrest is obtained without any sort of judicial authorization, which in reality can be the source of law enforcement abuse if it's not checked by a warrant issued by a neutral magistrate. It has been legal in Maryland since 2008 to conduct these searches of these databases. Delegate Sydnor, who is a Baltimore delegate, son of law enforcement, so somebody who has a personal connection to the law enforcement community, is also a civil liberties advocate. And he has proposed this piece of legislation
Starting point is 00:14:51 to take that tool away from law enforcement, and that would force law enforcement to use different tactics to try and solve some of these cold cases. Really, it's a values judgment. Are we more interested in having a database of DNA submitted voluntarily and DNA that has been made public to help solve crimes? Or is it more important to not have warrantless access to this bevy of information, information that was not volunteered by the person who's going to be facing the consequences. So you can see analogs in the physical world, and that's probably where courts get guidance from these issues. There's a famous case of who was the big mafia guy who was arrested for tax fraud? Oh, Al Capone? Al Capone, yeah. I'm pretty sure it was Al Capone who they were wiretapping somebody that he was talking to, but not wiretapping him. But he incriminated himself in that conversation. And as a result, he was put under arrest.
Starting point is 00:15:56 And the Supreme Court held that you don't have a reasonable expectation of privacy when you are communicating with other people, even if you're the person who is not subject of surveillance. By putting information out there publicly, it's in the public domain and it's accessible to law enforcement. I think that has some close analogs to people submitting DNA, having it be public, having it be something that law enforcement has access to. Yeah. It's interesting. Changing times, for sure. Absolutely. All right, Ben Yelin, thanks for joining us. Thank you.
Starting point is 00:17:21 Eric O'Neill is a former FBI counterintelligence and counterterrorism operative and founder of the Georgetown Group, a security and investigative firm, as well as national security strategist for Carbon Black. In his book, Gray Day, My Undercover Mission to Expose America's First Cyber Spy, Eric O'Neill shares the fascinating and sometimes harrowing tale of his experience being assigned to help expose Robert Hanssen, the FBI's most notorious mole. In 2001, Hanssen pleaded guilty to multiple charges of espionage for sharing classified information with the Soviet Union and Russia over the course of over two decades. My full interview with Eric O'Neill will be released this Sunday.
Starting point is 00:18:06 Here's a preview of our conversation. I wasn't prepared to investigate a spy in this manner. You know, during my entire time in the FBI, all those years, I was what's called an FBI ghost. So I was an undercover operative. I pursued terrorists and spies primarily around the Washington DC area. And most of my role was to surveil and investigate targets that we suspected or knew were spies or terrorists. And suddenly my supervisor shows up from my house unannounced, it's the first chapter of the book, and asked me if I know a guy named Robert Hanssen. And I say, no, I hadn't investigated him. And he said, good, because we want you to go undercover and investigate him.
Starting point is 00:18:51 And I said, why did you have to come out here on a Sunday to tell me that? That's what I do. And he said, we don't want you to ghost him, Eric. We want you to work undercover in an office we're going to build for him in FBI headquarters. And we want you to go undercover as yourself. For me to do this kind of role for a non-agent, I mean, I had a badge and I had credentials. The only difference between the ghosts and the agents are we don't make arrests and we're typically not armed because it's hard to conduct surveillance when you're armed. But the problem was, they couldn't find an agent who had the combination of knowledge of counterintelligence and spy hunting, which I had from my years on the street as a ghost, and the ability
Starting point is 00:19:35 to turn a computer on and understand what was happening. I just happened to meet both of those qualifications. Because what we were doing is we were putting Hanssen in charge of a new section in the FBI that was built just for him. It was called the Information Assurance Security Team. It was built to examine the FBI's computerization efforts, the security behind them, and build information security for the FBI. This was 2000-2001. Today we would call that cyber security. So follow me here. They took the biggest spy in US history, the first cyber spy in US history, and put him in charge of building cyber security for the FBI. And the only other person he put in the room with him to keep him
