CyberWire Daily - Slacktivism and vandalism in a time of unrest. Ransomware operators continue to evolve. Email voting. Looking up how-to-guides to cybercrime during social isolation.
Episode Date: June 3, 2020
Protest groups sustain DDoS attacks, too. Old school denial-of-service afflicts police radio networks in Chicago: they're being jammed with talk, music, and other noise. Influencers and wannabes continue to use unrest as an occasion for on-line branding. The Sodinokibi gang is selling data stolen in ransomware attacks, and Maze seems to be establishing a criminal cartel. Is email to voting what shadow IT is to the enterprise? Ben Yelin describes a federal case involving police screenshots of a suspect's phone as evidence. Our guest is Steve Durbin from the Information Security Forum on the Threat Horizon 2022 report. And cybercrime for dummies. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/107
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Protest groups sustain DDoS attacks too.
Old school denial of service afflicts police radio networks in Chicago.
They're being jammed with
talk, music, and other noise. Influencers and wannabes continue to use unrest as an occasion
for online branding. The Sodinokibi gang is selling data stolen in ransomware attacks,
and Maze seems to be establishing a criminal cartel. Is email to voting what shadow IT is
to the enterprise? Ben Yelin describes a federal case involving police screenshots
of a suspect's phone as evidence.
Our guest is Steve Durbin from the Information Security Forum
on their Threat Horizon 2022 report,
and cybercrime for dummies.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Wednesday, June 3, 2020.
Forbes reports that Cloudflare has observed significant distributed denial-of-service attacks against various protest and civil rights groups during unrest over the death of George Floyd.
the denial-of-service attacks against some state of Minnesota sites.
The attacks on the groups weren't beyond the mitigation capabilities of Cloudflare and other providers of DDoS countermeasures.
There is also further evidence that DDoS is now a thoroughly commodified attack technique.
Does jamming and intrusion into radio networks count as a cyber incident?
Given the convergence of cyber and electronic attack, it's close enough to bear mention.
And so other, more conventional forms of interference are also in evidence.
The Sun-Times says the Chicago Police Department's radios have been jammed during responses to protests and rioting over the weekend.
The jamming took the form of music, yelling slogans, anything to disrupt police communication.
The content came from all over the political map with anti-cop music predominating,
but with plenty of anti-protester remarks in the mix.
A lot of the jamming seems to have been done for the lulz.
There's a YouTube video the Sun-Times describes in which two clowns are heard laughing
while they listen to police scanner feed of an officer trying to arrange transportation of prisoners, while music, the two skids think
it's Serbian music, which in Chicago is a possibility, blasts over the police net.
So again, distress continues to be an occasion for amusement. It's also an occasion for branding.
Reuters reports on the reappearance of Anonymous during the current U.S. unrest,
and the news service characterizes it as the revival of a brand by hackers and hucksters,
which is probably a useful way of understanding the operation of an anarchist collective.
Another class of online actors, influencers, is also actively engaged in brand building.
A number of these are drawing criticism, according to The Telegraph,
for showing up at protests for photo ops.
Ars Technica reports that REvil, the ransomware gang also known as Sodinokibi,
opened bidding yesterday on their cynically named site The Happy Blog
for two tranches of confidential data stolen in the course of attacks
on two separate companies. Some of the data are business information. Other data for sale include
personal information like scanned driver's licenses. This represents an ongoing development
in the history of ransomware. First came encrypting files, thereby denying them to the
victim. But this has limited potential.
Once the targets realize the threat and start taking the precaution of routinely backing
up their data, ransomware drops to the level of a nuisance.
Second came data theft.
The extortionist exfiltrated data and threatened to dox the victims by releasing sensitive
or embarrassing information if the victim didn't pay the ransom by the deadline.
This threat to dox is a way of achieving leverage over the victim, increasing the pressure to pay.
And now, in the third phase, the extortionists simply add another revenue stream.
They'll not just release the victim's files, but sell them in the criminal-to-criminal underground markets.
Steve Durbin is Managing Director of the Information Security Forum based in London. He joins us to discuss Threat Horizon 2022, the ISF's latest annual report,
which highlights the major threats that organizations can expect to face over the next two years.
It's an annual report that we produce, Dave, that really tries to look forward two years. We've been
doing it now for probably about the best part of 10 or 11 years. And so we've built up
quite an amount of credibility in this particular space at forecasting some of the real themes that
businesses need to be aware of in order that they can better prepare themselves going forward.
