CyberWire Daily - Ransomware updates. Lazarus Group’s new Trojan. IoT insecurity. Exploiting older versions of WhatsApp. Mr. Assange’s extradition. Door kick in IP beef. Someone naughty’s still running XP.
Episode Date: December 17, 2019
Updates on the ransomware attacks in Florida and Louisiana. North Korea's Lazarus Group adopts a new Trojan as it shows signs of pivoting into the Linux ecosystem. Insufficient entropy in IoT key generation. Older versions of WhatsApp are vulnerable to exploitation. The state of Julian Assange's extradition to the US. Hey--this is Moscow! Where'd you think you were, Iowa? And guess who's still running Windows XP? Ben Yelin from UMD CHHS on Google location data being used to find a bank robber. Guest is Michael Chertoff from the Chertoff Group on the 5G transition. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Updates on the ransomware attacks in Florida and Louisiana.
North Korea's Lazarus Group adopts a new Trojan
as it shows signs of pivoting into the Linux ecosystem.
Insufficient entropy in IoT key generation.
Older versions of WhatsApp are vulnerable to exploitation.
The state of Julian Assange's extradition to the U.S.
Hey, this is Moscow. Where'd you think you were, Iowa?
And guess who's still running Windows XP?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 17th, 2019.
The city of Pensacola, Florida, continues to recover from the ransomware attack it sustained earlier this month.
The mayor is short on details, but says things are going well, WUWF reports. The city has, according to the Pensacola News Journal,
hired Deloitte to figure out exactly what damage was done, so while matters may not be as rosy as
the mayor suggests, the city seems to be seeking appropriate help. It appears that the particular ransomware strain involved in the Pensacola incident was Maze.
The hoods behind Maze represent a new school of extortion.
They recently dumped a list of victims who refused to pay the ransom,
along with samples of their file names.
This is intended as a form of naming and shaming,
and thus a way of ratcheting up the pressure to pay.
Interestingly, Pensacola does not figure among the latest list of their victims, Bank Info Security reports.
In Louisiana, as New Orleans continues its recovery from a Ryuk ransomware attack,
a similar incident hits Baton Rouge Community College, the Advocate reports.
It's unclear what, if any, relationship there may be
between the New Orleans and the Baton Rouge incidents, but the attack on the community
college is the latest in what amounts to a wave of ransomware strikes against schools and colleges.
ZDNet, citing NetLab 360, says that North Korea's Lazarus Group has begun using the
Dacls Trojan as it pivots from a concentration on Windows targets into the Linux ecosystem.
The move probably augurs more expansive targeting by Lazarus Group,
which has recently concluded business agreements to obtain technical support from organized cybercriminal groups.
Keyfactor warns that encryption weaknesses in RSA keys could leave large numbers of IoT devices vulnerable to exploitation.
The weaknesses arise from poor entropy, that is, inadequate randomness in key generation.
Check Point urges WhatsApp users to update to the latest version of the app.
Their researchers have found that attackers could hit older versions
and permanently delete chats as well as work other mischief.
Julian Assange is expected to argue during his upcoming extradition hearings
that during the period he enjoyed asylum, holed up in Ecuador's London embassy,
he was illegally monitored,
and that the data collected in such personal surveillance was sold to the US CIA.
This, he is thought likely to maintain,
is evidence that he won't be able to receive a fair trial in the U.S.,
where he faces multiple charges of violating the Espionage Act,
The Guardian reports.
Mr. Assange is currently in British custody.
The allegations that someone sold Mr. Assange to the CIA
are currently being investigated by Spain's Audiencia Nacional, the country's national court.
A Spanish court is interested in the case because a Spanish company, Undercover Global SL,
provided security for the Ecuadorian embassy and reports in Spanish newspaper El Pais
allege that Undercover Global provided audio and video surveillance to the CIA,
including surveillance of meetings Mr. Assange held inside the embassy with his lawyers and supporters.
The court is investigating whether these constitute violations of privacy and legal privilege.
UK extradition laws are relatively friendly to US requests, and vice versa, but they do allow for a prejudice exemption that protects people from
extradition for their political opinions. It seems likely that Mr. Assange's team will assert
that exception. The continuing deployment and ramp-up to 5G mobile device connectivity
has the attention of security professionals around the world. There are technical issues
as well as geopolitical issues.
We checked in with former U.S. Secretary of Homeland Security and current head of the Chertoff Group, Michael Chertoff, for his thoughts on the 5G transition.
5G has a tremendous amount of potential, and it is going to be the enabler for the true expansion
of what people call the Internet of Things. That's where, you know, your refrigerator, your baby camera, your car, everything is wirelessly connected.