Starting point is 00:20:23 from giving up these secrets and catch him in the act was a 26-year-old ghost who they pulled off the street and threw into a role that I wasn't prepared for and had to learn on the job. Eric O'Neill worked as Robert Hanssen's assistant and quickly learned to navigate Hanssen's quirky and sometimes volatile personality. In time, O'Neill saw a potential avenue for collecting evidence of Hanssen's spying. He kept a Palm Pilot. And yes, I'm bringing everybody back into technology. But the Palm Pilot, a digital, a personal data assistant, a PDA, one of the original ones, and this was a Palm 3. So it was this big clunky thing. And he kept his entire life calendared in that thing. And when I asked him about it, he said, I've written the encryption on this myself. Even these idiots, and these are his words, not mine,
Starting point is 00:21:11 that the FBI couldn't crack it on their best day. I mean, wow, come on. So I looked at him and I said, all right, well, and in my mind, I was thinking we need to get this away from him. The problem was he kept it in his left back pocket because it was so precious to him. He never pulled it out of his pocket until he slid it in his bag next to his desk and only when he was sitting down. So that's tough. I mean, how do you distract someone and get it away with enough time? So we had to come up with this crazy plan to separate him from the Palm Pilot with enough time for a tech team to copy it and allow me to put it back before he knew it was gone. So we had to physically remove it from him
Starting point is 00:21:51 using what we call a pretext or in FBI speak, some shenanigans to get him away from it, sufficient time for me to get it down, copy it and get it back. So what we did is we used everything we learned about him in the investigation. He has massive, massive narcissism, which meant that he had no respect for anyone above him in seniority or in authority. He didn't like to be interrupted and he really liked to shoot. So we had an assistant director and a special agent named Rich Garcia, who was the only other person on the ninth floor who knew about this investigation. The two of them walk in, right? The ADIC, the assistant director was read into the case just for this
Starting point is 00:22:35 operation. And they come in unannounced. When Hanssen was sitting down, that was important, slap $20 on his desk and say, you and us downstairs, rifle range right now, $20, I beat you, right? And he tried to say no. And the assistant director said, this is not a request. So he's mad. And he walks out after them grumbling with his gun and his ear protection and eye protection and all the stuff you need to go down all the way to the sub-basement and shoot. And for the first time, he breaks his routine and doesn't grab that Palm Pilot. So I was really excited. I get a page saying he's in pocket shooting. So I run to his bag, open all four pockets. They're all identical, pull out the Palm Pilot and I find a data card and a floppy disk. All that stuff has data, right?
Starting point is 00:23:20 Grabbed it all, ran down three flights of steps, handed it off to a tech team using this program called Norton Ghost. So you can literally see the bar going across as they're copying this. Oh, yeah. And I'm like watching the bar, like 20, 21, and I'm dancing around and I'm so nervous and I'm so stressed out, they throw me out of the room. So now I'm standing in the hall and I get another page. And I look and it says, out of pocket, coming to you. So, you know, I knocked on the door. I was like, very polite.
Starting point is 00:23:52 Hey, guys, I'm going to need the Palm Pilot and the floppy disk and the data card. I need it now. And they're like, oh, we're almost done. Don't worry. I said, you don't understand. He's armed and I'm not. He's angry. I need to be there before him. They got it. It took a little while. I knew I had about nine minutes. If the
Starting point is 00:24:09 guy ran, he probably wasn't going to run up to the office, but he was going to hurry. And I got it. I ran up three flights of steps. I slammed the big door to the SCIF behind me, which saved me. I ran into his office. It was a little separate office, you know, off of my main pit area office. Got to his desk, knelt down before it, felt like I won, and realized I have three devices, four pockets, and no idea which pocket I was supposed to put things into. Total rookie mistake. I sat there trying to figure out how I was going to remember, and I was stressed. And the more stressed you get, the worse your recall. And as I'm trying to figure this out, I hear him come through the door.
Starting point is 00:24:59 The rest of the story and my complete interview with Eric O'Neill can be heard this Sunday on a Cyber Wire special edition. It'll show up in your podcast feed and on our website, thecyberwire.com. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:25:47 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