Well, let's go through the report together. What are some of the key
findings this year? Yeah, well, we tend to break the report into themes and three themes this year.
One is about invasive technology. Another is really focusing in on infrastructure, the fact
that there is neglected infrastructure, as we refer to it out there, that we believe has the
real potential to cripple or at
least hugely disrupt operations. And then the third theme, which I think is very, very topical
and will stay with us for some time to come, which is all around trust. And it's really around what
we believe is a crisis of trust that is going to undermine digital business going forward. So,
those are the three themes. And then we build
on particular threads inside each of those themes. Well, let's go through them together,
one at a time. Sure. I mean, I think if we kick off with that invasive technology that I referred
to there, this is really about new technology. So this is about it really invading pretty much
every element of daily life. We're thinking here of sensors, we're thinking of cameras,
we're thinking of devices in the home, offices, factories, public spaces,
but pretty much everywhere.
The first one that we pull out is around augmented attacks
that really look at reality and distort it.
This is about attackers being able to gain access to sensitive information.
I think that's the real issue in this one.
How about the other two themes?
Yeah, the second one, which I think is pretty topical today as well, actually, is around behavioral analytics.
And we do believe that that is going to trigger what we refer to as a consumer backlash. So this is all to do with a multiplicity of devices
that are out there that are sensing,
that are watching,
that are then being used to develop behavioural analytics.
And the concern that we have in this space
is that increasingly,
if that is not being done in very transparent fashion,
in very ethical fashion,
then we're going to see something of a backlash from consumers.
And we're going to see intensifying scrutiny from regulators too,
as the practice is deemed perhaps to be invasive and unethical.
And then the third one deals with trust.
Yeah, that's right.
The third theme really looks into trust in a great deal of detail.
We're all dependent upon technology,
but we're somewhat dependent upon the integrity of the technology, the confidentiality of the data that is being
shared. And so plenty in that particular area around trust, which I think is something that
we'll be focusing on for some time to come, frankly. That's Steve Durbin from the ISF.
Another development has been observed,
this one attributable to a known innovator in the underworld.
The gang behind Maze ransomware last November pioneered the now-routine criminal practice of stealing data
to gain leverage against their victims.
Bleeping Computer reports that Maze is now leading the formation of a cartel
that would enable ransomware gangs to cooperate and share information.
That this is happening may be seen in the appearance on the Maze leak site
of files taken from an architectural firm.
These files, however, weren't taken by Maze, but rather by LockBit,
a different ransomware-as-a-service operation.
Bleeping Computer, which is often remarkably successful
in getting criminals at large to return their emails,
contacted Maze and received an explanation of what's up.
Quote,
In a few days, another group will emerge on our news website.
We all see in this cooperation the way leading to mutual beneficial outcome
for both actor groups and companies.
Even more, they use not only our platform to post the data of companies,
but also our experience and reputation, building the beneficial and solid future.
We treat other groups as our partners, not as our competitors.
Organizational questions is behind every successful business.
It's not clear how or even whether money is changing hands.
Maze declined to answer a question asking whether they would receive a cut of LockBit's take.
They couldn't share the details, maybe because, hey, they're proprietary. In any case, Maze led
the way in moving extortion from simple ransomware to a combination of ransomware and doxing.
It may now be leading the way in
cartelization. Primary voting in the U.S. proceeded this week, but difficulties in distributing and
collecting postal ballots prompted some jurisdictions, including the District of Columbia,
to move toward potentially risky workarounds, like voting by email, according to the Washington Post.
And finally, what are people doing while socially
distanced and sheltering at home? Apparently, many are considering a career in cybercrime.
Cyber News thinks a lot of searching for how-to-hack information indicates widespread
interest in a walk on the dark side. The searches include such terms as hacking course, ethical
hacking course, how to get on the dark web, how to scam, learn hacking, and things like that.
We hope these are all budding infosec professionals, perhaps a fresh influx of independent researchers or pen testers.
But people being people, we suspect all too many of them may have crime on the mind.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health
and Homeland Security, but more importantly, my co-host on the Caveat podcast. Ben, always great
to have you back. Good to be with you again, Dave. On this week's Caveat, you and I covered
a fascinating case, and I want to share it with our CyberWire audience as well.
