CyberWire Daily - The UN takes up a case of spyware; it’s linked to an extrajudicial killing. Glenn Greenwald indicted on hacking charges in Brazil. NetWire and StarsLord are back.
Episode Date: January 22, 2020
UN rapporteurs say that the Saudi Crown Prince was probably involved in the installation of spyware on Amazon founder Jeff Bezos's personal phone. Brazilian prosecutors have indicted Glenn Greenwald..., co-founder of the Intercept, on hacking charges. IBM describes a renewed NetWire campaign, and Microsoft says StarsLord is back, too. And in cyberspace, there's nothing new on the US-Iranian front. Ben Yelin from UMD CHHS on surveillance cameras hidden in gravestones. Guest is Sean Frazier from Cisco Duo on their most recent State of the Auth report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_22.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
UN rapporteurs say that the Saudi crown prince was probably involved in the installation of spyware
on Amazon founder Jeff Bezos' personal phone.
Brazilian prosecutors have indicted Glenn Greenwald, co-founder of The Intercept, on hacking charges.
IBM describes a renewed NetWire campaign, and Microsoft says StarsLord is back too.
And in cyberspace, there's nothing new on the U.S.-Iranian front.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, January 22, 2020.
Two investigations dominate today's news.
The first involves the compromise of a phone. The second, the indictment of a journalist.
To take up the phone compromise first, Amazon chief and Washington Post owner Jeff Bezos
is reported to have had his phone hacked in May of 2018 by Saudi operators.
The Guardian reports that Mr. Bezos' phone was compromised after contact with Saudi Crown Prince Mohammed bin Salman.
The hacking took place some five months before the killing of Jamal Khashoggi on October 2, 2018.
Mr. Khashoggi had been a critic of the Saudi government and a columnist for The Post.
The Crown Prince is widely suspected of involvement with the killing, with sources as varied as the U.S. Special Rapporteur on Extrajudicial Killings
and the U.S. Central Intelligence Agency reaching that conclusion.
The Special Rapporteur announced the conclusion publicly last summer.
The CIA's conclusion hasn't been formally announced, but has been widely reported.
The details of the compromise in the Guardian's report are as follows.
On May 1st of 2018, after an otherwise friendly chat session
between the Crown Prince and Mr. Bezos,
Mr. Bezos received a WhatsApp message
from what appeared to be the Crown Prince's private account.
That message carried a malware payload.
Shortly after the installation of the payload,
a large quantity of data were exfiltrated from Mr. Bezos' device.
Where does the evidence come from?
According to the Wall Street Journal,
Mr. Bezos contracted with Washington-based FTI Consulting
for a forensic audit of his phone.
FTI concluded with medium to high confidence
that data began leaving the device
shortly after it received a video file
from the WhatsApp account linked to the Crown Prince
and that such data exfiltration continued for months.
FTI Consulting would not comment on the story to the journal,
which cites a person familiar with the matter as its source.
The Saudi embassy in Washington tweeted that the hacking claims were absurd and has demanded an investigation so that all the facts may come out.
An investigation is what the UN officials, who apparently saw the FTI Consulting report,
want too. The Wall Street Journal reports this morning that the UN's special rapporteurs on
extrajudicial killings and freedom of expression this morning said, quote,
Mr. Bezos was subjected to intrusive surveillance via hacking of his phone as a result of actions attributable to the WhatsApp account used by Crown Prince Mohammed bin Salman.
End quote.
Those two officials were involved because of the circumstances of Khashoggi's killing
and because of Khashoggi's work as a journalist.
The rapporteurs go on to add that, quote,
a single photograph is texted to Mr. Bezos from the Crown Prince's WhatsApp account,
along with a sardonic caption.
It is an image of a woman resembling the woman with whom Bezos is having an affair,
months before the Bezos affair was known publicly, end quote.
The source of the kingdom's interest in Mr. Bezos is widely reported
as stemming from his ownership of the Washington Post and the Post's employment of Mr. Khashoggi, who had been an irritant to Saudi authorities.
One of the public passages in the ill-willed dispute between Bezos and the kingdom
may be seen in Mr. Bezos' February 7, 2019 blog post entitled,
No Thank You, Mr. Pecker, in which he explained his disinclination to accede to what he characterized
as pressure from David Pecker, chief of the National Enquirer's corporate parent AMI,
to call off Post investigations of the Khashoggi killing and other matters discreditable to the Kingdom of Saudi Arabia.
What the malicious payload on Mr. Bezos' phone actually was is unknown,
but the rapporteurs speculate that it may have been
NSO Group's intercept tool Pegasus.
The grounds for this seem so far to be largely circumstantial
based on Pegasus' known performance and distribution
and by reports of it being distributed via WhatsApp.
Cisco Duo recently released the latest version
of their State of the Auth report,
which tracks how users are adopting modern authentication methods.
