CyberWire Daily - Vigilantes and hacktivists. Point-of-sale malware source code leaks. Malicious extensions and apps. US Federal indictments: spying and hacking. Robo-caller gets record fine.

Episode Date: May 11, 2018

In today's podcast, we hear that vigilantes have visited ZooPark, and the lights go out—voluntarily—on some Georgia hacktivists. TreasureHunter source code posted to a criminal forum. Malicious Chrome extensions and malicious Android photo-editing apps. GandCrab ransomware served by compromised legitimate sites. Russian influence ops. Concerns about a resumption of Iranian hacking. Ex-CIA officer charged with espionage. Hobby hacker indicted on Federal charges. FCC hits a robo-caller with a record fine. Jonathan Katz from UMD on why cryptography is more challenging than many software engineers think. Guest is Cyrus Farivar, author of the book Habeas Data, Privacy vs. the Rise of Surveillance Tech.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Vigilantes visit ZooPark and the lights go out, voluntarily, on some Georgia hacktivists. TreasureHunter source code is posted to a criminal forum, malicious Chrome extensions and malicious Android photo editing apps, GandCrab ransomware served by compromised legitimate sites,
Starting point is 00:02:14 news on Russian influence ops and concerns about a resumption of Iranian hacking, an ex-CIA officer's been charged with espionage, a hobby hacker's been indicted on federal charges, and the FCC hits a robocaller with a record fine. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, May 11th, 2018. We begin with some notes on hacktivists and vigilantes. To take up the vigilantes first, one such avenging netizen has decided to take on the ZooPark surveillance group Kaspersky discovered operating in the Middle East.
Starting point is 00:02:56 The vigilante has released a good tranche of what he or she discovered, sending it on to Motherboard in the expectation of striking a blow against ZooPark's continuing ability to operate quietly against its victims. The vigilante also tempts fate with a lot of coldly disparaging remarks about the folly of code reuse. Any attacker who would reuse code so freely, the vigilante suggests, is a skid without skills. The other group we might mention is the crew of hacktivists who opposed the U.S. state of Georgia's proposed computer security bill by defacing various sites in the Peach State. The proposed law, Senate Bill 315, was vetoed Tuesday by Governor Nathan Deal.
Starting point is 00:03:42 The hacktivists have said, in effect, mission accomplished, and they will no longer do any more digital strong-arming. It's good they're stopping, but they've set an unfortunate example. The proposed bill was sufficiently ill-conceived that widespread rational argument from the security industry and elsewhere would probably have been all the opposition the governor needed. There's no indication that Governor Deal was moved by fear of the hacktivists. He was probably moved by concerns about criminalizing legitimate
Starting point is 00:04:10 white hat work and by the possible difficulty of avoiding widespread unintended consequences should enterprises too vigorously avail themselves of the bill's hackback provisions. As the governor said in the statement accompanying the veto, quote, inadvertently hinder the ability of government and private industries to do so. Researchers at security firm Flashpoint have found that the source code for the TreasureHunter point-of-sale malware has leaked online. The source code was posted to a Russian-language criminal forum. The family to which TreasureHunter belongs has been operating in the wild since 2014.
Starting point is 00:05:04 TreasureHunter is installed, SecurityWeek reports, using weak credentials. The crooks get through a Windows-based server to the point-of-sale terminal where they install TreasureHunter. They create a registry key to run the malware at startup. From that point, TreasureHunter scans processes running on the victim's system, identifies paycard data, and reports that data back to its command and control servers. It's not known why the source code was posted, but this is known.
Starting point is 00:05:33 When malware source code leaks, one can expect a surge in criminal activity using that code to follow soon. Flashpoint found the leak in March, and since then has been working with Cisco's Talos group to find ways of disrupting the anticipated surge. Malicious Chrome extensions continue their crypto-jacking success. Radware has found seven malicious extensions in the official Chrome web store. The infection chain began with links pushed by Facebook. These led to a bogus YouTube page that invited installation of the bad extensions.
Starting point is 00:06:07 Once infected, the victim machines were subjected to one or more of the following, bot herding, cryptojacking, click fraud, or credential harvesting. Google has expelled the extensions, but the method is likely to be used again. Another official Google store has also had infestations to deal with.
Starting point is 00:06:27 Malicious photo editor apps have been found in Google Play. Security firm Sophos has found 25 bad apps that entered the Play Store in March and April. They carry ad fraud malware. Crooks monetize infected devices by getting them to click, as it were, on background ads without the user's knowledge or interaction. The apps have all been reported to Google and should be gone from the walled garden of the Play Store. Researchers at Cisco's Talos unit have found GandCrab ransomware lurking in a variety of legitimate but compromised websites.
