CyberWire Daily - New, Mirai-based threat in the wild. PLA told to steer clear of US election stories. Big data in small spreadsheets. John McAfee arrested. A hackable marital (or something) aid.
Episode Date: October 6, 2020. Spyware version of Mirai detected in the wild. The People's Liberation Army is told, by its government, to lighten up on US election stories. Centripetal wins a major patent lawsuit. Excel is not a ...big data tool. John McAfee is arrested on US tax charges. Our guest is Roger Barranco from Akamai on tracking increased DDoS attacks. Ben Yelin on a case involving warrants for Wifi location data. And an aid to chastity is found to be hackable, but at least it errs on the side of continence. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/194
Transcript
You're listening to the CyberWire Network, powered by N2K.
A spyware version of Mirai has been detected in the wild.
The People's Liberation Army is told by its government to lighten up on U.S. election stories.
Centripetal wins a major patent lawsuit.
Excel is not a big data tool.
John McAfee is arrested on U.S. tax charges.
Our guest is Roger Barranco from Akamai on tracking increased DDoS attacks.
Ben Yelin on a case involving warrants for Wi-Fi location data,
and an aid to chastity is found to be hackable.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, October 6, 2020.
Threatpost reports that 360 Netlab researchers have found a version of Mirai botnet malware,
Ttint, in the wild,
operating against Tenda routers.
Ttint has both remote-access Trojan and spyware functionality.
Information operators in China's People's Liberation Army
have been told to go easy on stories about the U.S. election,
the South China Morning Post reports.
This seems less an irenic gesture than it does a ratcheting up of central control
over a campaign that could run in directions not necessarily
to the Chinese Communist Party's advantage.
Centripetal Networks has won a large judgment
in its patent infringement case against Cisco.
The United States District Court for the Eastern District of Virginia
found in favor of Centripetal and ordered the defendant to pay,
according to Bloomberg, $1.9 billion to the security firm.
A press release from Herndon, Virginia-based Centripetal
calls the award the largest of its kind issued by a U.S. court.
Have you noticed a big surge in the number of COVID-19
cases reported across the pond in the mother country? So have a lot of people in England. But
that's actually an IT issue as opposed to a clinical one. A spike in English COVID-19 cases
may be due not to infection but to bureaucratic misunderstanding of Office 365.
Public Health England said it had corrected a technical issue in the data load process
by which officials shared positive test results.
Public Health England isn't saying much more, but according to The Independent,
Prime Minister Johnson has been forthcoming in ascribing the glitch to a failure to appreciate that Microsoft Excel spreadsheets have limits in the number of rows and columns they can handle, so the data was truncated.
Excel is a useful product, but it's not intended to be a big data tool.
The U.S. Justice Department has indicted security pioneer and inveterate bad boy John McAfee on 10 counts related to income tax evasion.
Coindesk reports that Spanish police have arrested him pursuant to a U.S. request and that he presumably faces extradition proceedings.
Unpleasant as this all is, it's not the end of his legal problems, unfortunately.
The U.S. Securities and Exchange Commission has also filed a civil complaint against Mr. McAfee in connection with his involvement in pumping altcoin offerings.
The commission alleges that he, as the SEC puts it,
leveraged his fame to make more than 23.1 million U.S. dollars in undisclosed compensation by recommending at least seven
initial coin offerings, or ICOs, to his Twitter followers.
The ICOs at issue involved the offer and sale of digital asset securities, and McAfee's
recommendations were materially false and misleading for several reasons.
The specific improprieties the SEC alleges are interesting.
First, he didn't disclose that his promotion of the ICOs was compensated by the companies
issuing the securities. The SEC calls this unlawful touting, for which he made around
$23.2 million, which he is said to have kept quiet about not only to prospective investors, but to the
Internal Revenue Service as well. The SEC also says he lied to investors when they directly asked
him if he were being compensated for his endorsement. Second, Mr. McAfee is said to have
falsely claimed to be either an investor or a technical advisor to the issuers, which suggested to
prospective investors that he'd checked the issuing companies out, and that his recommendation
was well-informed, impartial investment advice. Third, after a blogger exposed what was going on,
Mr. McAfee sought to cash out a large number of virtually worthless securities from the ICOs he had previously touted.