This is a story from Ars Technica written by Kate Cox.
The title is Just Turning Your Phone On Qualifies as Searching It, Court Rules.
Boy, this is an interesting one.
Can you unpack it for us?
It really is a fascinating case.
So it is a federal case, but the incident
happened in Washington state about a year ago. A criminal suspect was indicted on a bunch of
charges, robbery and assault. Suspect was using a smartphone. When that suspect was arrested,
one of the arresting officers hit the power button on that person's device to bring up that phone's
lock screen. Now the officer didn't do anything with that lock screen, but he or she must have seen
something that was suspicious. As the federal government was investigating this case, it is a
federal case, the FBI turned on the phone to take a photograph, a screenshot of that phone's lock
screen. And that lock screen seemed to display the name Streasy,
which it appears to me from reading the story was an alias for this criminal suspect.
And that was key evidence used in the conviction.
So the criminal defendant sought to suppress this evidence,
saying that both the police officers, the arresting officers,
and the FBI violated this
defendant's Fourth Amendment rights by simply turning on the phone and taking a screenshot
of that lock screen. And the judge actually agreed with the criminal suspect, at least as it relates
to the FBI taking that screenshot of the lock screen. There are additional questions about the
arresting officer. It's generally legal to search somebody incident to arrest. So that's something that's going to
be adjudicated in a future proceeding. But the FBI, when it turned on the phone and took that
screenshot of the lock screen, that qualifies as a search under the Fourth Amendment and therefore
necessitates a warrant. Because no warrant was issued in this case, at least on those grounds, the conviction would have to be overturned.
So the rationale here is particularly fascinating, and I'll give just a very short history.
Prior to the 1960s, it used to be that there would be no Fourth Amendment violation unless
there was a physical trespass on somebody's
property, whether that was their real property or their stuff, which in legal parlance is effects.
That's actually the language in the Fourth Amendment. In the 60s, that standard changed.
There was no longer a focus on a physical trespass into somebody's property. Instead,
the focus turned to whether there was a violation of somebody's reasonable expectation of privacy.
In 2012, the Supreme Court reconsidered each of those doctrines and decided a physical intrusion into somebody's stuff, somebody's device in this case.
What the judge here says is we need not answer the question on whether this violates the defendant's
reasonable expectation of privacy because what we have here is actually a physical trespass.
The FBI physically took the
device, pressed those two buttons to take a screenshot. That is a trespass on that person's
property, and that in and of itself qualifies for a Fourth Amendment search, and therefore a warrant
should have been issued. So it's really a fascinating case. It'll be interesting to see
whether this logic is adopted nationwide in other similar cases.
What do you make of this? What is your take on it? I mean, it is fascinating to me. I have to say,
I would not have expected a ruling like this. Yeah. So this case is very analogous to the 2012
case I referenced, and that's the Jones case. And in that case, the government or law enforcement had placed a GPS tracking device under the hood of a suspect's car.
And the majority of the Supreme Court held that that was a search simply because law enforcement trespassed on that suspect's vehicle.
What Justice Alito said in his concurrence in that case is the act of physically attaching that GPS device is completely insignificant as it relates
to the question of personal privacy.
The real privacy question is what happens after that device is physically attached.
And that's the tracking.
That's tracking an individual's location.
And so my thinking of it is, you know, the question on whether somebody's fundamental
rights are violated as it relates to
their personal integrity, their personal privacy, generally in the digital age will not turn on
whether there has been a simple physical trespass. So, you know, in my view, that shouldn't be the
determining factor as to whether there has been a Fourth Amendment search. And to relate more to,
you know, a number of things,
including how intrusive this particular method of searching is,
you could make a case that this individual
actually did not have a reasonable expectation of privacy
in their lock screen because it's something
that a person generally shows publicly.
If you put your phone out on a table,
if it falls out of your pocket,
that's going to be something that anybody could see.
That, to me, would have been a fine justification instead of using this more, I would say,
arcane 19th century physical trespass doctrine to make the decision in this case.
That's fascinating.
All right.
Well, Ben Yelin, as always, thanks for joining us.
And if you want to hear more about this case, Ben and I spend a good deal more time on it over on the Caveat podcast.
So if you have not yet checked that out, that would be an excellent chance for you to do that.
So please do so.
Ben, always a pleasure.
Thanks for joining us.
Thank you, Dave.
Thank you.
and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.