But that puts an even greater premium on security, because if you're in an autonomous or semi-autonomous vehicle and all of a sudden the 5G connection is shut off, you get into an auto accident. If you're running your critical
infrastructure on 5G and it gets shut off, all of a sudden that goes dark. So more than ever,
given the number of devices that are going to be part of this network, we need to build
security by design when we architect the hardware and software.
And that's been the subject of a good deal of discussion because right now Chinese companies
like Huawei and ZTE are ahead of most Western companies in terms of their ability to build
and install hardware and software for 5G at the scale you would need for it to be really
operational. And that raises questions about whether giving Chinese companies that kind of
commanding position in the infrastructure of the technology would not only create the opportunity
to engage in theft of data, but could also allow the Chinese in some circumstances
to actually dial back or turn down the effectiveness of the networks.
Where do you come down on that? Where do you suppose that we should be when it comes to
restricting companies like Huawei and ZTE?
I think this is a legitimate, serious national security concern. Now, I'm putting to one side issues about trade balances, which are kind of trade issues.
And I'm talking strictly about national security.
could steal our data, or worse, actually shut off our ability to operate our 5G networks if we were to get into a conflict or an adversarial situation.
What alternatives are available to us?
Would we need to be concerned that by not using Chinese providers, we might fall behind?
There are three Western companies, using the term in a kind of a loose sense,
that do have infrastructure providers that could scale and match Huawei and ZTE. It's Ericsson
and Nokia, which are in Scandinavia, and Samsung, which is in Korea. We're confident that those
companies could get up to production in the scale and the speed
at which we would need? Well, there's a challenge in that, and it's twofold. One is, I don't think
they're yet at the scale that we would need, although they could get there. But the second
issue is, and this is a complaint I've heard from people in the U.S. and outside, they're more expensive because the Chinese government
essentially directly and indirectly subsidize their companies in terms of promoting 5G scalability,
first of all, in China. And that means the cost per unit has decreased. Ericsson and Nokia don't
get that kind of help from their governments. So part of what we need to start to think about, as we do with respect, for example, to military infrastructure, is whether we need to have a joint effort by Western like-minded nations to build a hospitable market for 5G investment so that these companies will begin to increase the tempo of their production because
the profitability will be there for them. Where do you suppose we are when it comes to that balance
between security and privacy? I'm thinking about technologies like facial recognition and some of
those things that are on the horizon. Facial recognition can be valuable. It's, for example,
useful when you try to open up your phone and
your face appears and the phone opens up. The question is what happens with the data?
And I think increasingly we need to think about the issue of privacy, not just in terms of what
gets collected, but how the data is controlled. There may be uses for facial recognition that are
perfectly appropriate, but you want to make sure they don't migrate over to something that would be very inappropriate or threatening.
But you wouldn't necessarily want that to be transmitted to the government and be used as a way of surveilling what you do out on the street every single minute of the day. situation where either they don't participate at all on these internet activities or they wind up basically surrendering their private interests to commercial interests or government.
What is your sense of how well we're doing as a nation in response to these threats? Are we in a
situation where we're nimble enough to respond to them? I think we are slowly awakening to some of the challenges we've talked about on privacy, on balancing security with encryption, on disinformation campaigns.
So you're beginning to see legislation being passed in some of the states.
Congress is beginning to propose things. But I will acknowledge that we've been somewhat slow off the mark. And it took a pretty dramatic set of events, like, for example, what happened
in the 2016 election, for people to wake up and say, we better get on top of this problem.
That's Michael Chertoff from the Chertoff Group.
The founders of Nginx, a subsidiary of Seattle-based F5 Networks, which acquired the
Russian-born company this past March, are complaining about the raid Russian police
conducted against their homes in the early hours of last Thursday. It was over a copyright beef.
Rambler Group, which operates a popular search engine in Russia, claims that it's the rightful owner of Nginx web server code.
One of Nginx's founders, Igor Sysoev, was formerly employed by Rambler. Sysoev and his co-founder,
Maxim Konovalov, say they intend to stay in Russia and fight for their IP. There's been a
fair amount of publicly expressed sympathy for the two in Russia. Yandex, for example,
a Rambler competitor that operates the country's biggest search engine, said the raid sent a very bad signal.
And finally, it's ho-ho-ho time, and so we send out a holiday wish to President Putin.
May Ded Moroz and Snegurochka bring him a nice new laptop, fully loaded and up to date.
The Guardian, quoting Open Media,
a fairly independent and opposition-friendly Russian news outfit,
says that official photographs taken at both the president's Kremlin office
and in his official residence show that his machines are still running Windows XP.
This is probably not as bad for Mr. Putin as it would be for you and me,
to pick two people at random.