He allegedly did so by encouraging investors to buy while he himself was trying to dump his holdings.
Finally, he's said to have engaged in what the SEC calls scalping, which involves accumulating
large amounts of the digital asset security and touting it on Twitter without disclosing his
intent to sell it. The SEC wants to disgorge, as they put it, the millions he made, and to
enjoin Mr. McAfee from doing the same in the future. So, don't do likewise. We should also
note that while Mr. McAfee founded the company that still bears his name, he's had no connection with it for a couple of decades.
Finally, have you considered a network-connected marital aid?
Of course not. Neither have we.
But someone apparently has.
TechCrunch reports that a digital smart male chastity appliance,
and we hesitate here because it's not entirely clear
whether this would be a chastity enforcer
or a device that promises some form of gratification,
and we confess we're generally unfamiliar with the sector as a whole,
a smart male chastity appliance is apparently hackable.
Pen Test Partners said the device in question,
the Qiui Cellmate Internet Connected Chastity Lock,
which the manufacturer says is the world's first app-controlled chastity device,
could have allowed anyone to remotely and permanently lock in the user's membrum virile.
The ominously named Cellmate is lockable and unlockable via an app,
because of course it is.
And unfortunately, said app was at one point unprotected by a password,
so any interested party wouldn't need so much as an open sesame to take charge.
Anywho, Pen Test Partners contacted
the manufacturer, who said they'd installed some password functionality, but alas, they also left
the original unprotected access open. We'll spare you the jolly back and forth that has surrounded
the discovery of this particular vulnerability, but suffice it to say that not only is the app
in question easily accessed, but there's no override either.
The manufacturer told TechCrunch they were working on a fix, but four deadlines have come and gone and no fix is in.
They're a small shop, the manufacturer pleaded in its defense, saying that every time they fixed something, they broke something else.
People familiar with the technology, and again, we're not,
say that absent an override,
it appears that only the careful,
and we stress careful,
use of bolt cutters
or an angle grinder
will free a trapped user.
It seems to us that all the reporting
has buried the lede.
The Cellmate has actual users?
Yikes.
Who knew?
But there you go.
In case you're asking for a friend,
bring your bolt cutters.
A wire-cutting plier won't cut it.
Or so we've been told.
Researchers at Akamai have been tracking how DDoS attacks continue to get bigger and in some cases more sophisticated,
showing that they are still a weapon of choice for threat actors.
Roger Barranco is Vice President of Global Security Operations at Akamai.
If it was maybe this time last year,
I would have reported that things are, you know,
always increasing, but nothing really exciting going on.
And then towards the beginning of this year,
I expected to see a big spike
because of all the COVID-related items.
And we really didn't see anything directly tied to COVID.
But oh my goodness, the last, I'd say,
four months, the activity has been huge. So two attacks were certainly in the record-breaking
range, one being 1.44 terabits in size. The other, which is truly a record that I'm aware of,
it was 809 million packets per second.
From that day, there's been quite a bit of activity. We've seen a big spike in attacks
over 100 gig in size. And the number of attacks is really spiking up also. And there seems to be a
newfound interest with DDoS because quite a bit of extortion-related activity going on also.
Can you dig into that a little bit?
I mean, what sort of things are you tracking in terms of what's behind these attacks?
Yeah, so, you know, typically we haven't been able to tie it back to a specific threat actor.
It seems like a lot of different actors out there.
And what's happening is these extortion-type letters are going out to different verticals,
and they're asking, you know, no surprise for Bitcoin to be paid out.
I think the thing that is interesting is that they seem to be going
vertical by vertical. So they would go, you know, first to, no surprise, banking. After that, the,
you know, airlines, then hoteling industries, and they're just going vertical by vertical,
rolling these threats out, which does indicate, you know, a fair amount of coordination.
And where do we stand in terms of the botnets themselves?
I mean, do they just continue to grow in size and capability? So that's a really good question. So
we haven't seen anything radically new from a vector perspective. So we've seen some newer
vectors, but nothing radically new. So the world's largest DDoS that I'm aware of was actually a reflection, CLDAP reflection attack handled by AWS. That was 2.3 terabits in there. So they're mixing it up where the Akamai one with nine vectors,
the AWS one huge with one vector, right?
One massive punch with that.