Sean Frazier is advisory CISO for Federal at Cisco Duo.
So I think the biggest things are there is an uptick in awareness and usage of multi-factor.
And I think that that's kind of due to a few different reasons.
One is I think a lot of users in their personal lives are
being required to use multi-factor authentication. I mean, now if you log into a bank account,
or you log into Facebook or eBay, or pretty much anything you use online, you're almost either
required or strongly encouraged to use multi-factor. So I think that's helping create more awareness
and certainly more awareness in the enterprise. And I think the enterprise side is kind of coming at it from that perspective as well.
They're kind of saying, okay, for enterprise applications,
we're going to require you to use multi-factor for these things
and not just allow you to use username and password.
So we see both of these things from awareness to usage trending up.
So they're not quite double from last year, but they're pretty close.
Yeah, let's go through together what you all saw in terms of the types of multi-factor that are most popular and how that's trending. What did you find there?
So I think we still see one of the predominant methods of multi-factor being SMS-based or,
kind of, one-time passcode over an SMS channel. We've started to see folks
kind of move away from that for obvious reasons. If you look at kind of the NIST guidance around
passwords and authentication, they actually have recommended people not use SMS based
authentication just because of the ability for someone to take control of that channel.
Yeah. Let's dig into that. I mean, one of the things you highlight here in the report is the importance of your email account.
Yeah, absolutely. I mean, that tends to be kind of the nucleus of everything that people do.
If you're doing, you know, again, a password reset or you're doing some kind of account reset, a lot of times that's coming back to your email.
That's, you know, that's going to be, you know, part and parcel with everything else you're doing in your email account.
And if someone has hijacked your email account, which is not super simple, but not terribly
difficult thing to do, they have access to everything.
You know, they can go pretend to be you, you know, do a password reset, bypass the multi-factor
authentication, get that reset done to your email by just saying the fact that I, you
know, I don't have that device anymore.
I don't have that phone number anymore.
So I need to, you know, and the banks want to, and other account holders or account creators want to be able to provide this ease of use to users,
this self-service because it helps them too. And by virtue of that, if you're not protecting
an email account, you're wide open.
Where do you suppose we're headed here?
Are we getting to the point where users are willing to accept that multi-factor is just
part of the deal that if you want to use some of these services,
it's going to be required?
I think so. I think more so that will happen over time. Again,
I think that, you know, we've lived in this password life for, you know, over 20 years.
We've only really seen multi-factor authentication become prevalent in our personal lives in the last couple of years. So it's really only been like the last, really last bit or last part of that.
So I still think we have a couple more years to go before we've got to the point where
it's widely accepted.
I think, you know, part of that is us, meaning us software developers, developing things
that are super easy to use.
Because again, we don't want to add too much friction on top of what users have to do already.
It's not going to be the silver bullet in the short term, but I think longer term, I
do see light at the end of the tunnel for actually getting away from the password life.
That's Sean Frazier from Cisco Duo on their latest State of the Auth report.
Brazilian federal prosecutors on Tuesday unsealed charges against Glenn Greenwald,
co-founder of The Intercept and best known for publishing Edward Snowden's leaks.
The New York Times reports that Mr. Greenwald's role in publishing cell phone messages that embarrassed prosecutors and an anti-corruption task force is at issue.
Prosecutors say that he played a clear role in facilitating the commission of a crime by being in contact with people who obtained the messages and recommended that they cover their tracks.
Greenwald himself brackets his case with Julian Assange's and claims both indictments
represent an attack on journalism. Few others see it this way. Mr. Assange is generally regarded as
having worked actively to facilitate hacking, whereas Greenwald merely advised sources on how
to remain anonymous. The Electronic Frontier Foundation, the ACLU, and other observers have
objected to the charges,
which they see as a threat to legitimate journalism.
Mr. Greenwald has been critical of the Brazilian government and is a controversial figure in that country.
There have been some announcements with respect to new threats or perhaps familiar threats now renewed.
IBM's X-Force researchers have found a new phishing campaign that uses fake business
emails that deliver variants of the NetWire remote access Trojan. NetWire first emerged in 2012.
This particular campaign looks like the work of criminals out for financial gain.
And there's another malware strain that's been around for some time.
sLoad, also known as StarsLord, not to be confused with
the Guardians of the Galaxy hero. sLoad is a dropper malware that can be used as the first
stage in an attack to deliver further malicious code that actually accomplishes the criminal's
goals. Information theft, credential theft, theft, theft, or maybe even theft. Microsoft exposed the sLoad gang's methods last month, ZDNet reports,
but the gang has adapted and is now busily using sLoad 2.0.
And finally, we haven't forgotten the prospect of U.S.-Iranian conflict in cyberspace.
Such concerns persist, as NPR and others have noticed.