For one thing,
he's not a big fan of the internet in the first place, since he regards it in his darker moods as a CIA-built tool. Actually DARPA, but why be pedantic over whether the net came from an
American five-letter agency as opposed to a three-letter one? The important letters are U and
S, or in the phonetic alphabet, Yankee. He also probably has a world-class help desk to keep him out of trouble,
and anywho, no one's going to call him out for visiting, say, X Hamster.
And as it happens, XP is the last version of Windows
approved for use on Russian government machines that hold state secrets.
Russia's in the process of moving toward domestic software,
its Astra version of the Linux OS and homegrown browsers like Yandex.
It can be tough to quit an OS, and that's no joke.
We see it in the industrial IoT all the time.
Fun fact, his desktop background shows the towers of the Kremlin.
Better than flying toasters, right?
So Grandpa Frost, send the president something nice.
Maybe a Best Buy gift card, right?
And joining me once again is Ben Yelin. He's the Program Director for Public Policy and
External Affairs at the University of Maryland Center for Health and Homeland Security. Ben,
it's great to have you back. Good to be here again. I should mention that you are also my
co-host on the Caveat podcast, which if you have not yet subscribed to, what are you waiting for?
It's a great show.
Check it out.
On your favorite podcast platform.
There you go.
Interesting story came by.
This is via NBC News, and it's about the police using some Google location data to find an accused bank robber, and his lawyers say that's no good.
What's going on here?
This is about the use of geofencing technology.
Basically what happened here is there was a bank robbery in Richmond, Virginia.
Nobody who could identify who the suspect was ended up stealing like $200,000 from the bank.
But in one of the security video footage of the incident,
they saw somebody on a personal device, the suspect using a personal device.
Even though they couldn't identify who that suspect was.
So the government asked Google to do geofencing, basically to list every device that was within that geographical area where that bank robbery took place.
And using process of elimination, they landed on the suspect who was charged with armed robbery.
That individual's lawyer is challenging this arrest, saying that this is an unconstitutional search.
We've had court decisions on other types of location information.
Historical cell site location information, for example, was the impetus behind the Carpenter case, which came out in 2018.
We have not yet had a case specifically on geofencing,
where you sort of figure out every single device that you can find that was in a particular area at a particular time,
work backwards, and narrow down your list to find a suspect.
So what's the hazard here? How are they arguing that this bumps up against our
constitutional rights? So there's always the risk of false positives. That's, you know,
first and foremost. Second of all, this sort of goes against the rationale for having the
Fourth Amendment in the first place, which is avoiding what are called these general warrants,
where, and this goes back to our common law ancestry in England, you know, you'd get a warrant to just go search every house
to try and find incriminating material without any sort of particularity naming the person to
be searched or the things to be seized. One of the attorneys here in this article notes that this is
sort of the digital equivalent of going into everybody's house in a given
neighborhood and trying to find incriminating evidence. And if that's, you know, the analog
for what's going on with geofencing, I think we can understand why geofencing presents these
civil liberties concerns. So the notion here being that if, for example, you or I were also doing
some business at that bank or maybe the sandwich shop next door that we would have been subject to an illegal search by virtue of our data getting caught up in this geofence effort.
Right. And it's completely suspicionless. So the government would have no inclination or idea that we committed any crime or had any evidence whatsoever about the crime that did take place.
Now, of course, what law enforcement will argue is that the third party doctrine applies here,
which means when you log onto your phone, you know or should know that when you're using Gmail
or any other Google apps, they are tracking your location. They keep those as part of their
business records. So you don't have an expectation of privacy in that information. We'll see how courts square that with the
Carpenter decision, which said that people do have a reasonable expectation of privacy as it relates
to historical cell site location information. My inkling is that if you have a reasonable
expectation of privacy about where location identifying
information that's taken place in the past, then perhaps that would apply to geofencing as well.
But without any actual court cases, you know, we can't know for sure.
How is this different than just good old fashioned surveillance video? You know,
in other words, I've got a video camera that's tracking the parking lot of where this bank is,
and it's getting everybody coming and going from the bank.
And like I said, the sandwich shop next door and the dry cleaners and all that sort of stuff.
Is it that the amount of information that can be gathered with this,
that we absolutely know the names of everybody involved, or is there a difference there?
So that's part of it.
The other part is with video surveillance, you're putting yourself in plain view, which means you're forfeiting your expectation of privacy.
We're not necessarily doing that just by opening your device, even though now perhaps people should know that their location is being tracked.
They're using certain applications if they're permitting location services on that application.
That's different than you're walking on the street and a camera captures you.
You're in a public place.
Right.
So you sort of are assuming the risk that somebody has a camera and is observing you.
All right.
This will be interesting to see how this one plays out.
Ben Yelin, thanks for joining us.
Thank you.
Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.