Now, interestingly enough,
the Akamai one actually had a higher packet rate than the AWS one.
So they're nuanced.
And then clearly the largest from a packet per second,
that was definitely, like you said before, bot-related.
And the 809 million packet per second one.
And that clearly shows that
because there's so much IoT out there available,
that these tools have greater access
to more devices to launch attacks than they've ever had in the past.
Hence, it's easier to launch a very large attack.
That's Roger Barranco from Akamai.
And joining me once again is Ben Yelin.
He is from the University of Maryland Center for Health and Homeland Security.
Also my co-host over on the Caveat podcast, which if you have not yet checked out,
what are you waiting for?
Check it out, right, Ben?
It's a good show. Subscribe to this awesome podcast.
There you go.
There you go.
So, Ben, we've got an interesting story this week.
This is from NBC News.
It's from Jon Schuppe and Cyrus Farivar,
who I've spoken to on the CyberWire before.
It's titled, Police Need Warrant to Obtain Wi-Fi Location Data, Privacy Activists Argue.
Give us the background here. What's going on?
So it's a fascinating case.
It emanates from an incident that took place in 2017,
where a member of this college's football team, and it's Moravian College in Pennsylvania,
held up somebody in a dorm room at gunpoint
to extract money and a jar of marijuana.
And part of the evidence used to obtain a conviction of this individual
was that he was logged on to the campus Wi-Fi system.
Now, there was no authorization for law enforcement from a judge.
There was no warrant issued here to obtain that identifying information
to confirm that he was logged onto campus Wi-Fi.
That was all obtained using an administrative subpoena.
So this defendant, a guy by the name of Dunkins, is appealing his
conviction that this is a violation of his Fourth Amendment rights. And he's being joined by some of
the major groups out there who advocate for digital privacy, including the Electronic Frontier
Foundation and the American Civil Liberties Union. What he is saying is that, what this defendant is saying is that
this search violates his right to privacy.
It is a violation of the Fourth Amendment.
His attorneys and some of these outside groups are analogizing this case
to Carpenter v. United States, which I know we've talked about on this podcast
and on our own podcast, where the Supreme Court held that a warrant is required for cell site location
information that tracks a person's movement over time.
What the prosecutors are saying is that this is not analogous to Carpenter.
This is not a case where they're tracking one individual's movements in multiple locations
through an extended time period, but rather they were seeing which individuals were
at a given location at a particular time. And they're also claiming that Mr. Dunkins did not
have a reasonable expectation of privacy when he connected to that Wi-Fi network. And one of the
reasons they say that is in order to get campus Wi-Fi, you have to sign those terms of service,
which says that you don't have...
Busted by a EULA.
You're always going to get busted by those EULAs. And that explicitly says, you know,
in so many words, be cautious, my friends. By logging onto this Wi-Fi, nothing you do here
is private. We can see exactly what you're doing. You've relinquished your expectation of privacy.
And if we happen to turn that over to the police, that's your problem.
I happen to think in this case that the prosecutors have a stronger argument in terms of where
case law has been on the Fourth Amendment.
The reason I think that this is different from Carpenter is, you know, as the prosecutors are saying here, we're not talking
about the type of pervasive, ongoing, involuntary surveillance that we saw when we're talking about
cell site location information. You know, a person really doesn't have a choice as to whether to use
a cell phone. And because cell phones are constantly pinging towers to make sure that they're getting
service, this process sort of happens involuntarily. Nobody presses a button where they say,
I agree to share my location at every single second that they're carrying around their cell phone.
Here, this individual pretty clearly, in my view, relinquished their reasonable expectation of
privacy when they signed that EULA. A EULA that he most assuredly did not read.
Oh, of course he didn't read it.
But it's largely still enforceable.
And so I just don't think that that is the same type of broad, deep, and pervasive surveillance
that the court feared in coming up with the Carpenter decision.
So that's my perspective.
It's a fascinating case,
and I suspect this is the type of case
that potentially could inch its way up our court system
and perhaps merit Supreme Court consideration
if it's something where we see a split
among judicial circuits.
All right, well, it's an interesting one for sure.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
The CyberWire, it's what's for dinner.
Listen for us on your Alexa smart speaker, too.
Thanks for listening.
We'll see you back here tomorrow.