CyberWire Daily - Recovery from network congestion. GandCrab to close. BlackSquid drops XMRig. BlueKeep patching lags. Crypto for criminals trial. Antitrust investigation of Google. “Persistence of Chaos” sold.

Episode Date: June 3, 2019

Google’s cloud services recover from network congestion. GandCrab’s proprietors say they’re retiring rich at the end of the month. BlackSquid delivers the XMRig Monero miner. Updates on the Baltimore ransomware incident. Too many machines not yet patched against BlueKeep. CEO sentenced for providing criminals crypto. The US Justice Department is said to be preparing an antitrust investigation of Google. And “The Persistence of Chaos” has been sold for $1.3 million. Joe Carrigan from JHU ISI on Google restricting ad-blocking in upcoming versions of Chrome. Tamika Smith speaks with Washington Post writer Geoffrey Fowler on his recent article “It’s the middle of the night. Do you know who your iPhone is talking to?” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_03.html

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Hi, everybody. Dave here with a quick note to kindly request that if you have not already done so, please be sure to check out our Research Saturday show. Each week, I speak with cybersecurity investigators
Starting point is 00:02:05 and analysts about their latest research. It's in the same feed as the daily podcast, and of course you can also find it on our website, thecyberwire.com. It's Research Saturday. We hope you'll give it a try. Thanks. Google's cloud services recover from network congestion.
Starting point is 00:02:24 GandCrab's proprietors say they're retiring rich at the end of the month. BlackSquid delivers the XMRig Monero miner. Updates on the Baltimore ransomware incident. Too many machines have not yet been patched against BlueKeep. A CEO's been sentenced for providing criminals crypto. The U.S. Justice Department is said to be preparing an antitrust investigation of Google, and The Persistence of Chaos has been sold for $1.3 million. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 3rd, 2019.
Starting point is 00:03:10 Google's cloud suffered worldwide outages yesterday. These are now fixed and seem to have amounted to a nuisance as opposed to a disaster. But observers point out that the incident suggests that any cloud may not be as reliable as its users typically assume. And if you'll forgive us a tangent, we can't help wondering if "the cloud isn't bulletproof" would be a mixed metaphor. On the one hand, no cloud would deflect a bullet, so the metaphor would be a lousy one. On the other hand, a cloud's bulletproof in the sense that you could shoot bullets through it all day and not harm the cloud. So maybe that metaphor is okay after all. All good things come to an end. The criminal proprietors of GandCrab ransomware say they've made enough money,
Starting point is 00:03:50 $2.5 billion if they're to be believed, and that they plan to call it a day and retire at the end of June to enjoy a well-deserved retirement. They advise holdout victims to act now and pay up soon, which isn't necessarily good advice, of course, since it's not exactly what the lawyers would call an admission against interest. Gandcrab appeared in January 2018 and quickly became a black market leader. The Gandcrab gang can't resist a little crowing. They said,
Starting point is 00:04:19 "We have now proven that by doing evil deeds, retribution does not come." Well, not yet, but retribution can reach you in retirement and on the lam. Trend Micro describes BlackSquid, a criminal campaign that distributes the XMRig miner. For now, the campaign is after Monero cryptocurrency, but there's no reason to think its approach can't and won't be used to drop other payloads in the future. BlackSquid is interestingly complex. It appears to make use of at least eight distinct exploits, several of them well-known and, in principle, patched.
Starting point is 00:04:54 NSA denied in discussions with Maryland Representative Ruppersberger that the agency's tools had anything to do with the Baltimore ransomware attack. In particular, NSA said it had no evidence that the EternalBlue vulnerability played a role in the incident. Some have read this as a non-denial denial, for example the Washington Post, but the general sentiment seems to be that Baltimore is far more sinning than sinned against. More than two weeks ago, Microsoft urged every affected user to patch against the BlueKeep vulnerability, but patching hasn't gone as quickly as might have been hoped. Around 900,000 machines are thought to still be vulnerable. Someone's out there scanning for those machines.