Starting point is 00:07:02 Two of the examples Talos gives are, according to ThreatPost, a courier service in India and a WordPress site for an herbal medicine vendor. What the compromised sites tend to have in common are default credentials and MySQL vulnerabilities. So good digital hygiene is important not only for your enterprise, but for cyber public health as well. Kaspersky has found 17 critical vulnerabilities in the widely used Open Platform Communications Unified Automation Protocol,
Starting point is 00:07:33 that's OPC UA. OPC UA is widely used by developers working in the industrial Internet of Things. Release of Russian Facebook ads shows how the troll farms refined their messaging and used it opportunistically to damage the credibility of U.S. institutions during the last presidential election. A former CIA officer has been charged with spying for China. Jerry Chun-Shing Lee, a former case officer with human intelligence responsibilities, worked for the CIA from 1994 to 2007. According to reports by NBC News and the New York Times, he's thought to have provided Chinese security services with information they used to roll up U.S. covert operations in China.
Starting point is 00:08:29 In Los Angeles, an alleged hacker has been indicted for illegally accessing and defacing military, government, and business websites. The alleged hacker, Billy Ribeiro Anderson, who used the handles AndersonAlbuquerque and AlfabetoVirtual, is thought to have hacked as a hobby. Should the prosecution have their way with him (we must remember that he's considered innocent until proven guilty), Mr. Anderson may need a new hobby to occupy himself during his sabbatical at Club Fed. Researchers show there's a dog whistle for Siri, Alexa, and Google's assistant. A study at the University of California, Berkeley, has shown it's possible to embed commands a human wouldn't notice in songs. When played in the presence of the AIs, the AIs hear them, but you don't. And now we wait for all the objections from audiophiles that, yes, indeed, they can hear sounds only dogs can hear, and that, unlike the rest of you squares, they can easily tell an unobtrusive command from digital noise.
Starting point is 00:09:22 So talk amongst yourselves, please. Quietly. Industry experts are almost as a group pointing to Iran, talking about Iranian cyber reprisal for U.S. withdrawal from the nuclear agreement as a done deal. So if you bet on form, bet on Tehran's cyber contractors getting busy in a network near you. And finally, in a good news, bad news story, the U.S. Federal Communications Commission has hit a robocaller with a record fine, $120 million.
Starting point is 00:09:57 That's the good news. The bad news is that it's just one robocaller. As FCC Commissioner Jessica Rosenworcel said in the course of a statement applauding the fine, quote, let's be honest, going after a single bad actor is emptying the ocean with a teaspoon.
Starting point is 00:12:33 And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. We saw an article come by from HelpNet Security, and it was called Why Cryptography is Much Harder Than Software Engineers Think. And I thought this was right up your alley. First of all, do you agree?
Starting point is 00:13:01 Is cryptography much harder than software engineers think? Well, I don't really know what software engineers think about, but I think it definitely is very tricky. And I think one of the things in particular is that software engineers just aren't used to thinking in general about implementing security critical or cryptographic software. And so shortcuts that you might take or efficiency improvements that you might apply to general code might actually render a security-critical algorithm insecure. Oh, can you give us an example? Well, in this article, they were talking about a vulnerability that was discovered about six months ago called ROCA. And what that vulnerability was based on was the generation of primes for the RSA algorithm. So some of the listeners may know that the RSA algorithm fundamentally works by having the honest
Starting point is 00:13:51 party generate two random primes and then multiplying them together to get a modulus. And the hard problem for an attacker would be taking that modulus and then finding what the original primes were. And there's been a whole sequence of techniques developed and recommendations actually issued for how to go about generating those primes because they need to be large, they have to be a certain size, they should be unpredictable, and there are other properties they need to satisfy as well. And so there's a whole literature about how to do that securely.
Starting point is 00:14:20 And it seems that what happened was that people who were implementing the software for generating those primes ended up taking some shortcuts in order to try to make the process more efficient. And those shortcuts led to the software generating primes for which it was then easy for an attacker to factor the resulting modulus. So basically by taking these shortcuts and not following the recommended practices, they were making the software insecure. I see. Now, as a professor, the students that you deal with, how do you impart these lessons to them? It's definitely a challenge. So first of all, I always tell students that they need to implement things exactly as specified.
Starting point is 00:15:00 They shouldn't be designing their own crypto, and they shouldn't be trying to optimize algorithms that are recommended. And then what I also do is try to illustrate to them throughout the course what can go wrong when they don't follow that advice. So what I'll usually do is give examples like this one, showing them what can go wrong in the real world when people do take shortcuts, when people don't follow the recommendations. And hopefully, you know, after a semester's worth of that, they get the idea that it's really dangerous to modify things on their own. That's a good lesson. All right, Jonathan Katz, thanks for joining us. Thank you.
Starting point is 00:15:42 My guest today is Cyrus Farivar. He's the senior business editor at Ars Technica and author of the book The Internet of Elsewhere
Starting point is 00:16:34 about the history of the Internet and the effects it's had on different countries around the world. He joins us to discuss his new book, Habeas Data, Privacy vs. the Rise of Surveillance Tech. So it's interesting to remember that the United States Constitution does not recognize an affirmative right to privacy. If you read our founding documents from the 18th century, you won't find the word privacy anywhere in there. You will find the word privacy in the California state constitution. It's in Article 1, Section 1.