But so far, the kittens haven't been yowling or
the eagles screaming, at least not publicly.
And joining me once again is Ben Yelin.
He is the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security.
He is also my co-host on the Caveat podcast.
Ben, always great to have you back.
Thank you, Dave.
We've got a fun privacy story here this week.
This is a story from Motherboard,
and the title is,
This Secretive Surveillance Company is Selling Cops' Cameras Hidden in Gravestones.
Written by Joseph Cox.
What's going on here, Ben?
I just, I can't get enough of this story.
It's so good in so many ways.
Yeah, okay.
There is a surveillance vendor who works with many U.S. government agencies, all of your
three-letter agencies, FBI, DEA, and ICE.
And they, there were marketing materials that were leaked to Vice and Motherboard
indicating some of the spying capabilities that this company has.
One of those spying capabilities was to put a hidden camera
or a hidden recording device inside of a tombstone.
Another one was a camera inside a baby car seat.
And a third one was a surveillance device in a vacuum cleaner. All of these are
beyond bizarre just because
it almost seems like it was created from some sort of comedy bit and not for
a legitimate surveillance purpose. But to make
it better, you couldn't make up a shadier
sounding group. Nothing against the special
services group, which is the vendor behind these products, but their logo is the floating eye in
the pyramid logo, which I don't know if you've seen. What was that movie where there was like
a whole conspiracy about how the backside of our US dollars, which contained that pyramid,
were some sort of hidden signal for
something.
Right, right.
It's escaping me at the moment.
But the fact that they have these rather absurd surveillance devices in some of the most bizarre
places imaginable, they have this name and they have this logo.
It's just sort of the full package of surveillance insanity.
This is tickling your funny bone from many different directions.
It is.
Now, obviously, there's a serious side because
like many other secret recording
devices, this is part
of the pervasiveness of our surveillance
state. Okay. Let me play
devil's advocate here because I
guess... Good role to play. Now you're the lawyer.
Yeah, and I don't know what...
Playing devil's advocate in a cemetery.
I don't know.
But the first thing that came to mind for me
in a situation like this is an episode of The Sopranos.
You know, right?
You got a bunch of mobsters.
Somebody's been whacked.
How are you going to surveil and see who was there
and what they said?
And, you know, I don't know,
Johnny Dollar got, you know, got dropped. So I could see this being a useful thing for law
enforcement. It's going to blend in. Is it absurd? Yeah, but I guess, I mean, the history of
surveillance and the FBI and the CIA is chock full of clever ways in which to hide recording devices.
Yeah, I think actually the position you present is entirely reasonable.
I'm sure a lot of the places law enforcement has placed recording devices probably seemed ridiculous when they were first proposed.
The vendor is probably introducing this product in response to some sort of demand
because there aren't a lot of people
who go to cemeteries at night for legitimate reasons.
It's probably a place where people gather
to engage in illicit conduct.
And there you would have law enforcement justification
for putting recording devices there.
You can certainly think of a million different reasons
why you'd want to have a recording device on a child's car seat,
especially if you were engaged in some sort of tracking
of a potential child predator
or you had some individualized suspicion about a parent or something.
I mean, you could certainly imagine
what law enforcement's interest would be.
It's just when you put it in the terms of
they're putting recording devices in our gravestones, it just sounds like something that
the crazy person on the street would make up as part of a crazed rant.
Well, I think also, I think it speaks to that general creepiness of, are there no spaces that are, in this case, literally sacred?
Literally sacred, yeah.
Yeah.
Now, you know, I think our most sacred place is our home.
Our home is our castle.
Our next most sacred place probably would be our gravestone.
I mean, it is our—
Maybe a house of worship?
A house of worship, which certainly
surveillance has taken place within houses of worship.
I think that's a given.
But yeah, this is certainly up there
on one of the places that
we like to, that is sacred to us.
It's a place where people have a lot of private
moments. So even though there
might be legitimate law enforcement purposes,
I mean, imagine visiting grandma's tombstone
and somebody recording that very intimate private moment
when you're there and you're grieving.
Yeah.
You know, and if it just,
part of it is that the vendor here
is just sort of hilariously cavalier about the whole thing.
So they release part of their advertisements
and it's almost as if they're advertising
like a smart refrigerator or something,
and how enthusiastic they are about it.
Our newest video concealment offering,
which has the ability to conduct remote surveillance operations
from cemeteries.
So maybe a little tone deaf by your estimation.
The all-inclusive system can be deployed for approximately two days
with the included battery.
It is fully portable and can be moved from location to location as necessary.
Yeah, that seems overly enthusiastic.
Yeah.
All right.
Well, the article is titled,
This Secretive Surveillance Company is Selling Cops Hidden Cameras in Gravestones.
It's on Motherboard via Vice.
Ben Yelin, thanks for joining us.
Thank you.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.