Starting point is 00:05:38 Researchers at GreyNoise have observed scans from Tor exit nodes. That's from the exit nodes, not of the exit nodes, as we think we might have misspoken last Tuesday. The danger is still out there. Let us all apply the lessons Baltimore learned the hard way and patch. The U.S. Justice Department has begun preparing an antitrust case against Google, according to multiple sources. An earlier investigation by the Federal Trade Commission, whose responsibility in such matters overlaps that of the Justice Department, looked bad for Mountain View, but ultimately Google emerged in 2013 essentially unscathed and, of course, quite intact. The current investigation is said to be in its preliminary
Starting point is 00:06:21 phases, with Justice and the FTC sorting out the equities. Apple kicked off their Worldwide Developer Conference earlier today, showing off new hardware and software and services. An area that Apple likes to emphasize is privacy. But just how much does Apple's crowing align with reality? The CyberWire's Tamika Smith has this report. Now we turn our attention to a new article that looks into the secret life of your phone. As you would expect, various apps that you enjoy
Starting point is 00:06:51 using, whether to purchase food or smart TVs, are tracking your activity. But to what degree? Here to talk more about this is Jeffrey Fowler. He's a tech columnist for the Washington Post. Thanks for joining the program, Jeffrey. You bet. So you conducted a privacy investigation into your own phone and published the findings in a recent article you wrote called, It's the Middle of the Night. Do you know who your phone is talking to? What did you discover? I found my phone is talking to lots of companies that I have never heard of, and in some cases
Starting point is 00:07:21 sending them a lot of really personal information about me. So basically what I did is I, with the help of a company called Disconnect and their CTO who used to work for the NSA, his name is Patrick Jackson, we ran this experiment on my phone and hooked it into a system that tracked all of the incoming and outgoing data. And we did this while I was sleeping every night. I would wake up in the morning and I would look at that traffic and see what was being sent. Some of it was encrypted, but a lot of it wasn't.
Starting point is 00:07:49 And for the stuff that wasn't, I was just shocked to see the names of some of these companies that were receiving my personal data that I had not installed in my phone myself. Turns out they were tracker companies that had been embedded in these apps that I had installed on my phone, used for a wide variety of purposes. Everything from analytics to marketing to who knows what, because you really, really couldn't tell. So one of the highlights in your article, it mentions privacy policies and what they're really used for. How does this tie into these app trackers?
Starting point is 00:08:22 Yeah. So when you talk with Apple or even some of these companies about it, they say, well, listen, if you install this app on your phone, you have essentially agreed to the privacy policy of these companies. First of all, most people do not look at the privacy
Starting point is 00:08:36 policies for apps. And even if you do, they're extremely vague on this topic about sharing your personal data with third parties. And in some cases, or at least one case, an app called Citizen, I found that they were sharing data in a way that violated their own policy. They said they wouldn't send personally identifiable information out to trackers or other third parties, and they were. This activity seems to be abusing Apple's background refresh functionality in iOS. Is there any indication that Apple could
Starting point is 00:09:05 clamp down on this? I think there's a number of things that Apple could do here. So first of all, just a reminder, Apple is the company that heavily markets the privacy of the iPhone as a reason to buy one. It put out a billboard at CES earlier this year that said what happens on your iPhone stays on your iPhone. And my experiments certainly show that that is not the case. What could Apple do here? Partially, it could be about restricting what kinds of activity is allowed to happen in the background. By default, apps turned on, they're allowed to refresh in the background on their own. But I think that's only part of the problem. These apps are also sharing our data with third-party tracker companies during the day,
Starting point is 00:09:42 too, right? If you open that app in the middle of the day, you don't really have much transparency into what is being shared. So I think one thing Apple should do is force these companies to be more transparent about what they're up to. I mean, GDPR caused a lot of websites to have to flag when they use cookies. And so maybe apps should have to do the same thing. You might think twice, for example, about using DoorDash. If every time you opened it up, you got a message saying, just a reminder, we're using nine different trackers to track you in all these different ways. Is that cool?