Starting point is 00:17:06 It guarantees privacy as an affirmative right to Californians. The word privacy also appears in a number of other state constitutions, but that's very much not the norm, right? Over time, you know, over the last 200 plus years of our history, there has built up a standard of what we think of as privacy, typically around the Fourth Amendment, right, which protects against unreasonable searches and seizures, privacy with respect to the government. The Fourth Amendment, of course, only protects the citizens against the actions of the government. It doesn't protect, you know,
Starting point is 00:17:39 individuals like you and me from the actions of Facebook or Google or any other company. When we're talking about government surveillance in the modern era, really, we have to go all the way back to the 1960s. And there was a famous Supreme Court case called United States versus Katz that involved the prosecution of a guy who was gambling in Los Angeles in 1965. Specifically, he would go to these phone booths on Sunset Boulevard in Hollywood and he would call his East Coast bookies and he would bet on college basketball games. And he did this so much that he drew the attention of the FBI and also of the Los Angeles Police Department. They figured out, you know, which phone booths he'd like to go to. And they ended up putting microphones and a recording device on top of the phone booth that he liked to use. And this is a crucial distinction that the fact that they put it on top rather than inside the phone booth or attempted
Starting point is 00:18:37 to wiretap the phone booth or anything like that. The legal standard at that time really turned on a question of trespass, on physical trespass into kind of an enclosed space like a house or a phone booth or a car or an office or something like that. Law enforcement thought that they were totally within their right to go right up to the edge, right up to the physical edge of the phone booth and put this microphone on top. Charles Katz ended up challenging this case and it went all the way up to the Supreme Court. And in the end, the Supreme Court ruled in a five to three vote that that was not OK, that law enforcement had overstepped their bounds by doing that. And in that decision, there's this phrase that sort of continues to resonate with us today. That is a, quote, reasonable expectation
Starting point is 00:19:21 of privacy. So when courts today are looking at whether or not a particular technology is okay, this is a standard that they turn to. Is there a, quote, reasonable expectation of privacy in X, Y or Z situation? Having gone through the process of writing this book, of doing the research and gathering the data and putting pen to paper, what are the take-homes for you? And what do you hope people get out of reading the book? What I hope people get out of reading the book is just having a better appreciation for what kinds of technology
Starting point is 00:19:55 is already in existence in America. This is not like a far-off future. This is now, right? Today, in Oakland, California, the city where I live, all police officers wear body cameras, for instance, right? And maybe in the city where you live too. In lots of major cities around America this is increasingly becoming the norm. Police now have license plate readers. Police now have drones. Very soon police will have body-worn cameras that have facial recognition capability. So imagine something even more sophisticated than a license plate reader, something that can not
Starting point is 00:20:31 only capture license plates, but that can capture people's faces. And guess what? There already is a database of all of our faces, the DMV and the Department of State. If you have a driver's license or a passport, a government agency already has a very high quality picture of your face. And so I think for a lot of people that, you know, you may not be bothered by these kinds of things. You may say, well, you know, I'm just a regular law abiding citizen. I don't really care if the police have a picture of my face or a picture of my license plate or whatever. But I think a lot of us, you know, are maybe a little bit troubled by that and may not realize that as of now, a lot of these technologies that might feel invasive are currently legal. So I hope that people come to realize what exists right now, and also what exists, you know, in your own community. If your local police department has license plate readers or drones or, you know, any of these other tools, I would suggest that you file a public records request with your police department.
Starting point is 00:21:32 Ask them and they hopefully will tell you, you know, it's easy to file a public records request. Anybody can do it. You don't have to be a journalist. You don't have to be a lawyer. So find out what exists in your local community. You might be really surprised. You might not know, for instance, that your city has, you know, however many drones or however many, you know, other types of surveillance tools. So I want people to kind of be conscious of what exists in their own communities and ask these kinds of questions. Also, I want not just regular citizens to be aware, but I want, you know, local lawmakers, city council members, county supervisors, police chiefs. You know, I want people who are in positions of authority to be aware of what for the first time community control over surveillance technology in Oakland. A number of other California cities have already passed measures like this, Berkeley and Davis, California, which is near Sacramento.
Starting point is 00:22:36 And a number of other communities around America are considering similar measures as well. So if this issue concerns you, I would suggest that you try to find out whether there are efforts like in Oakland in your area, to see if your city council or your county or your community is interested or is actively pursuing such measures. Because what I've learned is that changing federal laws and national laws and waiting for the Supreme Court to halt a particular practice can take years or decades, if it ever happens at all. But, you know, it's a lot easier to change things locally, right? Or perhaps even at your state level. I'm hopeful that with some of the efforts by some of the more privacy-minded activists and lawyers and other organizers around the country,
Starting point is 00:23:27 especially here in California, that hopefully we can come up with more sensible policies that, as you say, can strike the balance between the needs of law enforcement without kind of impinging on civil rights and civil liberties. That's author Cyrus Farivar. His new book, Habeas Data, is available now. We've got an extended version of my interview with Cyrus Farivar on our Patreon page at patreon.com slash thecyberwire. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:24:19 sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe. Thanks for listening. We'll see you back here tomorrow.