Starting point is 00:10:15 And then you could say yes or no. What about your experiment surprised you? I think that it was happening on an iPhone. I'm a tech columnist for The Post. I'm aware that there's this whole data economy out there. But Apple has done a very good job of making a lot of us believe it thinks differently when it comes to privacy and it goes out of its way to protect us. But it seems like they really have a big blind spot when it comes to the app store that they curate. There's a lot of activity happening there that only took me a week of looking under the covers to find stuff that violated privacy policies, violated their terms. And are they really doing enough to check these apps on our behalf? Now, some people think this is a case of app developers hiding excessive sharing permissions and the end user license agreement. What's your thought on that? Look, definitely apps are taking as much
Starting point is 00:11:05 data as they can, and they're getting away with it. Apple does give you controls as a user to limit, you know, you don't necessarily have to share your exact location with an app, or you don't have to share your contacts. And those are all good things that people should spend more time thinking about. But the truth is, most people just click yes on whatever the apps ask for, and then they get it. And so that's a big hole that we're all falling into. Thank you so much, Jeffrey. We'll definitely be tracking what's happening with these apps. And we'd love to have you back on the show to talk more about it. You bet. That's Jeffrey Fowler. He's a tech columnist for The Washington Post. He wrote an article, It's the Middle of the
Starting point is 00:11:44 Night. Do you know who your phone is talking to? You can read the full article on their website. The CEO of Phantom Secure, Vincent Ramos, was sentenced last Tuesday in a U.S. federal court to nine years in prison and also told to forfeit some $80 million in stuff he'd accumulated homes gold coins cryptocurrency things like that Mr. Ramos has copped a guilty plea to charges connected with selling encrypted blackberry phones to a variety of bad actors including the sinloa drug cartel and the australian chapters of the hell's angels the angels are said to have used the phones to coordinate several murders. The AP calls the phantom phones gutted, uncrackable smartphones
Starting point is 00:12:30 that, for a subscription, could send encrypted text messages through a secure network based in Panama and Hong Kong. They could also be wiped remotely should the users feel the heat breathing down their neck. The U.S. case was prosecuted in a San Diego court, but the investigation was a joint U.S.-Canadian-Australian one. Mr. Ramos is Canadian and a resident of Greater Vancouver. The case is interesting in that it apparently represents the first case in which someone has been convicted of providing encrypted devices to criminal organizations.
Starting point is 00:13:02 We should point out that Phantom Secure is not to be confused with Phantom Cyber, the entirely legitimate company that gained visibility in the RSA Conference Innovation Sandbox and was subsequently acquired in April of 2018 by Splunk. And hey, check it out. The Persistence of Chaos, a Samsung NC10 laptop, infested with six, count them, six bits of malware, WannaCry, Black Energy, I Love You, My Doom, So Big, and Dark Tequila, is now off the market.
Starting point is 00:13:34 It sold for $1.3 million. If that sounds pricey for an 11-year-old and very dirty laptop, well, dang it, it's art, you Philistine. You square, you. You it's art, you Philistine. You square you, you Chromebook user, you. Forgive us. Art does have the power to move us, doesn't it? And the unnamed person who parted with $1.3 million to own it is now the owner of a genuine 100% certificated work of art. After all, did Duchamp disinfect Fountain with Lysol before displaying it? We have it on good authority that the answer is no. But artist Guo O'Dong, or more probably his adult sponsors over at security firm Deep Instinct, wanted to play it safe. Seems kind of a shame.
Starting point is 00:14:20 Toronto's National Post, which has assumed a very straight-faced pose, which may or may not be ironic with respect to its reporting on the transaction, says that Mr. Guo first achieved minor éclat in the art world by a performance piece in 2017 in which he rode a Segway around Brooklyn while leading or being led by a hipster on a leash. We looked up images of the work called Hipster on a Leash, and we're sorry to report that for one, the hipster hardly seems to qualify as a hipster because his shorts, sunglasses, and short-sleeved shirt look a lot more like routine New York tourist apparel, so we're reluctantly calling BS on the whole hipster thing, which is Dragsville, if hipsters actually even exist. The only thing that would improve this story would be if we found out that it was in fact Baltimore City that purchased The Persistence of Chaos with VopperCoin.
Starting point is 00:15:14 But alas, that's just wishful thinking. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:15:51 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster
Starting point is 00:16:34 with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices,
Starting point is 00:17:16 home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Starting point is 00:17:49 Hi, Dave. I had an article come by from Forbes. This is written by Kate O'Flaherty. And the title is Google just gave 2 billion Chrome users a reason to switch to Firefox. Let's dig in behind that headline here. And what's going on? So Google is working on a proposal called Manifest Version 3, or V3. And this is how plugins will work with the Chrome browser. And they're planning to restrict modern ad blocking through Chrome extensions. Okay, so there's a part of their API that's going to be deprecated in the next iteration of this Manifest 3 that will stop these calls that allow ads to be blocked without getting too technical. Right. Okay. This seems like something no one's asking for, except maybe the ad folks, I suppose. Right. Yeah.
Starting point is 00:18:36 Well, it's interesting because there's been a lot of backlash from this from the Google user community. Nobody wants this. If you want an ad blocker, you should be able to use it. Google says you'll still be able to use ad blockers, but it won't use the same API calls. It'll use a different API call that makes it less efficient and probably not as effective. There's the other issue here that for enterprise users of Chrome, you will still have access to this API. This is presumably, 9to5Google says this is presumably to allow the development of custom Chrome extensions that might not block ads,
Starting point is 00:19:13 but it will still allow the same kind of features that would let you block ads, right? So I find it interesting that Google is allowing customers that pay it to use it, but not allowing the general public to use it. You know, people like you and me, I don pay it to use it, but not allowing the general public to use it. You know, people like you and me, I don't pay to use Chrome. What is also interesting is that Google is, or Alphabet rather, is a very large owner of advertising services. Sure. Right?
Starting point is 00:19:37 I think this represents a genuine conflict of interest here, that they're not acting in the public's best interest with regard to the Chrome browser. I think you own AdSense and AdWords, and they also own the Chrome browser, which has a 62% market share, which is the most popular browser on the market. Obviously, if they have 62%, nobody else has more. They have more than all the others combined. So if you have that kind of pull and you disable ad blocking so that your ad networks and other ad networks can now be more profitable, I don't know that that represents what I would consider to be fully ethical business practices.
Starting point is 00:20:14 You know, for me, the issue I have here is not so much being shown ads. I think that's a fair deal. Allow me to read your content for free, and I will look at an ad. But the problem I have is all of the tracking. All the tracking that goes on is pretty insidious. Right. So if there were some happy medium here where you can still show me the ad, you can still get credit for this ad was shown to someone. Right. But not take all of my information back to those people and tell them who I am, where I was and what I had for breakfast this morning, then I think we're okay. Well, Google said in a statement to 9to5Google that Chrome supports the use and development of ad blockers.
Starting point is 00:20:54 We're actively working with the developer community to get feedback and iterate on the design of a privacy-preserving content filtering system that limits the amount of sensitive browser data that is shared with third parties. So it sounds like that's what Google or Alphabet thinks they're doing. But I don't know if, or at least that's what they want you to think they're doing. But I don't know if this is the best way to go about it. All right. Well, we'll see what the market chooses, right?
Starting point is 00:21:21 Yeah, that's right. That's what's going to happen. I think, I don't know, will Google see a loss of market share because of this? I predict they don't. I predict they don't. The Chrome browser is a good browser. It works very well. I suspect you're right.
Starting point is 00:21:37 Yeah, I don't think they'll see an impact from this. All right, well, Joe Kerrigan, thanks for joining us. My pleasure. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today
Starting point is 00:22:19 to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us
Starting point is 00:22:51 on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams
Starting point is 00:23:01 and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, ... Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
Starting point is 00:24:07 ai.domo.com. That's ai.domo.com.
